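; ===========================================================================
; Direct system-call stubs for a group of Nt* services (x64, MASM syntax,
; Microsoft x64 calling convention).
;
; Each PROC is a drop-in replacement for the ntdll export of the same name:
; it is called with the arguments in rcx, rdx, r8, r9 (then the stack) and
; returns an NTSTATUS in eax.  Instead of calling ntdll it picks the system
; service number (SSN) for the running OS from the PEB version fields and
; executes SYSCALL itself, so a user-mode hook on the ntdll export is never
; reached.
;
; Review notes (security / correctness):
;   * Unknown OS version now returns STATUS_NOT_IMPLEMENTED instead of
;     falling through a bare `ret` with rax still holding the PEB pointer.
;     Failing closed matters here: a guessed or stale SSN invokes an
;     unrelated kernel service with this call's arguments.
;   * PEB.OSBuildNumber is a USHORT and the USHORT OSCSDVersion follows it
;     at +122h.  Reading it as a DWORD (as before) compares
;     (OSCSDVersion<<16 | OSBuildNumber), which never equals 6001/6002/7601
;     on a service-packed system, so those builds were always rejected.
;     The compare is now WORD-sized.
;   * The 8.1 test compared the minor version against 2 twice, leaving the
;     6.3 path unreachable; it now compares against 3.
;   * NtAccessCheck has SSN 0 on Windows 10 but the generated code had no
;     build dispatch for it (its 10.0 labels were dead code); the
;     table-driven stub below handles it like every other service.
;   * Builds newer than 10.0.18363 are NOT in the table and get
;     STATUS_NOT_IMPLEMENTED; extend the JE_BUILD list only with SSNs
;     verified for that build.
;   * The PEB version fields can be rewritten by application-compatibility
;     version shims, in which case the SSN selected here may not match the
;     real kernel -- TODO(review): decide whether a second source should be
;     consulted before trusting them.
;   * SYSCALL issued from non-ntdll code (return address outside ntdll) is
;     an observable anomaly for kernel-side telemetry; that is inherent to
;     the technique, not something this file can hide.
;
; Clobbers per stub: rax, r10, and rcx/r11 (overwritten by SYSCALL), flags.
; ===========================================================================
.code

; --- PEB fields read by the version dispatch (x64 layout) ------------------
PEB_OSMajorVersion      EQU 118h        ; ULONG
PEB_OSMinorVersion      EQU 11Ch        ; ULONG
PEB_OSBuildNumber       EQU 120h        ; USHORT; OSCSDVersion (USHORT) is at 122h,
                                        ; so this field must be read as a WORD

STATUS_NOT_IMPLEMENTED  EQU 0C0000002h  ; returned when no SSN is known for this OS

; JE_BUILD build, target
;   Jump to `target` when PEB.OSBuildNumber == build.  rax must hold the PEB.
JE_BUILD MACRO build:REQ, target:REQ
        cmp     word ptr [rax+PEB_OSBuildNumber], build
        je      target
ENDM

; SYSCALL_SELECT ssn_5x, ssn_6_0, ssn_6_1, ssn_6_2, ssn_6_3, ssn_10, done, unsupported
;   Emits the OS-version dispatch.  On a recognised version it loads the
;   matching SSN into eax and jumps to `done`; on any other version it jumps
;   to `unsupported` with eax untouched.  rax must hold the PEB on entry.
;   Recognised versions (the per-build tables this replaces carried the same
;   SSN for every listed build of a given major.minor):
;     5.x                 XP / Server 2003                          -> ssn_5x
;     6.0.{6000,6001,6002} Vista SP0/SP1/SP2, Server 2008 SP0/SP2    -> ssn_6_0
;     6.1.{7600,7601}      7 SP0/SP1, Server 2008 R2 SP0             -> ssn_6_1
;     6.2                 8 / Server 2012                           -> ssn_6_2
;     6.3                 8.1 / Server 2012 R2                      -> ssn_6_3
;     10.0.{10240..18363} 1507 .. 1909 (explicit list)               -> ssn_10
SYSCALL_SELECT MACRO ssn_5x:REQ, ssn_6_0:REQ, ssn_6_1:REQ, ssn_6_2:REQ, ssn_6_3:REQ, ssn_10:REQ, done:REQ, unsupported:REQ
        LOCAL   check_6_x, check_6_0, check_6_1, check_10_0
        LOCAL   use_5_x, use_6_0, use_6_1, use_6_2, use_6_3, use_10_0
        ; major version
        cmp     dword ptr [rax+PEB_OSMajorVersion], 5
        je      use_5_x
        cmp     dword ptr [rax+PEB_OSMajorVersion], 6
        je      check_6_x
        cmp     dword ptr [rax+PEB_OSMajorVersion], 10
        je      check_10_0
        jmp     unsupported
check_6_x:                                  ; Vista / 7 / 8 / 8.1 by minor version
        cmp     dword ptr [rax+PEB_OSMinorVersion], 0
        je      check_6_0
        cmp     dword ptr [rax+PEB_OSMinorVersion], 1
        je      check_6_1
        cmp     dword ptr [rax+PEB_OSMinorVersion], 2
        je      use_6_2
        cmp     dword ptr [rax+PEB_OSMinorVersion], 3   ; 8.1 (was a duplicate "2")
        je      use_6_3
        jmp     unsupported
check_6_0:                                  ; Vista: only the three known builds
        JE_BUILD 6000, use_6_0
        JE_BUILD 6001, use_6_0
        JE_BUILD 6002, use_6_0
        jmp     unsupported
check_6_1:                                  ; Windows 7
        JE_BUILD 7600, use_6_1
        JE_BUILD 7601, use_6_1
        jmp     unsupported
check_10_0:                                 ; Windows 10: explicit build list, no guessing
        JE_BUILD 10240, use_10_0            ; 1507
        JE_BUILD 10586, use_10_0            ; 1511
        JE_BUILD 14393, use_10_0            ; 1607
        JE_BUILD 15063, use_10_0            ; 1703
        JE_BUILD 16299, use_10_0            ; 1709
        JE_BUILD 17134, use_10_0            ; 1803
        JE_BUILD 17763, use_10_0            ; 1809
        JE_BUILD 18362, use_10_0            ; 1903
        JE_BUILD 18363, use_10_0            ; 1909
        jmp     unsupported
use_5_x:
        mov     eax, ssn_5x
        jmp     done
use_6_0:
        mov     eax, ssn_6_0
        jmp     done
use_6_1:
        mov     eax, ssn_6_1
        jmp     done
use_6_2:
        mov     eax, ssn_6_2
        jmp     done
use_6_3:
        mov     eax, ssn_6_3
        jmp     done
use_10_0:
        mov     eax, ssn_10
        jmp     done
ENDM

; SYSCALL_STUB procname, ssn_5x, ssn_6_0, ssn_6_1, ssn_6_2, ssn_6_3, ssn_10
;   Defines `procname PROC` as a complete direct-syscall stub: selects the
;   SSN with SYSCALL_SELECT, moves the first argument from rcx to r10 (the
;   kernel entry expects it there because SYSCALL overwrites rcx with the
;   return address), executes SYSCALL and returns the NTSTATUS in eax.
;   Unsupported OS versions return STATUS_NOT_IMPLEMENTED without entering
;   the kernel.
SYSCALL_STUB MACRO procname:REQ, ssn_5x:REQ, ssn_6_0:REQ, ssn_6_1:REQ, ssn_6_2:REQ, ssn_6_3:REQ, ssn_10:REQ
        LOCAL   do_syscall, unsupported
procname PROC
        mov     rax, gs:[60h]               ; rax = PEB (TEB.ProcessEnvironmentBlock)
        SYSCALL_SELECT ssn_5x, ssn_6_0, ssn_6_1, ssn_6_2, ssn_6_3, ssn_10, do_syscall, unsupported
unsupported:
        mov     eax, STATUS_NOT_IMPLEMENTED ; fail closed: never SYSCALL with a guessed SSN
        ret
do_syscall:
        mov     r10, rcx
        syscall
        ret
procname ENDP
ENDM

; --- Stubs -----------------------------------------------------------------
; SSN columns:                                      XP/2003 Vista  Win7   Win8   Win8.1 Win10
SYSCALL_STUB NtAcceptConnectPort,                   0060h, 0060h, 0060h, 0061h, 0001h, 0002h
SYSCALL_STUB NtAccessCheck,                         0061h, 0061h, 0061h, 0062h, 0062h, 0000h
SYSCALL_STUB NtAccessCheckAndAuditAlarm,            0026h, 0026h, 0026h, 0027h, 0028h, 0029h
SYSCALL_STUB NtAccessCheckByType,                   0062h, 0062h, 0062h, 0063h, 0063h, 0063h
SYSCALL_STUB NtAccessCheckByTypeAndAuditAlarm,      0056h, 0056h, 0056h, 0057h, 0058h, 0059h
SYSCALL_STUB NtAccessCheckByTypeResultList,         0063h, 0063h, 0063h, 0064h, 0064h, 0064h

; NtAccessCheckByTypeResultListAndAuditAlarm keeps its original epilogue and
; unknown-version label names, which are defined by name further down; only
; the version dispatch is generated here.
NtAccessCheckByTypeResultListAndAuditAlarm PROC
        mov     rax, gs:[60h]               ; rax = PEB
        SYSCALL_SELECT 0064h, 0064h, 0064h, 0065h, 0065h, 0065h, NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue, NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown
NtAccessCheckByTypeResultListAndAuditAlarm_SystemCall_Unknown:
        mov     eax, STATUS_NOT_IMPLEMENTED ; Unknown/unsupported version; the `ret` follows.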
ret NtAccessCheckByTypeResultListAndAuditAlarm_Epilogue: mov r10, rcx syscall ret NtAccessCheckByTypeResultListAndAuditAlarm ENDP NtAccessCheckByTypeResultListAndAuditAlarmByHandle PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_10_0_XXXX jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_3_XXXX jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6002 jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7601 jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18363 jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0065h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0065h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0065h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue 
NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0065h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0065h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0065h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue 
NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0066h jmp NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue NtAccessCheckByTypeResultListAndAuditAlarmByHandle_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAccessCheckByTypeResultListAndAuditAlarmByHandle_Epilogue: mov r10, rcx syscall ret NtAccessCheckByTypeResultListAndAuditAlarmByHandle ENDP NtAcquireCMFViewOwnership PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAcquireCMFViewOwnership_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAcquireCMFViewOwnership_Check_6_X_XXXX jmp NtAcquireCMFViewOwnership_SystemCall_Unknown NtAcquireCMFViewOwnership_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAcquireCMFViewOwnership_Check_6_0_XXXX jmp NtAcquireCMFViewOwnership_SystemCall_Unknown NtAcquireCMFViewOwnership_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtAcquireCMFViewOwnership_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAcquireCMFViewOwnership_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAcquireCMFViewOwnership_SystemCall_6_0_6002 jmp NtAcquireCMFViewOwnership_SystemCall_Unknown NtAcquireCMFViewOwnership_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0066h jmp NtAcquireCMFViewOwnership_Epilogue NtAcquireCMFViewOwnership_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0066h jmp NtAcquireCMFViewOwnership_Epilogue NtAcquireCMFViewOwnership_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0066h jmp NtAcquireCMFViewOwnership_Epilogue NtAcquireCMFViewOwnership_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAcquireCMFViewOwnership_Epilogue: mov r10, rcx syscall ret NtAcquireCMFViewOwnership ENDP NtAcquireProcessActivityReference PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAcquireProcessActivityReference_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtAcquireProcessActivityReference_Check_10_0_XXXX jmp NtAcquireProcessActivityReference_SystemCall_Unknown NtAcquireProcessActivityReference_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 15063 je NtAcquireProcessActivityReference_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAcquireProcessActivityReference_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAcquireProcessActivityReference_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAcquireProcessActivityReference_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAcquireProcessActivityReference_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAcquireProcessActivityReference_SystemCall_10_0_18363 jmp NtAcquireProcessActivityReference_SystemCall_Unknown NtAcquireProcessActivityReference_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0067h jmp NtAcquireProcessActivityReference_Epilogue NtAcquireProcessActivityReference_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0067h jmp NtAcquireProcessActivityReference_Epilogue NtAcquireProcessActivityReference_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0067h jmp NtAcquireProcessActivityReference_Epilogue NtAcquireProcessActivityReference_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0067h jmp NtAcquireProcessActivityReference_Epilogue NtAcquireProcessActivityReference_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0067h jmp NtAcquireProcessActivityReference_Epilogue NtAcquireProcessActivityReference_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0067h jmp NtAcquireProcessActivityReference_Epilogue NtAcquireProcessActivityReference_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAcquireProcessActivityReference_Epilogue: mov r10, rcx syscall ret NtAcquireProcessActivityReference ENDP NtAddAtom PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAddAtom_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtAddAtom_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtAddAtom_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAddAtom_Check_10_0_XXXX jmp NtAddAtom_SystemCall_Unknown NtAddAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAddAtom_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAddAtom_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAddAtom_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAddAtom_SystemCall_6_3_XXXX jmp NtAddAtom_SystemCall_Unknown NtAddAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAddAtom_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAddAtom_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAddAtom_SystemCall_6_0_6002 jmp NtAddAtom_SystemCall_Unknown NtAddAtom_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAddAtom_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAddAtom_SystemCall_6_1_7601 jmp NtAddAtom_SystemCall_Unknown NtAddAtom_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAddAtom_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAddAtom_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAddAtom_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAddAtom_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAddAtom_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAddAtom_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAddAtom_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAddAtom_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAddAtom_SystemCall_10_0_18363 jmp NtAddAtom_SystemCall_Unknown NtAddAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0044h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0044h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0044h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0044h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0044h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0044h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0045h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0046h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 
0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0047h jmp NtAddAtom_Epilogue NtAddAtom_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAddAtom_Epilogue: mov r10, rcx syscall ret NtAddAtom ENDP NtAddAtomEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAddAtomEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAddAtomEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAddAtomEx_Check_10_0_XXXX jmp NtAddAtomEx_SystemCall_Unknown NtAddAtomEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtAddAtomEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAddAtomEx_SystemCall_6_3_XXXX jmp NtAddAtomEx_SystemCall_Unknown NtAddAtomEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAddAtomEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAddAtomEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAddAtomEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAddAtomEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAddAtomEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAddAtomEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAddAtomEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAddAtomEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAddAtomEx_SystemCall_10_0_18363 jmp NtAddAtomEx_SystemCall_Unknown NtAddAtomEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0067h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0067h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0067h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0067h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0067h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0068h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0068h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0068h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0068h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0068h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0068h jmp NtAddAtomEx_Epilogue NtAddAtomEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAddAtomEx_Epilogue: mov r10, rcx syscall ret NtAddAtomEx ENDP NtAddBootEntry PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtAddBootEntry_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtAddBootEntry_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtAddBootEntry_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAddBootEntry_Check_10_0_XXXX jmp NtAddBootEntry_SystemCall_Unknown NtAddBootEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAddBootEntry_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAddBootEntry_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAddBootEntry_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAddBootEntry_SystemCall_6_3_XXXX jmp NtAddBootEntry_SystemCall_Unknown NtAddBootEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAddBootEntry_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAddBootEntry_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAddBootEntry_SystemCall_6_0_6002 jmp NtAddBootEntry_SystemCall_Unknown NtAddBootEntry_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAddBootEntry_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAddBootEntry_SystemCall_6_1_7601 jmp NtAddBootEntry_SystemCall_Unknown NtAddBootEntry_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAddBootEntry_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAddBootEntry_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAddBootEntry_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAddBootEntry_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAddBootEntry_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAddBootEntry_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAddBootEntry_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAddBootEntry_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAddBootEntry_SystemCall_10_0_18363 jmp NtAddBootEntry_SystemCall_Unknown NtAddBootEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0066h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0067h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0067h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0067h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0066h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0066h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0068h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0068h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0068h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0068h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0068h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0069h jmp NtAddBootEntry_Epilogue 
NtAddBootEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0069h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0069h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0069h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0069h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0069h jmp NtAddBootEntry_Epilogue NtAddBootEntry_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAddBootEntry_Epilogue: mov r10, rcx syscall ret NtAddBootEntry ENDP NtAddDriverEntry PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAddDriverEntry_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtAddDriverEntry_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtAddDriverEntry_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAddDriverEntry_Check_10_0_XXXX jmp NtAddDriverEntry_SystemCall_Unknown NtAddDriverEntry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAddDriverEntry_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAddDriverEntry_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAddDriverEntry_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAddDriverEntry_SystemCall_6_3_XXXX jmp NtAddDriverEntry_SystemCall_Unknown NtAddDriverEntry_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAddDriverEntry_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAddDriverEntry_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAddDriverEntry_SystemCall_6_0_6002 jmp NtAddDriverEntry_SystemCall_Unknown NtAddDriverEntry_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtAddDriverEntry_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAddDriverEntry_SystemCall_6_1_7601 jmp NtAddDriverEntry_SystemCall_Unknown NtAddDriverEntry_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAddDriverEntry_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAddDriverEntry_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAddDriverEntry_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAddDriverEntry_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAddDriverEntry_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAddDriverEntry_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAddDriverEntry_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAddDriverEntry_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAddDriverEntry_SystemCall_10_0_18363 jmp NtAddDriverEntry_SystemCall_Unknown NtAddDriverEntry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0067h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0068h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0068h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0068h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0067h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0067h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0069h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0069h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0069h jmp NtAddDriverEntry_Epilogue 
NtAddDriverEntry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0069h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0069h jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 006ah jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 006ah jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 006ah jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 006ah jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 006ah jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 006ah jmp NtAddDriverEntry_Epilogue NtAddDriverEntry_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAddDriverEntry_Epilogue: mov r10, rcx syscall ret NtAddDriverEntry ENDP NtAdjustGroupsToken PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAdjustGroupsToken_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtAdjustGroupsToken_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtAdjustGroupsToken_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAdjustGroupsToken_Check_10_0_XXXX jmp NtAdjustGroupsToken_SystemCall_Unknown NtAdjustGroupsToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAdjustGroupsToken_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAdjustGroupsToken_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAdjustGroupsToken_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAdjustGroupsToken_SystemCall_6_3_XXXX jmp NtAdjustGroupsToken_SystemCall_Unknown NtAdjustGroupsToken_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtAdjustGroupsToken_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAdjustGroupsToken_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAdjustGroupsToken_SystemCall_6_0_6002 jmp NtAdjustGroupsToken_SystemCall_Unknown NtAdjustGroupsToken_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAdjustGroupsToken_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAdjustGroupsToken_SystemCall_6_1_7601 jmp NtAdjustGroupsToken_SystemCall_Unknown NtAdjustGroupsToken_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAdjustGroupsToken_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAdjustGroupsToken_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAdjustGroupsToken_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAdjustGroupsToken_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAdjustGroupsToken_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAdjustGroupsToken_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAdjustGroupsToken_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAdjustGroupsToken_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAdjustGroupsToken_SystemCall_10_0_18363 jmp NtAdjustGroupsToken_SystemCall_Unknown NtAdjustGroupsToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0068h jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0069h jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0069h jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0069h jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0068h jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 mov eax, 0068h jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 006ah jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 006ah jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 006ah jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 006ah jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 006ah jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 006bh jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 006bh jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 006bh jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 006bh jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 006bh jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 006bh jmp NtAdjustGroupsToken_Epilogue NtAdjustGroupsToken_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAdjustGroupsToken_Epilogue: mov r10, rcx syscall ret NtAdjustGroupsToken ENDP NtAdjustPrivilegesToken PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAdjustPrivilegesToken_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtAdjustPrivilegesToken_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtAdjustPrivilegesToken_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAdjustPrivilegesToken_Check_10_0_XXXX jmp NtAdjustPrivilegesToken_SystemCall_Unknown NtAdjustPrivilegesToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAdjustPrivilegesToken_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAdjustPrivilegesToken_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAdjustPrivilegesToken_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAdjustPrivilegesToken_SystemCall_6_3_XXXX jmp NtAdjustPrivilegesToken_SystemCall_Unknown NtAdjustPrivilegesToken_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAdjustPrivilegesToken_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAdjustPrivilegesToken_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAdjustPrivilegesToken_SystemCall_6_0_6002 jmp NtAdjustPrivilegesToken_SystemCall_Unknown NtAdjustPrivilegesToken_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAdjustPrivilegesToken_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAdjustPrivilegesToken_SystemCall_6_1_7601 jmp NtAdjustPrivilegesToken_SystemCall_Unknown NtAdjustPrivilegesToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAdjustPrivilegesToken_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAdjustPrivilegesToken_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAdjustPrivilegesToken_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAdjustPrivilegesToken_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAdjustPrivilegesToken_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAdjustPrivilegesToken_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAdjustPrivilegesToken_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAdjustPrivilegesToken_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAdjustPrivilegesToken_SystemCall_10_0_18363 jmp NtAdjustPrivilegesToken_SystemCall_Unknown NtAdjustPrivilegesToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 003eh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 003eh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 003eh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 003eh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 003eh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 003eh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 003fh jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0040h jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0041h jmp NtAdjustPrivilegesToken_Epilogue NtAdjustPrivilegesToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 
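; --- tail of NtAdjustPrivilegesToken (its body begins before this chunk; tokens unchanged) ---
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 0041h
        jmp     NtAdjustPrivilegesToken_Epilogue
NtAdjustPrivilegesToken_SystemCall_Unknown:             ; Unknown/unsupported version.
        ret                                             ; NOTE(review): returns with rax = PEB pointer, not an NTSTATUS
NtAdjustPrivilegesToken_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtAdjustPrivilegesToken ENDP

;-----------------------------------------------------------------------
; NtAdjustTokenClaimsAndDeviceGroups -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's rcx/rdx/r8/r9/stack
; arguments untouched.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAdjustTokenClaimsAndDeviceGroups PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAdjustTokenClaimsAndDeviceGroups_Check_X_X_XXXX:      ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtAdjustTokenClaimsAndDeviceGroups_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAdjustTokenClaimsAndDeviceGroups_Check_10_0_XXXX
        jmp     NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown
NtAdjustTokenClaimsAndDeviceGroups_Check_6_X_XXXX:      ; PEB.OSMinorVersion (Windows 8 / 8.1)
        cmp     dword ptr [rax+11ch], 2
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_3_XXXX
        jmp     NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown
NtAdjustTokenClaimsAndDeviceGroups_Check_10_0_XXXX:     ; PEB.OSBuildNumber (USHORT; OSCSDVersion follows at +122h)
        cmp     word ptr [rax+120h], 10240
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18363
        jmp     NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 006bh
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 006bh
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 006bh
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 006bh
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 006bh
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 006ch
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 006ch
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 006ch
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 006ch
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 006ch
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 006ch
        jmp     NtAdjustTokenClaimsAndDeviceGroups_Epilogue
NtAdjustTokenClaimsAndDeviceGroups_SystemCall_Unknown:  ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAdjustTokenClaimsAndDeviceGroups_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAdjustTokenClaimsAndDeviceGroups ENDP

;-----------------------------------------------------------------------
; NtAlertResumeThread -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAlertResumeThread PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAlertResumeThread_Check_X_X_XXXX:                     ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtAlertResumeThread_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAlertResumeThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlertResumeThread_Check_10_0_XXXX
        jmp     NtAlertResumeThread_SystemCall_Unknown
NtAlertResumeThread_Check_6_X_XXXX:                     ; PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtAlertResumeThread_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlertResumeThread_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlertResumeThread_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAlertResumeThread_SystemCall_6_3_XXXX
        jmp     NtAlertResumeThread_SystemCall_Unknown
NtAlertResumeThread_Check_6_0_XXXX:                     ; Vista builds; OSBuildNumber is a USHORT (OSCSDVersion follows at +122h)
        cmp     word ptr [rax+120h], 6000
        je      NtAlertResumeThread_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtAlertResumeThread_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtAlertResumeThread_SystemCall_6_0_6002
        jmp     NtAlertResumeThread_SystemCall_Unknown
NtAlertResumeThread_Check_6_1_XXXX:                     ; Check build number for Windows 7.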
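; --- NtAlertResumeThread continued: Windows 7 build check (OSBuildNumber is a USHORT) ---
        cmp     word ptr [rax+120h], 7600
        je      NtAlertResumeThread_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtAlertResumeThread_SystemCall_6_1_7601
        jmp     NtAlertResumeThread_SystemCall_Unknown
NtAlertResumeThread_Check_10_0_XXXX:                    ; Windows 10 builds
        cmp     word ptr [rax+120h], 10240
        je      NtAlertResumeThread_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAlertResumeThread_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAlertResumeThread_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAlertResumeThread_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAlertResumeThread_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAlertResumeThread_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAlertResumeThread_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAlertResumeThread_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAlertResumeThread_SystemCall_10_0_18363
        jmp     NtAlertResumeThread_SystemCall_Unknown
NtAlertResumeThread_SystemCall_5_X_XXXX:                ; Windows XP and Server 2003
        mov     eax, 0069h
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 006ah
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 006ah
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 006ah
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 0069h
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0069h
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 006ch
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 006ch
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 006ch
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 006ch
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 006ch
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 006dh
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 006dh
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 006dh
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 006dh
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 006dh
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 006dh
        jmp     NtAlertResumeThread_Epilogue
NtAlertResumeThread_SystemCall_Unknown:                 ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAlertResumeThread_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAlertResumeThread ENDP

;-----------------------------------------------------------------------
; NtAlertThread -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAlertThread PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAlertThread_Check_X_X_XXXX:                           ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtAlertThread_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAlertThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlertThread_Check_10_0_XXXX
        jmp     NtAlertThread_SystemCall_Unknown
NtAlertThread_Check_6_X_XXXX:                           ; PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtAlertThread_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlertThread_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlertThread_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAlertThread_SystemCall_6_3_XXXX
        jmp     NtAlertThread_SystemCall_Unknown
NtAlertThread_Check_6_0_XXXX:                           ; Check build number for Windows Vista.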
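; --- NtAlertThread continued: Vista build check (OSBuildNumber is a USHORT; OSCSDVersion follows at +122h) ---
        cmp     word ptr [rax+120h], 6000
        je      NtAlertThread_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtAlertThread_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtAlertThread_SystemCall_6_0_6002
        jmp     NtAlertThread_SystemCall_Unknown
NtAlertThread_Check_6_1_XXXX:                           ; Windows 7 builds
        cmp     word ptr [rax+120h], 7600
        je      NtAlertThread_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtAlertThread_SystemCall_6_1_7601
        jmp     NtAlertThread_SystemCall_Unknown
NtAlertThread_Check_10_0_XXXX:                          ; Windows 10 builds
        cmp     word ptr [rax+120h], 10240
        je      NtAlertThread_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAlertThread_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAlertThread_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAlertThread_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAlertThread_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAlertThread_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAlertThread_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAlertThread_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAlertThread_SystemCall_10_0_18363
        jmp     NtAlertThread_SystemCall_Unknown
NtAlertThread_SystemCall_5_X_XXXX:                      ; Windows XP and Server 2003
        mov     eax, 006ah
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_0_6000:                      ; Windows Vista SP0
        mov     eax, 006bh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_0_6001:                      ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 006bh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_0_6002:                      ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 006bh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_1_7600:                      ; Windows 7 SP0
        mov     eax, 006ah
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_1_7601:                      ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 006ah
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_2_XXXX:                      ; Windows 8 and Server 2012
        mov     eax, 006dh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_6_3_XXXX:                      ; Windows 8.1 and Server 2012 R2
        mov     eax, 006dh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_10240:                    ; Windows 10.0.10240 (1507)
        mov     eax, 006dh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_10586:                    ; Windows 10.0.10586 (1511)
        mov     eax, 006dh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_14393:                    ; Windows 10.0.14393 (1607)
        mov     eax, 006dh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_15063:                    ; Windows 10.0.15063 (1703)
        mov     eax, 006eh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_16299:                    ; Windows 10.0.16299 (1709)
        mov     eax, 006eh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_17134:                    ; Windows 10.0.17134 (1803)
        mov     eax, 006eh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_17763:                    ; Windows 10.0.17763 (1809)
        mov     eax, 006eh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_18362:                    ; Windows 10.0.18362 (1903)
        mov     eax, 006eh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_10_0_18363:                    ; Windows 10.0.18363 (1909)
        mov     eax, 006eh
        jmp     NtAlertThread_Epilogue
NtAlertThread_SystemCall_Unknown:                       ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAlertThread_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAlertThread ENDP

;-----------------------------------------------------------------------
; NtAlertThreadByThreadId -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Only Windows 8 and later have an entry in the table.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAlertThreadByThreadId PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAlertThreadByThreadId_Check_X_X_XXXX:                 ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtAlertThreadByThreadId_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlertThreadByThreadId_Check_10_0_XXXX
        jmp     NtAlertThreadByThreadId_SystemCall_Unknown
NtAlertThreadByThreadId_Check_6_X_XXXX:                 ; PEB.OSMinorVersion (Windows 8 / 8.1)
        cmp     dword ptr [rax+11ch], 2
        je      NtAlertThreadByThreadId_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAlertThreadByThreadId_SystemCall_6_3_XXXX
        jmp     NtAlertThreadByThreadId_SystemCall_Unknown
NtAlertThreadByThreadId_Check_10_0_XXXX:                ; Check build number for Windows 10.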
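; --- NtAlertThreadByThreadId continued: Windows 10 build check (OSBuildNumber is a USHORT; OSCSDVersion follows at +122h) ---
        cmp     word ptr [rax+120h], 10240
        je      NtAlertThreadByThreadId_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAlertThreadByThreadId_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAlertThreadByThreadId_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAlertThreadByThreadId_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAlertThreadByThreadId_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAlertThreadByThreadId_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAlertThreadByThreadId_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAlertThreadByThreadId_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAlertThreadByThreadId_SystemCall_10_0_18363
        jmp     NtAlertThreadByThreadId_SystemCall_Unknown
NtAlertThreadByThreadId_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 006eh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 006eh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 006eh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 006eh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 006eh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 006fh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 006fh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 006fh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 006fh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 006fh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 006fh
        jmp     NtAlertThreadByThreadId_Epilogue
NtAlertThreadByThreadId_SystemCall_Unknown:             ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAlertThreadByThreadId_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAlertThreadByThreadId ENDP

;-----------------------------------------------------------------------
; NtAllocateLocallyUniqueId -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAllocateLocallyUniqueId PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAllocateLocallyUniqueId_Check_X_X_XXXX:               ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtAllocateLocallyUniqueId_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAllocateLocallyUniqueId_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAllocateLocallyUniqueId_Check_10_0_XXXX
        jmp     NtAllocateLocallyUniqueId_SystemCall_Unknown
NtAllocateLocallyUniqueId_Check_6_X_XXXX:               ; PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtAllocateLocallyUniqueId_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAllocateLocallyUniqueId_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAllocateLocallyUniqueId_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAllocateLocallyUniqueId_SystemCall_6_3_XXXX
        jmp     NtAllocateLocallyUniqueId_SystemCall_Unknown
NtAllocateLocallyUniqueId_Check_6_0_XXXX:               ; Vista builds; OSBuildNumber is a USHORT (OSCSDVersion follows at +122h)
        cmp     word ptr [rax+120h], 6000
        je      NtAllocateLocallyUniqueId_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtAllocateLocallyUniqueId_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtAllocateLocallyUniqueId_SystemCall_6_0_6002
        jmp     NtAllocateLocallyUniqueId_SystemCall_Unknown
NtAllocateLocallyUniqueId_Check_6_1_XXXX:               ; Windows 7 builds
        cmp     word ptr [rax+120h], 7600
        je      NtAllocateLocallyUniqueId_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtAllocateLocallyUniqueId_SystemCall_6_1_7601
        jmp     NtAllocateLocallyUniqueId_SystemCall_Unknown
NtAllocateLocallyUniqueId_Check_10_0_XXXX:              ; Check build number for Windows 10.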
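; --- NtAllocateLocallyUniqueId continued: Windows 10 build check (OSBuildNumber is a USHORT; OSCSDVersion follows at +122h) ---
        cmp     word ptr [rax+120h], 10240
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAllocateLocallyUniqueId_SystemCall_10_0_18363
        jmp     NtAllocateLocallyUniqueId_SystemCall_Unknown
NtAllocateLocallyUniqueId_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
        mov     eax, 006bh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 006ch
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 006ch
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 006ch
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 006bh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 006bh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 006fh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 006fh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 006fh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 006fh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 006fh
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0070h
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0070h
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0070h
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0070h
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0070h
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0070h
        jmp     NtAllocateLocallyUniqueId_Epilogue
NtAllocateLocallyUniqueId_SystemCall_Unknown:           ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAllocateLocallyUniqueId_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAllocateLocallyUniqueId ENDP

;-----------------------------------------------------------------------
; NtAllocateReserveObject -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Only Windows 7 and later have an entry in the table.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAllocateReserveObject PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAllocateReserveObject_Check_X_X_XXXX:                 ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtAllocateReserveObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAllocateReserveObject_Check_10_0_XXXX
        jmp     NtAllocateReserveObject_SystemCall_Unknown
NtAllocateReserveObject_Check_6_X_XXXX:                 ; PEB.OSMinorVersion (7/8/8.1)
        cmp     dword ptr [rax+11ch], 1
        je      NtAllocateReserveObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAllocateReserveObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAllocateReserveObject_SystemCall_6_3_XXXX
        jmp     NtAllocateReserveObject_SystemCall_Unknown
NtAllocateReserveObject_Check_6_1_XXXX:                 ; Check build number for Windows 7.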
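; --- NtAllocateReserveObject continued: Windows 7 build check (OSBuildNumber is a USHORT; OSCSDVersion follows at +122h) ---
        cmp     word ptr [rax+120h], 7600
        je      NtAllocateReserveObject_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtAllocateReserveObject_SystemCall_6_1_7601
        jmp     NtAllocateReserveObject_SystemCall_Unknown
NtAllocateReserveObject_Check_10_0_XXXX:                ; Windows 10 builds
        cmp     word ptr [rax+120h], 10240
        je      NtAllocateReserveObject_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAllocateReserveObject_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAllocateReserveObject_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAllocateReserveObject_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAllocateReserveObject_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAllocateReserveObject_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAllocateReserveObject_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAllocateReserveObject_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAllocateReserveObject_SystemCall_10_0_18363
        jmp     NtAllocateReserveObject_SystemCall_Unknown
NtAllocateReserveObject_SystemCall_6_1_7600:            ; Windows 7 SP0
        mov     eax, 006ch
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 006ch
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 0070h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 0070h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 0070h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 0070h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 0070h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 0071h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 0071h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 0071h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 0071h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 0071h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 0071h
        jmp     NtAllocateReserveObject_Epilogue
NtAllocateReserveObject_SystemCall_Unknown:             ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAllocateReserveObject_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAllocateReserveObject ENDP

;-----------------------------------------------------------------------
; NtAllocateUserPhysicalPages -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAllocateUserPhysicalPages PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAllocateUserPhysicalPages_Check_X_X_XXXX:             ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtAllocateUserPhysicalPages_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAllocateUserPhysicalPages_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAllocateUserPhysicalPages_Check_10_0_XXXX
        jmp     NtAllocateUserPhysicalPages_SystemCall_Unknown
NtAllocateUserPhysicalPages_Check_6_X_XXXX:             ; PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtAllocateUserPhysicalPages_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAllocateUserPhysicalPages_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAllocateUserPhysicalPages_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAllocateUserPhysicalPages_SystemCall_6_3_XXXX
        jmp     NtAllocateUserPhysicalPages_SystemCall_Unknown
NtAllocateUserPhysicalPages_Check_6_0_XXXX:             ; Check build number for Windows Vista.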
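; --- NtAllocateUserPhysicalPages continued: Vista build check (OSBuildNumber is a USHORT; OSCSDVersion follows at +122h) ---
        cmp     word ptr [rax+120h], 6000
        je      NtAllocateUserPhysicalPages_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtAllocateUserPhysicalPages_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtAllocateUserPhysicalPages_SystemCall_6_0_6002
        jmp     NtAllocateUserPhysicalPages_SystemCall_Unknown
NtAllocateUserPhysicalPages_Check_6_1_XXXX:             ; Windows 7 builds
        cmp     word ptr [rax+120h], 7600
        je      NtAllocateUserPhysicalPages_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtAllocateUserPhysicalPages_SystemCall_6_1_7601
        jmp     NtAllocateUserPhysicalPages_SystemCall_Unknown
NtAllocateUserPhysicalPages_Check_10_0_XXXX:            ; Windows 10 builds
        cmp     word ptr [rax+120h], 10240
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAllocateUserPhysicalPages_SystemCall_10_0_18363
        jmp     NtAllocateUserPhysicalPages_SystemCall_Unknown
NtAllocateUserPhysicalPages_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 006ch
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 006dh
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 006dh
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 006dh
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 006dh
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 006dh
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 0071h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 0071h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 0071h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 0071h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 0071h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 0072h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 0072h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0072h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0072h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0072h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0072h
        jmp     NtAllocateUserPhysicalPages_Epilogue
NtAllocateUserPhysicalPages_SystemCall_Unknown:         ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAllocateUserPhysicalPages_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAllocateUserPhysicalPages ENDP

;-----------------------------------------------------------------------
; NtAllocateUuids -- direct system-call stub (Microsoft x64 ABI).
; Picks the service number for the running OS from the PEB version fields
; (gs:[60h]; +118h OSMajorVersion, +11ch OSMinorVersion, +120h OSBuildNumber
; as a USHORT) and issues SYSCALL with the caller's arguments untouched.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) for a version that is not in the table.
; Clobb: rax, r10, rcx, r11 (SYSCALL), flags.
;-----------------------------------------------------------------------
NtAllocateUuids PROC
        mov     rax, gs:[60h]                           ; rax = PEB
NtAllocateUuids_Check_X_X_XXXX:                         ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtAllocateUuids_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAllocateUuids_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAllocateUuids_Check_10_0_XXXX
        jmp     NtAllocateUuids_SystemCall_Unknown
NtAllocateUuids_Check_6_X_XXXX:                         ; PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtAllocateUuids_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAllocateUuids_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAllocateUuids_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                 ; 6.3 = Windows 8.1; was compared against 2, so 8.1 fell to Unknown
        je      NtAllocateUuids_SystemCall_6_3_XXXX
        jmp     NtAllocateUuids_SystemCall_Unknown
NtAllocateUuids_Check_6_0_XXXX:                         ; Vista builds; OSBuildNumber is a USHORT (OSCSDVersion follows at +122h)
        cmp     word ptr [rax+120h], 6000
        je      NtAllocateUuids_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtAllocateUuids_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtAllocateUuids_SystemCall_6_0_6002
        jmp     NtAllocateUuids_SystemCall_Unknown
NtAllocateUuids_Check_6_1_XXXX:                         ; Windows 7 builds
        cmp     word ptr [rax+120h], 7600
        je      NtAllocateUuids_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtAllocateUuids_SystemCall_6_1_7601
        jmp     NtAllocateUuids_SystemCall_Unknown
NtAllocateUuids_Check_10_0_XXXX:                        ; Check build number for Windows 10.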
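; --- NtAllocateUuids continued: Windows 10 build check (OSBuildNumber is a USHORT; OSCSDVersion follows at +122h) ---
        cmp     word ptr [rax+120h], 10240
        je      NtAllocateUuids_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtAllocateUuids_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtAllocateUuids_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtAllocateUuids_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtAllocateUuids_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtAllocateUuids_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtAllocateUuids_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtAllocateUuids_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtAllocateUuids_SystemCall_10_0_18363
        jmp     NtAllocateUuids_SystemCall_Unknown
NtAllocateUuids_SystemCall_5_X_XXXX:                    ; Windows XP and Server 2003
        mov     eax, 006dh
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_0_6000:                    ; Windows Vista SP0
        mov     eax, 006eh
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_0_6001:                    ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 006eh
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_0_6002:                    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 006eh
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_1_7600:                    ; Windows 7 SP0
        mov     eax, 006eh
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_1_7601:                    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 006eh
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_2_XXXX:                    ; Windows 8 and Server 2012
        mov     eax, 0072h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_6_3_XXXX:                    ; Windows 8.1 and Server 2012 R2
        mov     eax, 0072h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_10240:                  ; Windows 10.0.10240 (1507)
        mov     eax, 0072h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_10586:                  ; Windows 10.0.10586 (1511)
        mov     eax, 0072h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_14393:                  ; Windows 10.0.14393 (1607)
        mov     eax, 0072h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_15063:                  ; Windows 10.0.15063 (1703)
        mov     eax, 0073h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_16299:                  ; Windows 10.0.16299 (1709)
        mov     eax, 0073h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_17134:                  ; Windows 10.0.17134 (1803)
        mov     eax, 0073h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_17763:                  ; Windows 10.0.17763 (1809)
        mov     eax, 0073h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_18362:                  ; Windows 10.0.18362 (1903)
        mov     eax, 0073h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_10_0_18363:                  ; Windows 10.0.18363 (1909)
        mov     eax, 0073h
        jmp     NtAllocateUuids_Epilogue
NtAllocateUuids_SystemCall_Unknown:                     ; Unknown/unsupported version.
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtAllocateUuids_Epilogue:
        mov     r10, rcx                                ; SYSCALL takes arg1 in r10 (it overwrites rcx with the return RIP)
        syscall
        ret
NtAllocateUuids ENDP

; --- head of NtAllocateVirtualMemory (its body continues past this chunk; tokens unchanged) ---
NtAllocateVirtualMemory PROC
        mov     rax, gs:[60h]                           ; Load PEB into RAX.
NtAllocateVirtualMemory_Check_X_X_XXXX:                 ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtAllocateVirtualMemory_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAllocateVirtualMemory_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAllocateVirtualMemory_Check_10_0_XXXX
        jmp     NtAllocateVirtualMemory_SystemCall_Unknown
NtAllocateVirtualMemory_Check_6_X_XXXX:                 ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAllocateVirtualMemory_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAllocateVirtualMemory_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAllocateVirtualMemory_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2                 ; NOTE(review): 6.3 (Windows 8.1) needs a compare against 3; this branch is unreachable as written
        je      NtAllocateVirtualMemory_SystemCall_6_3_XXXX
        jmp     NtAllocateVirtualMemory_SystemCall_Unknown
NtAllocateVirtualMemory_Check_6_0_XXXX:                 ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000              ; NOTE(review): OSBuildNumber is a USHORT; a dword compare also reads OSCSDVersion at +122h
        je      NtAllocateVirtualMemory_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAllocateVirtualMemory_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAllocateVirtualMemory_SystemCall_6_0_6002
        jmp     NtAllocateVirtualMemory_SystemCall_Unknown
NtAllocateVirtualMemory_Check_6_1_XXXX:                 ; Check build number for Windows 7.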
cmp dword ptr [rax+120h], 7600 je NtAllocateVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAllocateVirtualMemory_SystemCall_6_1_7601 jmp NtAllocateVirtualMemory_SystemCall_Unknown NtAllocateVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAllocateVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAllocateVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAllocateVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAllocateVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAllocateVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAllocateVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAllocateVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAllocateVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAllocateVirtualMemory_SystemCall_10_0_18363 jmp NtAllocateVirtualMemory_SystemCall_Unknown NtAllocateVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0015h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0015h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0015h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0015h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0015h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0015h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0016h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_6_3_XXXX: ; 
Windows 8.1 and Server 2012 R2 mov eax, 0017h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0018h jmp NtAllocateVirtualMemory_Epilogue NtAllocateVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAllocateVirtualMemory_Epilogue: mov r10, rcx syscall ret NtAllocateVirtualMemory ENDP NtAllocateVirtualMemoryEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAllocateVirtualMemoryEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtAllocateVirtualMemoryEx_Check_10_0_XXXX jmp NtAllocateVirtualMemoryEx_SystemCall_Unknown NtAllocateVirtualMemoryEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 17134 je NtAllocateVirtualMemoryEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAllocateVirtualMemoryEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAllocateVirtualMemoryEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAllocateVirtualMemoryEx_SystemCall_10_0_18363 jmp NtAllocateVirtualMemoryEx_SystemCall_Unknown NtAllocateVirtualMemoryEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0074h jmp NtAllocateVirtualMemoryEx_Epilogue NtAllocateVirtualMemoryEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0074h jmp NtAllocateVirtualMemoryEx_Epilogue NtAllocateVirtualMemoryEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0074h jmp NtAllocateVirtualMemoryEx_Epilogue NtAllocateVirtualMemoryEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0074h jmp NtAllocateVirtualMemoryEx_Epilogue NtAllocateVirtualMemoryEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAllocateVirtualMemoryEx_Epilogue: mov r10, rcx syscall ret NtAllocateVirtualMemoryEx ENDP NtAlpcAcceptConnectPort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcAcceptConnectPort_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcAcceptConnectPort_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcAcceptConnectPort_Check_10_0_XXXX jmp NtAlpcAcceptConnectPort_SystemCall_Unknown NtAlpcAcceptConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcAcceptConnectPort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcAcceptConnectPort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcAcceptConnectPort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcAcceptConnectPort_SystemCall_6_3_XXXX jmp NtAlpcAcceptConnectPort_SystemCall_Unknown NtAlpcAcceptConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtAlpcAcceptConnectPort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcAcceptConnectPort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcAcceptConnectPort_SystemCall_6_0_6002 jmp NtAlpcAcceptConnectPort_SystemCall_Unknown NtAlpcAcceptConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcAcceptConnectPort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcAcceptConnectPort_SystemCall_6_1_7601 jmp NtAlpcAcceptConnectPort_SystemCall_Unknown NtAlpcAcceptConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAlpcAcceptConnectPort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcAcceptConnectPort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcAcceptConnectPort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcAcceptConnectPort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcAcceptConnectPort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcAcceptConnectPort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcAcceptConnectPort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcAcceptConnectPort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcAcceptConnectPort_SystemCall_10_0_18363 jmp NtAlpcAcceptConnectPort_SystemCall_Unknown NtAlpcAcceptConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 006fh jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 006fh jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 006fh jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 006fh jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 
SP0 mov eax, 006fh jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0073h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0073h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0073h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0073h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0073h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0074h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0074h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0075h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0075h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0075h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0075h jmp NtAlpcAcceptConnectPort_Epilogue NtAlpcAcceptConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcAcceptConnectPort_Epilogue: mov r10, rcx syscall ret NtAlpcAcceptConnectPort ENDP NtAlpcCancelMessage PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcCancelMessage_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtAlpcCancelMessage_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcCancelMessage_Check_10_0_XXXX jmp NtAlpcCancelMessage_SystemCall_Unknown NtAlpcCancelMessage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcCancelMessage_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcCancelMessage_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcCancelMessage_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcCancelMessage_SystemCall_6_3_XXXX jmp NtAlpcCancelMessage_SystemCall_Unknown NtAlpcCancelMessage_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcCancelMessage_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcCancelMessage_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcCancelMessage_SystemCall_6_0_6002 jmp NtAlpcCancelMessage_SystemCall_Unknown NtAlpcCancelMessage_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcCancelMessage_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcCancelMessage_SystemCall_6_1_7601 jmp NtAlpcCancelMessage_SystemCall_Unknown NtAlpcCancelMessage_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAlpcCancelMessage_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcCancelMessage_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcCancelMessage_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcCancelMessage_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcCancelMessage_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcCancelMessage_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcCancelMessage_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcCancelMessage_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcCancelMessage_SystemCall_10_0_18363 jmp NtAlpcCancelMessage_SystemCall_Unknown NtAlpcCancelMessage_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0070h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0070h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0070h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0070h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0070h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0074h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0074h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0074h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0074h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0074h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_15063: ; Windows 10.0.15063 
(1703) mov eax, 0075h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0075h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0076h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0076h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0076h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0076h jmp NtAlpcCancelMessage_Epilogue NtAlpcCancelMessage_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcCancelMessage_Epilogue: mov r10, rcx syscall ret NtAlpcCancelMessage ENDP NtAlpcConnectPort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcConnectPort_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcConnectPort_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcConnectPort_Check_10_0_XXXX jmp NtAlpcConnectPort_SystemCall_Unknown NtAlpcConnectPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcConnectPort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcConnectPort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcConnectPort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcConnectPort_SystemCall_6_3_XXXX jmp NtAlpcConnectPort_SystemCall_Unknown NtAlpcConnectPort_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcConnectPort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcConnectPort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcConnectPort_SystemCall_6_0_6002 jmp NtAlpcConnectPort_SystemCall_Unknown NtAlpcConnectPort_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtAlpcConnectPort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcConnectPort_SystemCall_6_1_7601 jmp NtAlpcConnectPort_SystemCall_Unknown NtAlpcConnectPort_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAlpcConnectPort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcConnectPort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcConnectPort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcConnectPort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcConnectPort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcConnectPort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcConnectPort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcConnectPort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcConnectPort_SystemCall_10_0_18363 jmp NtAlpcConnectPort_SystemCall_Unknown NtAlpcConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0071h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0071h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0071h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0071h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0071h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0075h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0075h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0075h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0075h jmp 
NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0075h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0076h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0076h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0077h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0077h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0077h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0077h jmp NtAlpcConnectPort_Epilogue NtAlpcConnectPort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcConnectPort_Epilogue: mov r10, rcx syscall ret NtAlpcConnectPort ENDP NtAlpcConnectPortEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcConnectPortEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcConnectPortEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcConnectPortEx_Check_10_0_XXXX jmp NtAlpcConnectPortEx_SystemCall_Unknown NtAlpcConnectPortEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtAlpcConnectPortEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcConnectPortEx_SystemCall_6_3_XXXX jmp NtAlpcConnectPortEx_SystemCall_Unknown NtAlpcConnectPortEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAlpcConnectPortEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcConnectPortEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcConnectPortEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcConnectPortEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcConnectPortEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcConnectPortEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcConnectPortEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcConnectPortEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcConnectPortEx_SystemCall_10_0_18363 jmp NtAlpcConnectPortEx_SystemCall_Unknown NtAlpcConnectPortEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0076h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0076h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0076h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0076h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0076h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0077h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0077h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0078h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0078h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0078h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) 
mov eax, 0078h jmp NtAlpcConnectPortEx_Epilogue NtAlpcConnectPortEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcConnectPortEx_Epilogue: mov r10, rcx syscall ret NtAlpcConnectPortEx ENDP NtAlpcCreatePort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcCreatePort_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcCreatePort_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcCreatePort_Check_10_0_XXXX jmp NtAlpcCreatePort_SystemCall_Unknown NtAlpcCreatePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcCreatePort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcCreatePort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcCreatePort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcCreatePort_SystemCall_6_3_XXXX jmp NtAlpcCreatePort_SystemCall_Unknown NtAlpcCreatePort_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcCreatePort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcCreatePort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcCreatePort_SystemCall_6_0_6002 jmp NtAlpcCreatePort_SystemCall_Unknown NtAlpcCreatePort_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcCreatePort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcCreatePort_SystemCall_6_1_7601 jmp NtAlpcCreatePort_SystemCall_Unknown NtAlpcCreatePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAlpcCreatePort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcCreatePort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcCreatePort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcCreatePort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcCreatePort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcCreatePort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcCreatePort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcCreatePort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcCreatePort_SystemCall_10_0_18363 jmp NtAlpcCreatePort_SystemCall_Unknown NtAlpcCreatePort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0072h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0072h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0072h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0072h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0072h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0077h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0077h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0077h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0077h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0077h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0078h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_16299: ; 
Windows 10.0.16299 (1709) mov eax, 0078h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0079h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0079h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0079h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0079h jmp NtAlpcCreatePort_Epilogue NtAlpcCreatePort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcCreatePort_Epilogue: mov r10, rcx syscall ret NtAlpcCreatePort ENDP NtAlpcCreatePortSection PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcCreatePortSection_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcCreatePortSection_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcCreatePortSection_Check_10_0_XXXX jmp NtAlpcCreatePortSection_SystemCall_Unknown NtAlpcCreatePortSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcCreatePortSection_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcCreatePortSection_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcCreatePortSection_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcCreatePortSection_SystemCall_6_3_XXXX jmp NtAlpcCreatePortSection_SystemCall_Unknown NtAlpcCreatePortSection_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcCreatePortSection_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcCreatePortSection_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcCreatePortSection_SystemCall_6_0_6002 jmp NtAlpcCreatePortSection_SystemCall_Unknown NtAlpcCreatePortSection_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtAlpcCreatePortSection_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcCreatePortSection_SystemCall_6_1_7601 jmp NtAlpcCreatePortSection_SystemCall_Unknown NtAlpcCreatePortSection_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAlpcCreatePortSection_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcCreatePortSection_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcCreatePortSection_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcCreatePortSection_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcCreatePortSection_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcCreatePortSection_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcCreatePortSection_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcCreatePortSection_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcCreatePortSection_SystemCall_10_0_18363 jmp NtAlpcCreatePortSection_SystemCall_Unknown NtAlpcCreatePortSection_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0073h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0073h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0073h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0073h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0073h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0078h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0078h jmp NtAlpcCreatePortSection_Epilogue NtAlpcCreatePortSection_SystemCall_10_0_10240: 
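; Windows 10.0.10240 (1507)
        mov     eax, 0078h
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 0078h
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 0078h
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 0079h
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 0079h
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 007ah
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 007ah
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 007ah
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 007ah
        jmp     NtAlpcCreatePortSection_Epilogue
NtAlpcCreatePortSection_SystemCall_Unknown:             ; Unknown/unsupported version.
        ret
NtAlpcCreatePortSection_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtAlpcCreatePortSection ENDP

;-----------------------------------------------------------------------
; Common shape of every stub below (Microsoft x64 ABI, leaf, no stack):
;   1. rax = PEB (gs:[60h]).
;   2. Dispatch on PEB.OSMajorVersion (+118h), OSMinorVersion (+11Ch)
;      and OSBuildNumber (+120h) to the service number for that build.
;   3. eax = service number; r10 = rcx (SYSCALL overwrites rcx with the
;      return RIP, so the kernel reads the first argument from r10);
;      SYSCALL; ret.  eax then holds the kernel's NTSTATUS.
; Clobbers: rax, rcx, r10, r11, flags.  All other registers are left as
; the caller set them, so the stubs take the same arguments as the ntdll
; exports of the same name.
; Fixes applied to all eight stubs:
;   * The second minor-version compare tested 2 twice, so the 6.3
;     (Windows 8.1 / Server 2012 R2) branch was unreachable and 8.1
;     callers fell through to the unsupported path.  It now tests 3.
;   * The unsupported path returned with rax still holding the PEB
;     pointer, i.e. an undefined NTSTATUS.  It now fails closed with
;     STATUS_NOT_SUPPORTED so callers can detect a build that is not in
;     the table (any build newer than the last entry ends up here).
;-----------------------------------------------------------------------
IFNDEF STATUS_NOT_SUPPORTED
STATUS_NOT_SUPPORTED EQU 0C00000BBh
ENDIF

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcCreateResourceReserve(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcCreateResourceReserve PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcCreateResourceReserve_Check_X_X_XXXX:                     ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcCreateResourceReserve_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcCreateResourceReserve_Check_10_0_XXXX
        jmp     NtAlpcCreateResourceReserve_SystemCall_Unknown
NtAlpcCreateResourceReserve_Check_6_X_XXXX:                     ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcCreateResourceReserve_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcCreateResourceReserve_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcCreateResourceReserve_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcCreateResourceReserve_SystemCall_6_3_XXXX
        jmp     NtAlpcCreateResourceReserve_SystemCall_Unknown
NtAlpcCreateResourceReserve_Check_6_0_XXXX:                     ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcCreateResourceReserve_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcCreateResourceReserve_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcCreateResourceReserve_SystemCall_6_0_6002
        jmp     NtAlpcCreateResourceReserve_SystemCall_Unknown
NtAlpcCreateResourceReserve_Check_6_1_XXXX:                     ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcCreateResourceReserve_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcCreateResourceReserve_SystemCall_6_1_7601
        jmp     NtAlpcCreateResourceReserve_SystemCall_Unknown
NtAlpcCreateResourceReserve_Check_10_0_XXXX:                    ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcCreateResourceReserve_SystemCall_10_0_18363
        jmp     NtAlpcCreateResourceReserve_SystemCall_Unknown
NtAlpcCreateResourceReserve_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 0074h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0074h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0074h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 0074h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0074h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 0079h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 0079h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 0079h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 0079h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 0079h
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 007ah
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 007ah
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 007bh
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 007bh
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 007bh
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 007bh
        jmp     NtAlpcCreateResourceReserve_Epilogue
NtAlpcCreateResourceReserve_SystemCall_Unknown:                 ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcCreateResourceReserve_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcCreateResourceReserve ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcCreateSectionView(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcCreateSectionView PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcCreateSectionView_Check_X_X_XXXX:                         ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcCreateSectionView_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcCreateSectionView_Check_10_0_XXXX
        jmp     NtAlpcCreateSectionView_SystemCall_Unknown
NtAlpcCreateSectionView_Check_6_X_XXXX:                         ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcCreateSectionView_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcCreateSectionView_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcCreateSectionView_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcCreateSectionView_SystemCall_6_3_XXXX
        jmp     NtAlpcCreateSectionView_SystemCall_Unknown
NtAlpcCreateSectionView_Check_6_0_XXXX:                         ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcCreateSectionView_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcCreateSectionView_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcCreateSectionView_SystemCall_6_0_6002
        jmp     NtAlpcCreateSectionView_SystemCall_Unknown
NtAlpcCreateSectionView_Check_6_1_XXXX:                         ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcCreateSectionView_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcCreateSectionView_SystemCall_6_1_7601
        jmp     NtAlpcCreateSectionView_SystemCall_Unknown
NtAlpcCreateSectionView_Check_10_0_XXXX:                        ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcCreateSectionView_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcCreateSectionView_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcCreateSectionView_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcCreateSectionView_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcCreateSectionView_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcCreateSectionView_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcCreateSectionView_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcCreateSectionView_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcCreateSectionView_SystemCall_10_0_18363
        jmp     NtAlpcCreateSectionView_SystemCall_Unknown
NtAlpcCreateSectionView_SystemCall_6_0_6000:                    ; Windows Vista SP0
        mov     eax, 0075h
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_6_0_6001:                    ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0075h
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_6_0_6002:                    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0075h
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_6_1_7600:                    ; Windows 7 SP0
        mov     eax, 0075h
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_6_1_7601:                    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0075h
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_6_2_XXXX:                    ; Windows 8 and Server 2012
        mov     eax, 007ah
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_6_3_XXXX:                    ; Windows 8.1 and Server 2012 R2
        mov     eax, 007ah
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_10240:                  ; Windows 10.0.10240 (1507)
        mov     eax, 007ah
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_10586:                  ; Windows 10.0.10586 (1511)
        mov     eax, 007ah
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_14393:                  ; Windows 10.0.14393 (1607)
        mov     eax, 007ah
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_15063:                  ; Windows 10.0.15063 (1703)
        mov     eax, 007bh
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_16299:                  ; Windows 10.0.16299 (1709)
        mov     eax, 007bh
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_17134:                  ; Windows 10.0.17134 (1803)
        mov     eax, 007ch
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_17763:                  ; Windows 10.0.17763 (1809)
        mov     eax, 007ch
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_18362:                  ; Windows 10.0.18362 (1903)
        mov     eax, 007ch
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_10_0_18363:                  ; Windows 10.0.18363 (1909)
        mov     eax, 007ch
        jmp     NtAlpcCreateSectionView_Epilogue
NtAlpcCreateSectionView_SystemCall_Unknown:                     ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcCreateSectionView_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcCreateSectionView ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcCreateSecurityContext(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcCreateSecurityContext PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcCreateSecurityContext_Check_X_X_XXXX:                     ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcCreateSecurityContext_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcCreateSecurityContext_Check_10_0_XXXX
        jmp     NtAlpcCreateSecurityContext_SystemCall_Unknown
NtAlpcCreateSecurityContext_Check_6_X_XXXX:                     ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcCreateSecurityContext_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcCreateSecurityContext_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcCreateSecurityContext_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcCreateSecurityContext_SystemCall_6_3_XXXX
        jmp     NtAlpcCreateSecurityContext_SystemCall_Unknown
NtAlpcCreateSecurityContext_Check_6_0_XXXX:                     ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcCreateSecurityContext_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcCreateSecurityContext_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcCreateSecurityContext_SystemCall_6_0_6002
        jmp     NtAlpcCreateSecurityContext_SystemCall_Unknown
NtAlpcCreateSecurityContext_Check_6_1_XXXX:                     ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcCreateSecurityContext_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcCreateSecurityContext_SystemCall_6_1_7601
        jmp     NtAlpcCreateSecurityContext_SystemCall_Unknown
NtAlpcCreateSecurityContext_Check_10_0_XXXX:                    ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcCreateSecurityContext_SystemCall_10_0_18363
        jmp     NtAlpcCreateSecurityContext_SystemCall_Unknown
NtAlpcCreateSecurityContext_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 0076h
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0076h
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0076h
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 0076h
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0076h
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 007bh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 007bh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 007bh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 007bh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 007bh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 007ch
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 007ch
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 007dh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 007dh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 007dh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 007dh
        jmp     NtAlpcCreateSecurityContext_Epilogue
NtAlpcCreateSecurityContext_SystemCall_Unknown:                 ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcCreateSecurityContext_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcCreateSecurityContext ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcDeletePortSection(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcDeletePortSection PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcDeletePortSection_Check_X_X_XXXX:                         ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcDeletePortSection_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcDeletePortSection_Check_10_0_XXXX
        jmp     NtAlpcDeletePortSection_SystemCall_Unknown
NtAlpcDeletePortSection_Check_6_X_XXXX:                         ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcDeletePortSection_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcDeletePortSection_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcDeletePortSection_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcDeletePortSection_SystemCall_6_3_XXXX
        jmp     NtAlpcDeletePortSection_SystemCall_Unknown
NtAlpcDeletePortSection_Check_6_0_XXXX:                         ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcDeletePortSection_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcDeletePortSection_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcDeletePortSection_SystemCall_6_0_6002
        jmp     NtAlpcDeletePortSection_SystemCall_Unknown
NtAlpcDeletePortSection_Check_6_1_XXXX:                         ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcDeletePortSection_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcDeletePortSection_SystemCall_6_1_7601
        jmp     NtAlpcDeletePortSection_SystemCall_Unknown
NtAlpcDeletePortSection_Check_10_0_XXXX:                        ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcDeletePortSection_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcDeletePortSection_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcDeletePortSection_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcDeletePortSection_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcDeletePortSection_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcDeletePortSection_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcDeletePortSection_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcDeletePortSection_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcDeletePortSection_SystemCall_10_0_18363
        jmp     NtAlpcDeletePortSection_SystemCall_Unknown
NtAlpcDeletePortSection_SystemCall_6_0_6000:                    ; Windows Vista SP0
        mov     eax, 0077h
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_6_0_6001:                    ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0077h
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_6_0_6002:                    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0077h
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_6_1_7600:                    ; Windows 7 SP0
        mov     eax, 0077h
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_6_1_7601:                    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0077h
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_6_2_XXXX:                    ; Windows 8 and Server 2012
        mov     eax, 007ch
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_6_3_XXXX:                    ; Windows 8.1 and Server 2012 R2
        mov     eax, 007ch
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_10240:                  ; Windows 10.0.10240 (1507)
        mov     eax, 007ch
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_10586:                  ; Windows 10.0.10586 (1511)
        mov     eax, 007ch
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_14393:                  ; Windows 10.0.14393 (1607)
        mov     eax, 007ch
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_15063:                  ; Windows 10.0.15063 (1703)
        mov     eax, 007dh
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_16299:                  ; Windows 10.0.16299 (1709)
        mov     eax, 007dh
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_17134:                  ; Windows 10.0.17134 (1803)
        mov     eax, 007eh
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_17763:                  ; Windows 10.0.17763 (1809)
        mov     eax, 007eh
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_18362:                  ; Windows 10.0.18362 (1903)
        mov     eax, 007eh
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_10_0_18363:                  ; Windows 10.0.18363 (1909)
        mov     eax, 007eh
        jmp     NtAlpcDeletePortSection_Epilogue
NtAlpcDeletePortSection_SystemCall_Unknown:                     ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcDeletePortSection_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcDeletePortSection ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcDeleteResourceReserve(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcDeleteResourceReserve PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcDeleteResourceReserve_Check_X_X_XXXX:                     ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcDeleteResourceReserve_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcDeleteResourceReserve_Check_10_0_XXXX
        jmp     NtAlpcDeleteResourceReserve_SystemCall_Unknown
NtAlpcDeleteResourceReserve_Check_6_X_XXXX:                     ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcDeleteResourceReserve_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcDeleteResourceReserve_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcDeleteResourceReserve_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcDeleteResourceReserve_SystemCall_6_3_XXXX
        jmp     NtAlpcDeleteResourceReserve_SystemCall_Unknown
NtAlpcDeleteResourceReserve_Check_6_0_XXXX:                     ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcDeleteResourceReserve_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcDeleteResourceReserve_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcDeleteResourceReserve_SystemCall_6_0_6002
        jmp     NtAlpcDeleteResourceReserve_SystemCall_Unknown
NtAlpcDeleteResourceReserve_Check_6_1_XXXX:                     ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcDeleteResourceReserve_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcDeleteResourceReserve_SystemCall_6_1_7601
        jmp     NtAlpcDeleteResourceReserve_SystemCall_Unknown
NtAlpcDeleteResourceReserve_Check_10_0_XXXX:                    ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcDeleteResourceReserve_SystemCall_10_0_18363
        jmp     NtAlpcDeleteResourceReserve_SystemCall_Unknown
NtAlpcDeleteResourceReserve_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 0078h
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0078h
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0078h
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 0078h
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0078h
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 007dh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 007dh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 007dh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 007dh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 007dh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 007eh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 007eh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 007fh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 007fh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 007fh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 007fh
        jmp     NtAlpcDeleteResourceReserve_Epilogue
NtAlpcDeleteResourceReserve_SystemCall_Unknown:                 ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcDeleteResourceReserve_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcDeleteResourceReserve ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcDeleteSectionView(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcDeleteSectionView PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcDeleteSectionView_Check_X_X_XXXX:                         ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcDeleteSectionView_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcDeleteSectionView_Check_10_0_XXXX
        jmp     NtAlpcDeleteSectionView_SystemCall_Unknown
NtAlpcDeleteSectionView_Check_6_X_XXXX:                         ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcDeleteSectionView_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcDeleteSectionView_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcDeleteSectionView_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcDeleteSectionView_SystemCall_6_3_XXXX
        jmp     NtAlpcDeleteSectionView_SystemCall_Unknown
NtAlpcDeleteSectionView_Check_6_0_XXXX:                         ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcDeleteSectionView_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcDeleteSectionView_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcDeleteSectionView_SystemCall_6_0_6002
        jmp     NtAlpcDeleteSectionView_SystemCall_Unknown
NtAlpcDeleteSectionView_Check_6_1_XXXX:                         ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcDeleteSectionView_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcDeleteSectionView_SystemCall_6_1_7601
        jmp     NtAlpcDeleteSectionView_SystemCall_Unknown
NtAlpcDeleteSectionView_Check_10_0_XXXX:                        ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcDeleteSectionView_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcDeleteSectionView_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcDeleteSectionView_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcDeleteSectionView_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcDeleteSectionView_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcDeleteSectionView_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcDeleteSectionView_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcDeleteSectionView_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcDeleteSectionView_SystemCall_10_0_18363
        jmp     NtAlpcDeleteSectionView_SystemCall_Unknown
NtAlpcDeleteSectionView_SystemCall_6_0_6000:                    ; Windows Vista SP0
        mov     eax, 0079h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_6_0_6001:                    ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0079h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_6_0_6002:                    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0079h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_6_1_7600:                    ; Windows 7 SP0
        mov     eax, 0079h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_6_1_7601:                    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0079h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_6_2_XXXX:                    ; Windows 8 and Server 2012
        mov     eax, 007eh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_6_3_XXXX:                    ; Windows 8.1 and Server 2012 R2
        mov     eax, 007eh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_10240:                  ; Windows 10.0.10240 (1507)
        mov     eax, 007eh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_10586:                  ; Windows 10.0.10586 (1511)
        mov     eax, 007eh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_14393:                  ; Windows 10.0.14393 (1607)
        mov     eax, 007eh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_15063:                  ; Windows 10.0.15063 (1703)
        mov     eax, 007fh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_16299:                  ; Windows 10.0.16299 (1709)
        mov     eax, 007fh
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_17134:                  ; Windows 10.0.17134 (1803)
        mov     eax, 0080h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_17763:                  ; Windows 10.0.17763 (1809)
        mov     eax, 0080h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_18362:                  ; Windows 10.0.18362 (1903)
        mov     eax, 0080h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_10_0_18363:                  ; Windows 10.0.18363 (1909)
        mov     eax, 0080h
        jmp     NtAlpcDeleteSectionView_Epilogue
NtAlpcDeleteSectionView_SystemCall_Unknown:                     ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcDeleteSectionView_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcDeleteSectionView ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcDeleteSecurityContext(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcDeleteSecurityContext PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcDeleteSecurityContext_Check_X_X_XXXX:                     ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcDeleteSecurityContext_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcDeleteSecurityContext_Check_10_0_XXXX
        jmp     NtAlpcDeleteSecurityContext_SystemCall_Unknown
NtAlpcDeleteSecurityContext_Check_6_X_XXXX:                     ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcDeleteSecurityContext_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcDeleteSecurityContext_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcDeleteSecurityContext_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcDeleteSecurityContext_SystemCall_6_3_XXXX
        jmp     NtAlpcDeleteSecurityContext_SystemCall_Unknown
NtAlpcDeleteSecurityContext_Check_6_0_XXXX:                     ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcDeleteSecurityContext_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcDeleteSecurityContext_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcDeleteSecurityContext_SystemCall_6_0_6002
        jmp     NtAlpcDeleteSecurityContext_SystemCall_Unknown
NtAlpcDeleteSecurityContext_Check_6_1_XXXX:                     ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcDeleteSecurityContext_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcDeleteSecurityContext_SystemCall_6_1_7601
        jmp     NtAlpcDeleteSecurityContext_SystemCall_Unknown
NtAlpcDeleteSecurityContext_Check_10_0_XXXX:                    ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcDeleteSecurityContext_SystemCall_10_0_18363
        jmp     NtAlpcDeleteSecurityContext_SystemCall_Unknown
NtAlpcDeleteSecurityContext_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 007ah
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 007ah
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 007ah
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 007ah
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 007ah
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 007fh
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 007fh
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 007fh
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 007fh
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 007fh
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 0080h
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 0080h
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 0081h
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 0081h
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 0081h
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 0081h
        jmp     NtAlpcDeleteSecurityContext_Epilogue
NtAlpcDeleteSecurityContext_SystemCall_Unknown:                 ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcDeleteSecurityContext_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcDeleteSecurityContext ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtAlpcDisconnectPort(...)  -- direct-syscall stub
; Out:   eax = NTSTATUS, or STATUS_NOT_SUPPORTED for an unknown build.
; Clobb: rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtAlpcDisconnectPort PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcDisconnectPort_Check_X_X_XXXX:                            ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcDisconnectPort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcDisconnectPort_Check_10_0_XXXX
        jmp     NtAlpcDisconnectPort_SystemCall_Unknown
NtAlpcDisconnectPort_Check_6_X_XXXX:                            ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcDisconnectPort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcDisconnectPort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcDisconnectPort_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (was mistakenly 2).
        je      NtAlpcDisconnectPort_SystemCall_6_3_XXXX
        jmp     NtAlpcDisconnectPort_SystemCall_Unknown
NtAlpcDisconnectPort_Check_6_0_XXXX:                            ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcDisconnectPort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcDisconnectPort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcDisconnectPort_SystemCall_6_0_6002
        jmp     NtAlpcDisconnectPort_SystemCall_Unknown
NtAlpcDisconnectPort_Check_6_1_XXXX:                            ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcDisconnectPort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcDisconnectPort_SystemCall_6_1_7601
        jmp     NtAlpcDisconnectPort_SystemCall_Unknown
NtAlpcDisconnectPort_Check_10_0_XXXX:                           ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcDisconnectPort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcDisconnectPort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcDisconnectPort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcDisconnectPort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcDisconnectPort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcDisconnectPort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcDisconnectPort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcDisconnectPort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcDisconnectPort_SystemCall_10_0_18363
        jmp     NtAlpcDisconnectPort_SystemCall_Unknown
NtAlpcDisconnectPort_SystemCall_6_0_6000:                       ; Windows Vista SP0
        mov     eax, 007bh
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_6_0_6001:                       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 007bh
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_6_0_6002:                       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 007bh
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_6_1_7600:                       ; Windows 7 SP0
        mov     eax, 007bh
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_6_1_7601:                       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 007bh
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_6_2_XXXX:                       ; Windows 8 and Server 2012
        mov     eax, 0080h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_6_3_XXXX:                       ; Windows 8.1 and Server 2012 R2
        mov     eax, 0080h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_10240:                     ; Windows 10.0.10240 (1507)
        mov     eax, 0080h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_10586:                     ; Windows 10.0.10586 (1511)
        mov     eax, 0080h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_14393:                     ; Windows 10.0.14393 (1607)
        mov     eax, 0080h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_15063:                     ; Windows 10.0.15063 (1703)
        mov     eax, 0081h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_16299:                     ; Windows 10.0.16299 (1709)
        mov     eax, 0081h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_17134:                     ; Windows 10.0.17134 (1803)
        mov     eax, 0082h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_17763:                     ; Windows 10.0.17763 (1809)
        mov     eax, 0082h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_18362:                     ; Windows 10.0.18362 (1903)
        mov     eax, 0082h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_10_0_18363:                     ; Windows 10.0.18363 (1909)
        mov     eax, 0082h
        jmp     NtAlpcDisconnectPort_Epilogue
NtAlpcDisconnectPort_SystemCall_Unknown:                        ; Unknown/unsupported version: fail closed.
        mov     eax, STATUS_NOT_SUPPORTED
        ret
NtAlpcDisconnectPort_Epilogue:
        mov     r10, rcx                                        ; Kernel reads arg1 from r10; SYSCALL clobbers rcx.
        syscall
        ret
NtAlpcDisconnectPort ENDP

NtAlpcImpersonateClientContainerOfPort PROC
        mov     rax, gs:[60h]                                   ; Load PEB into RAX.
NtAlpcImpersonateClientContainerOfPort_Check_X_X_XXXX:          ; Check major version.
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcImpersonateClientContainerOfPort_Check_10_0_XXXX
        jmp     NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown
NtAlpcImpersonateClientContainerOfPort_Check_10_0_XXXX:         ; Check build number for Windows 10.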
cmp dword ptr [rax+120h], 10240 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18363 jmp NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0081h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0081h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0081h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0082h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0082h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0083h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0083h jmp 
NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0083h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0083h jmp NtAlpcImpersonateClientContainerOfPort_Epilogue NtAlpcImpersonateClientContainerOfPort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcImpersonateClientContainerOfPort_Epilogue: mov r10, rcx syscall ret NtAlpcImpersonateClientContainerOfPort ENDP NtAlpcImpersonateClientOfPort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcImpersonateClientOfPort_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcImpersonateClientOfPort_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcImpersonateClientOfPort_Check_10_0_XXXX jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown NtAlpcImpersonateClientOfPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcImpersonateClientOfPort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcImpersonateClientOfPort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcImpersonateClientOfPort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcImpersonateClientOfPort_SystemCall_6_3_XXXX jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown NtAlpcImpersonateClientOfPort_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcImpersonateClientOfPort_SystemCall_6_0_6002 jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown NtAlpcImpersonateClientOfPort_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtAlpcImpersonateClientOfPort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcImpersonateClientOfPort_SystemCall_6_1_7601 jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown NtAlpcImpersonateClientOfPort_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcImpersonateClientOfPort_SystemCall_10_0_18363 jmp NtAlpcImpersonateClientOfPort_SystemCall_Unknown NtAlpcImpersonateClientOfPort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 007ch jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 007ch jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 007ch jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 007ch jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 007ch jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0081h jmp NtAlpcImpersonateClientOfPort_Epilogue 
NtAlpcImpersonateClientOfPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0081h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0082h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0082h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0082h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0083h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0083h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0084h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0084h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0084h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0084h jmp NtAlpcImpersonateClientOfPort_Epilogue NtAlpcImpersonateClientOfPort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcImpersonateClientOfPort_Epilogue: mov r10, rcx syscall ret NtAlpcImpersonateClientOfPort ENDP NtAlpcOpenSenderProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcOpenSenderProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcOpenSenderProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcOpenSenderProcess_Check_10_0_XXXX jmp NtAlpcOpenSenderProcess_SystemCall_Unknown NtAlpcOpenSenderProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtAlpcOpenSenderProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcOpenSenderProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcOpenSenderProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcOpenSenderProcess_SystemCall_6_3_XXXX jmp NtAlpcOpenSenderProcess_SystemCall_Unknown NtAlpcOpenSenderProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcOpenSenderProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcOpenSenderProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcOpenSenderProcess_SystemCall_6_0_6002 jmp NtAlpcOpenSenderProcess_SystemCall_Unknown NtAlpcOpenSenderProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcOpenSenderProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcOpenSenderProcess_SystemCall_6_1_7601 jmp NtAlpcOpenSenderProcess_SystemCall_Unknown NtAlpcOpenSenderProcess_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAlpcOpenSenderProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcOpenSenderProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcOpenSenderProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcOpenSenderProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcOpenSenderProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcOpenSenderProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcOpenSenderProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcOpenSenderProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcOpenSenderProcess_SystemCall_10_0_18363 jmp NtAlpcOpenSenderProcess_SystemCall_Unknown NtAlpcOpenSenderProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 007dh jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 007dh jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 007dh jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 007dh jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 007dh jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0082h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0082h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0083h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0083h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) 
mov eax, 0083h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0084h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0084h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0085h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0085h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0085h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0085h jmp NtAlpcOpenSenderProcess_Epilogue NtAlpcOpenSenderProcess_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcOpenSenderProcess_Epilogue: mov r10, rcx syscall ret NtAlpcOpenSenderProcess ENDP NtAlpcOpenSenderThread PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcOpenSenderThread_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcOpenSenderThread_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcOpenSenderThread_Check_10_0_XXXX jmp NtAlpcOpenSenderThread_SystemCall_Unknown NtAlpcOpenSenderThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcOpenSenderThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcOpenSenderThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcOpenSenderThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcOpenSenderThread_SystemCall_6_3_XXXX jmp NtAlpcOpenSenderThread_SystemCall_Unknown NtAlpcOpenSenderThread_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtAlpcOpenSenderThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcOpenSenderThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcOpenSenderThread_SystemCall_6_0_6002 jmp NtAlpcOpenSenderThread_SystemCall_Unknown NtAlpcOpenSenderThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcOpenSenderThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcOpenSenderThread_SystemCall_6_1_7601 jmp NtAlpcOpenSenderThread_SystemCall_Unknown NtAlpcOpenSenderThread_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAlpcOpenSenderThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcOpenSenderThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcOpenSenderThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcOpenSenderThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcOpenSenderThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcOpenSenderThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcOpenSenderThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcOpenSenderThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcOpenSenderThread_SystemCall_10_0_18363 jmp NtAlpcOpenSenderThread_SystemCall_Unknown NtAlpcOpenSenderThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 007eh jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 007eh jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 007eh jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 007eh jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 007eh jmp 
NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0083h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0083h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0084h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0084h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0084h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0085h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0085h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0086h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0086h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0086h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0086h jmp NtAlpcOpenSenderThread_Epilogue NtAlpcOpenSenderThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcOpenSenderThread_Epilogue: mov r10, rcx syscall ret NtAlpcOpenSenderThread ENDP NtAlpcQueryInformation PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcQueryInformation_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcQueryInformation_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcQueryInformation_Check_10_0_XXXX jmp NtAlpcQueryInformation_SystemCall_Unknown NtAlpcQueryInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtAlpcQueryInformation_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcQueryInformation_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcQueryInformation_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcQueryInformation_SystemCall_6_3_XXXX jmp NtAlpcQueryInformation_SystemCall_Unknown NtAlpcQueryInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcQueryInformation_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcQueryInformation_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcQueryInformation_SystemCall_6_0_6002 jmp NtAlpcQueryInformation_SystemCall_Unknown NtAlpcQueryInformation_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcQueryInformation_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcQueryInformation_SystemCall_6_1_7601 jmp NtAlpcQueryInformation_SystemCall_Unknown NtAlpcQueryInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAlpcQueryInformation_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcQueryInformation_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcQueryInformation_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcQueryInformation_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcQueryInformation_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcQueryInformation_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcQueryInformation_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcQueryInformation_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcQueryInformation_SystemCall_10_0_18363 jmp NtAlpcQueryInformation_SystemCall_Unknown NtAlpcQueryInformation_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 007fh jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 007fh jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 007fh jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 007fh jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 007fh jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0084h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0084h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0085h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0085h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0085h jmp 
NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0086h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0086h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0087h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0087h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0087h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0087h jmp NtAlpcQueryInformation_Epilogue NtAlpcQueryInformation_SystemCall_Unknown: ; Unknown/unsupported version. ret NtAlpcQueryInformation_Epilogue: mov r10, rcx syscall ret NtAlpcQueryInformation ENDP NtAlpcQueryInformationMessage PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcQueryInformationMessage_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcQueryInformationMessage_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcQueryInformationMessage_Check_10_0_XXXX jmp NtAlpcQueryInformationMessage_SystemCall_Unknown NtAlpcQueryInformationMessage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcQueryInformationMessage_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcQueryInformationMessage_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcQueryInformationMessage_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcQueryInformationMessage_SystemCall_6_3_XXXX jmp NtAlpcQueryInformationMessage_SystemCall_Unknown NtAlpcQueryInformationMessage_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtAlpcQueryInformationMessage_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcQueryInformationMessage_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcQueryInformationMessage_SystemCall_6_0_6002 jmp NtAlpcQueryInformationMessage_SystemCall_Unknown NtAlpcQueryInformationMessage_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcQueryInformationMessage_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcQueryInformationMessage_SystemCall_6_1_7601 jmp NtAlpcQueryInformationMessage_SystemCall_Unknown NtAlpcQueryInformationMessage_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtAlpcQueryInformationMessage_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcQueryInformationMessage_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcQueryInformationMessage_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcQueryInformationMessage_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcQueryInformationMessage_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcQueryInformationMessage_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcQueryInformationMessage_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcQueryInformationMessage_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcQueryInformationMessage_SystemCall_10_0_18363 jmp NtAlpcQueryInformationMessage_SystemCall_Unknown NtAlpcQueryInformationMessage_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0080h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0080h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0080h jmp NtAlpcQueryInformationMessage_Epilogue 
NtAlpcQueryInformationMessage_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0080h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0080h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0085h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0085h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0086h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0086h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0086h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0087h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0087h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0088h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0088h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0088h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0088h jmp NtAlpcQueryInformationMessage_Epilogue NtAlpcQueryInformationMessage_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtAlpcQueryInformationMessage_Epilogue: mov r10, rcx syscall ret NtAlpcQueryInformationMessage ENDP NtAlpcRevokeSecurityContext PROC mov rax, gs:[60h] ; Load PEB into RAX. NtAlpcRevokeSecurityContext_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtAlpcRevokeSecurityContext_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtAlpcRevokeSecurityContext_Check_10_0_XXXX jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown NtAlpcRevokeSecurityContext_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtAlpcRevokeSecurityContext_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtAlpcRevokeSecurityContext_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcRevokeSecurityContext_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtAlpcRevokeSecurityContext_SystemCall_6_3_XXXX jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown NtAlpcRevokeSecurityContext_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtAlpcRevokeSecurityContext_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtAlpcRevokeSecurityContext_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtAlpcRevokeSecurityContext_SystemCall_6_0_6002 jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown NtAlpcRevokeSecurityContext_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtAlpcRevokeSecurityContext_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtAlpcRevokeSecurityContext_SystemCall_6_1_7601 jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown NtAlpcRevokeSecurityContext_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtAlpcRevokeSecurityContext_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtAlpcRevokeSecurityContext_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtAlpcRevokeSecurityContext_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtAlpcRevokeSecurityContext_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtAlpcRevokeSecurityContext_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtAlpcRevokeSecurityContext_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtAlpcRevokeSecurityContext_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtAlpcRevokeSecurityContext_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtAlpcRevokeSecurityContext_SystemCall_10_0_18363 jmp NtAlpcRevokeSecurityContext_SystemCall_Unknown NtAlpcRevokeSecurityContext_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0081h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0081h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0081h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0081h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0081h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0086h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0086h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0087h jmp NtAlpcRevokeSecurityContext_Epilogue NtAlpcRevokeSecurityContext_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0087h jmp 
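NtAlpcRevokeSecurityContext_Epilogue
; NTSTATUS returned by every *_SystemCall_Unknown path (0xC0000002). The
; stubs used to `ret` with rax still holding the PEB pointer, which a caller
; testing NT_SUCCESS would mistake for a successful syscall.
STATUS_NOT_IMPLEMENTED EQU 0C0000002h
NtAlpcRevokeSecurityContext_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 0087h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 0088h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 0088h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0089h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0089h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0089h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0089h
        jmp     NtAlpcRevokeSecurityContext_Epilogue
NtAlpcRevokeSecurityContext_SystemCall_Unknown:         ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtAlpcRevokeSecurityContext_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtAlpcRevokeSecurityContext ENDP

;=======================================================================
; Direct system-call stubs (Microsoft x64 ABI, MASM).
;
; Every stub below has the same shape:
;   1. rax = PEB (gs:[60h]).
;   2. Compare PEB.OSMajorVersion (+118h), PEB.OSMinorVersion (+11ch) and
;      PEB.OSBuildNumber (+120h) against the builds the stub knows, and
;      load eax with the syscall number that build of ntdll uses.
;   3. r10 = rcx; syscall; ret.
; Arguments are passed through exactly as the caller placed them
; (rcx, rdx, r8, r9, then the stack), so each stub has the same C
; signature as the ntdll export of the same name. Only rax, r10 and
; flags are written before the syscall; syscall itself clobbers rcx
; and r11.
;
; A build that is not listed in a stub's table (including anything newer
; than 18363) takes the *_SystemCall_Unknown path and returns
; STATUS_NOT_IMPLEMENTED rather than issuing a syscall with an unverified
; number.
;
; Fix relative to the generated original: the minor-version test for
; Windows 8.1 compared against 2 twice, so the *_SystemCall_6_3_XXXX leaf
; was unreachable and 6.3 fell through to the Unknown path. It now
; compares against 3.
;=======================================================================

;-----------------------------------------------------------------------
; NtAlpcSendWaitReceivePort -- supports 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
;-----------------------------------------------------------------------
NtAlpcSendWaitReceivePort PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtAlpcSendWaitReceivePort_Check_X_X_XXXX:       ; major version
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcSendWaitReceivePort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcSendWaitReceivePort_Check_10_0_XXXX
        jmp     NtAlpcSendWaitReceivePort_SystemCall_Unknown
NtAlpcSendWaitReceivePort_Check_6_X_XXXX:       ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcSendWaitReceivePort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcSendWaitReceivePort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcSendWaitReceivePort_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtAlpcSendWaitReceivePort_SystemCall_6_3_XXXX
        jmp     NtAlpcSendWaitReceivePort_SystemCall_Unknown
NtAlpcSendWaitReceivePort_Check_6_0_XXXX:       ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcSendWaitReceivePort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcSendWaitReceivePort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcSendWaitReceivePort_SystemCall_6_0_6002
        jmp     NtAlpcSendWaitReceivePort_SystemCall_Unknown
NtAlpcSendWaitReceivePort_Check_6_1_XXXX:       ; build number for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcSendWaitReceivePort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcSendWaitReceivePort_SystemCall_6_1_7601
        jmp     NtAlpcSendWaitReceivePort_SystemCall_Unknown
NtAlpcSendWaitReceivePort_Check_10_0_XXXX:      ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcSendWaitReceivePort_SystemCall_10_0_18363
        jmp     NtAlpcSendWaitReceivePort_SystemCall_Unknown
NtAlpcSendWaitReceivePort_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 0082h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0082h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0082h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_6_1_7600:  ; Windows 7 SP0
        mov     eax, 0082h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_6_1_7601:  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0082h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 0087h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 0087h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0088h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0088h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0088h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0089h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0089h
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 008ah
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 008ah
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 008ah
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 008ah
        jmp     NtAlpcSendWaitReceivePort_Epilogue
NtAlpcSendWaitReceivePort_SystemCall_Unknown:   ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtAlpcSendWaitReceivePort_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtAlpcSendWaitReceivePort ENDP

;-----------------------------------------------------------------------
; NtAlpcSetInformation -- supports 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
;-----------------------------------------------------------------------
NtAlpcSetInformation PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtAlpcSetInformation_Check_X_X_XXXX:            ; major version
        cmp     dword ptr [rax+118h], 6
        je      NtAlpcSetInformation_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAlpcSetInformation_Check_10_0_XXXX
        jmp     NtAlpcSetInformation_SystemCall_Unknown
NtAlpcSetInformation_Check_6_X_XXXX:            ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtAlpcSetInformation_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAlpcSetInformation_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAlpcSetInformation_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtAlpcSetInformation_SystemCall_6_3_XXXX
        jmp     NtAlpcSetInformation_SystemCall_Unknown
NtAlpcSetInformation_Check_6_0_XXXX:            ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtAlpcSetInformation_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAlpcSetInformation_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAlpcSetInformation_SystemCall_6_0_6002
        jmp     NtAlpcSetInformation_SystemCall_Unknown
NtAlpcSetInformation_Check_6_1_XXXX:            ; build number for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtAlpcSetInformation_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAlpcSetInformation_SystemCall_6_1_7601
        jmp     NtAlpcSetInformation_SystemCall_Unknown
NtAlpcSetInformation_Check_10_0_XXXX:           ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtAlpcSetInformation_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAlpcSetInformation_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAlpcSetInformation_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAlpcSetInformation_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAlpcSetInformation_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAlpcSetInformation_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAlpcSetInformation_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAlpcSetInformation_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAlpcSetInformation_SystemCall_10_0_18363
        jmp     NtAlpcSetInformation_SystemCall_Unknown
NtAlpcSetInformation_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 0083h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0083h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0083h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 0083h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0083h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 0088h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 0088h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 0089h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 0089h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 0089h
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 008ah
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 008ah
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 008bh
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 008bh
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 008bh
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 008bh
        jmp     NtAlpcSetInformation_Epilogue
NtAlpcSetInformation_SystemCall_Unknown:        ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtAlpcSetInformation_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtAlpcSetInformation ENDP

;-----------------------------------------------------------------------
; NtApphelpCacheControl -- supports 5.x, 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
;-----------------------------------------------------------------------
NtApphelpCacheControl PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtApphelpCacheControl_Check_X_X_XXXX:           ; major version
        cmp     dword ptr [rax+118h], 5
        je      NtApphelpCacheControl_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtApphelpCacheControl_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtApphelpCacheControl_Check_10_0_XXXX
        jmp     NtApphelpCacheControl_SystemCall_Unknown
NtApphelpCacheControl_Check_6_X_XXXX:           ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtApphelpCacheControl_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtApphelpCacheControl_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtApphelpCacheControl_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtApphelpCacheControl_SystemCall_6_3_XXXX
        jmp     NtApphelpCacheControl_SystemCall_Unknown
NtApphelpCacheControl_Check_6_0_XXXX:           ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtApphelpCacheControl_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtApphelpCacheControl_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtApphelpCacheControl_SystemCall_6_0_6002
        jmp     NtApphelpCacheControl_SystemCall_Unknown
NtApphelpCacheControl_Check_6_1_XXXX:           ; build number for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtApphelpCacheControl_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtApphelpCacheControl_SystemCall_6_1_7601
        jmp     NtApphelpCacheControl_SystemCall_Unknown
NtApphelpCacheControl_Check_10_0_XXXX:          ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtApphelpCacheControl_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtApphelpCacheControl_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtApphelpCacheControl_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtApphelpCacheControl_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtApphelpCacheControl_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtApphelpCacheControl_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtApphelpCacheControl_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtApphelpCacheControl_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtApphelpCacheControl_SystemCall_10_0_18363
        jmp     NtApphelpCacheControl_SystemCall_Unknown
NtApphelpCacheControl_SystemCall_5_X_XXXX:      ; Windows XP and Server 2003
        mov     eax, 0049h
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_0_6000:      ; Windows Vista SP0
        mov     eax, 0049h
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0049h
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0049h
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_1_7600:      ; Windows 7 SP0
        mov     eax, 0049h
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0049h
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
        mov     eax, 004ah
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
        mov     eax, 004bh
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
        mov     eax, 004ch
        jmp     NtApphelpCacheControl_Epilogue
NtApphelpCacheControl_SystemCall_Unknown:       ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtApphelpCacheControl_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtApphelpCacheControl ENDP

;-----------------------------------------------------------------------
; NtAreMappedFilesTheSame -- supports 5.x, 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
;-----------------------------------------------------------------------
NtAreMappedFilesTheSame PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtAreMappedFilesTheSame_Check_X_X_XXXX:         ; major version
        cmp     dword ptr [rax+118h], 5
        je      NtAreMappedFilesTheSame_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAreMappedFilesTheSame_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAreMappedFilesTheSame_Check_10_0_XXXX
        jmp     NtAreMappedFilesTheSame_SystemCall_Unknown
NtAreMappedFilesTheSame_Check_6_X_XXXX:         ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtAreMappedFilesTheSame_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAreMappedFilesTheSame_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAreMappedFilesTheSame_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtAreMappedFilesTheSame_SystemCall_6_3_XXXX
        jmp     NtAreMappedFilesTheSame_SystemCall_Unknown
NtAreMappedFilesTheSame_Check_6_0_XXXX:         ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtAreMappedFilesTheSame_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAreMappedFilesTheSame_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAreMappedFilesTheSame_SystemCall_6_0_6002
        jmp     NtAreMappedFilesTheSame_SystemCall_Unknown
NtAreMappedFilesTheSame_Check_6_1_XXXX:         ; build number for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtAreMappedFilesTheSame_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAreMappedFilesTheSame_SystemCall_6_1_7601
        jmp     NtAreMappedFilesTheSame_SystemCall_Unknown
NtAreMappedFilesTheSame_Check_10_0_XXXX:        ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtAreMappedFilesTheSame_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAreMappedFilesTheSame_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAreMappedFilesTheSame_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAreMappedFilesTheSame_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAreMappedFilesTheSame_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAreMappedFilesTheSame_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAreMappedFilesTheSame_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAreMappedFilesTheSame_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAreMappedFilesTheSame_SystemCall_10_0_18363
        jmp     NtAreMappedFilesTheSame_SystemCall_Unknown
NtAreMappedFilesTheSame_SystemCall_5_X_XXXX:    ; Windows XP and Server 2003
        mov     eax, 006eh
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_0_6000:    ; Windows Vista SP0
        mov     eax, 0084h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_0_6001:    ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0084h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_0_6002:    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0084h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_1_7600:    ; Windows 7 SP0
        mov     eax, 0084h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_1_7601:    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0084h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_2_XXXX:    ; Windows 8 and Server 2012
        mov     eax, 0089h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_6_3_XXXX:    ; Windows 8.1 and Server 2012 R2
        mov     eax, 0089h
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_10240:  ; Windows 10.0.10240 (1507)
        mov     eax, 008ah
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_10586:  ; Windows 10.0.10586 (1511)
        mov     eax, 008ah
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_14393:  ; Windows 10.0.14393 (1607)
        mov     eax, 008ah
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_15063:  ; Windows 10.0.15063 (1703)
        mov     eax, 008bh
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_16299:  ; Windows 10.0.16299 (1709)
        mov     eax, 008bh
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_17134:  ; Windows 10.0.17134 (1803)
        mov     eax, 008ch
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_17763:  ; Windows 10.0.17763 (1809)
        mov     eax, 008ch
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_18362:  ; Windows 10.0.18362 (1903)
        mov     eax, 008ch
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_10_0_18363:  ; Windows 10.0.18363 (1909)
        mov     eax, 008ch
        jmp     NtAreMappedFilesTheSame_Epilogue
NtAreMappedFilesTheSame_SystemCall_Unknown:     ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtAreMappedFilesTheSame_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtAreMappedFilesTheSame ENDP

;-----------------------------------------------------------------------
; NtAssignProcessToJobObject -- supports 5.x, 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
;-----------------------------------------------------------------------
NtAssignProcessToJobObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtAssignProcessToJobObject_Check_X_X_XXXX:      ; major version
        cmp     dword ptr [rax+118h], 5
        je      NtAssignProcessToJobObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtAssignProcessToJobObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAssignProcessToJobObject_Check_10_0_XXXX
        jmp     NtAssignProcessToJobObject_SystemCall_Unknown
NtAssignProcessToJobObject_Check_6_X_XXXX:      ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtAssignProcessToJobObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtAssignProcessToJobObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtAssignProcessToJobObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtAssignProcessToJobObject_SystemCall_6_3_XXXX
        jmp     NtAssignProcessToJobObject_SystemCall_Unknown
NtAssignProcessToJobObject_Check_6_0_XXXX:      ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtAssignProcessToJobObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtAssignProcessToJobObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtAssignProcessToJobObject_SystemCall_6_0_6002
        jmp     NtAssignProcessToJobObject_SystemCall_Unknown
NtAssignProcessToJobObject_Check_6_1_XXXX:      ; build number for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtAssignProcessToJobObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtAssignProcessToJobObject_SystemCall_6_1_7601
        jmp     NtAssignProcessToJobObject_SystemCall_Unknown
NtAssignProcessToJobObject_Check_10_0_XXXX:     ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtAssignProcessToJobObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAssignProcessToJobObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAssignProcessToJobObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAssignProcessToJobObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAssignProcessToJobObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAssignProcessToJobObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAssignProcessToJobObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAssignProcessToJobObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAssignProcessToJobObject_SystemCall_10_0_18363
        jmp     NtAssignProcessToJobObject_SystemCall_Unknown
NtAssignProcessToJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 006fh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0085h
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0085h
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0085h
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0085h
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0085h
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 008ah
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 008ah
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 008bh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 008bh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 008bh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 008ch
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 008ch
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 008dh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 008dh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 008dh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 008dh
        jmp     NtAssignProcessToJobObject_Epilogue
NtAssignProcessToJobObject_SystemCall_Unknown:  ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtAssignProcessToJobObject_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtAssignProcessToJobObject ENDP

;-----------------------------------------------------------------------
; NtAssociateWaitCompletionPacket -- supports 6.2, 6.3, 10.0 (10240-18363).
; No 6.0/6.1 entries: the service does not exist before Windows 8.
;-----------------------------------------------------------------------
NtAssociateWaitCompletionPacket PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtAssociateWaitCompletionPacket_Check_X_X_XXXX: ; major version
        cmp     dword ptr [rax+118h], 6
        je      NtAssociateWaitCompletionPacket_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtAssociateWaitCompletionPacket_Check_10_0_XXXX
        jmp     NtAssociateWaitCompletionPacket_SystemCall_Unknown
NtAssociateWaitCompletionPacket_Check_6_X_XXXX: ; minor version: 8/8.1 only
        cmp     dword ptr [rax+11ch], 2
        je      NtAssociateWaitCompletionPacket_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtAssociateWaitCompletionPacket_SystemCall_6_3_XXXX
        jmp     NtAssociateWaitCompletionPacket_SystemCall_Unknown
NtAssociateWaitCompletionPacket_Check_10_0_XXXX: ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtAssociateWaitCompletionPacket_SystemCall_10_0_18363
        jmp     NtAssociateWaitCompletionPacket_SystemCall_Unknown
NtAssociateWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 008bh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 008bh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 008ch
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 008ch
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 008ch
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 008dh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 008dh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 008eh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 008eh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 008eh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 008eh
        jmp     NtAssociateWaitCompletionPacket_Epilogue
NtAssociateWaitCompletionPacket_SystemCall_Unknown: ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtAssociateWaitCompletionPacket_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtAssociateWaitCompletionPacket ENDP

;-----------------------------------------------------------------------
; NtCallEnclave -- supports 10.0 builds 16299-18363 only; no entries for
; earlier builds or major versions.
;-----------------------------------------------------------------------
NtCallEnclave PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCallEnclave_Check_X_X_XXXX:                   ; major version
        cmp     dword ptr [rax+118h], 10
        je      NtCallEnclave_Check_10_0_XXXX
        jmp     NtCallEnclave_SystemCall_Unknown
NtCallEnclave_Check_10_0_XXXX:                  ; build number for Windows 10
        cmp     dword ptr [rax+120h], 16299
        je      NtCallEnclave_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCallEnclave_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCallEnclave_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCallEnclave_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCallEnclave_SystemCall_10_0_18363
        jmp     NtCallEnclave_SystemCall_Unknown
NtCallEnclave_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
        mov     eax, 008eh
        jmp     NtCallEnclave_Epilogue
NtCallEnclave_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
        mov     eax, 008fh
        jmp     NtCallEnclave_Epilogue
NtCallEnclave_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
        mov     eax, 008fh
        jmp     NtCallEnclave_Epilogue
NtCallEnclave_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
        mov     eax, 008fh
        jmp     NtCallEnclave_Epilogue
NtCallEnclave_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
        mov     eax, 008fh
        jmp     NtCallEnclave_Epilogue
NtCallEnclave_SystemCall_Unknown:               ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtCallEnclave_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtCallEnclave ENDP

;-----------------------------------------------------------------------
; NtCallbackReturn -- supports 5.x, 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
;-----------------------------------------------------------------------
NtCallbackReturn PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCallbackReturn_Check_X_X_XXXX:                ; major version
        cmp     dword ptr [rax+118h], 5
        je      NtCallbackReturn_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCallbackReturn_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCallbackReturn_Check_10_0_XXXX
        jmp     NtCallbackReturn_SystemCall_Unknown
NtCallbackReturn_Check_6_X_XXXX:                ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCallbackReturn_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCallbackReturn_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCallbackReturn_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtCallbackReturn_SystemCall_6_3_XXXX
        jmp     NtCallbackReturn_SystemCall_Unknown
NtCallbackReturn_Check_6_0_XXXX:                ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCallbackReturn_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCallbackReturn_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCallbackReturn_SystemCall_6_0_6002
        jmp     NtCallbackReturn_SystemCall_Unknown
NtCallbackReturn_Check_6_1_XXXX:                ; build number for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCallbackReturn_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCallbackReturn_SystemCall_6_1_7601
        jmp     NtCallbackReturn_SystemCall_Unknown
NtCallbackReturn_Check_10_0_XXXX:               ; build number for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCallbackReturn_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCallbackReturn_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCallbackReturn_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCallbackReturn_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCallbackReturn_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCallbackReturn_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCallbackReturn_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCallbackReturn_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCallbackReturn_SystemCall_10_0_18363
        jmp     NtCallbackReturn_SystemCall_Unknown
NtCallbackReturn_SystemCall_5_X_XXXX:           ; Windows XP and Server 2003
        mov     eax, 0002h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_0_6000:           ; Windows Vista SP0
        mov     eax, 0002h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_0_6001:           ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0002h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_0_6002:           ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0002h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_1_7600:           ; Windows 7 SP0
        mov     eax, 0002h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_1_7601:           ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0002h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_2_XXXX:           ; Windows 8 and Server 2012
        mov     eax, 0003h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_6_3_XXXX:           ; Windows 8.1 and Server 2012 R2
        mov     eax, 0004h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_10240:         ; Windows 10.0.10240 (1507)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
        mov     eax, 0005h
        jmp     NtCallbackReturn_Epilogue
NtCallbackReturn_SystemCall_Unknown:            ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtCallbackReturn_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtCallbackReturn ENDP

;-----------------------------------------------------------------------
; NtCancelDeviceWakeupRequest -- supports 5.x and 6.0 only; every later
; version takes the Unknown path.
;-----------------------------------------------------------------------
NtCancelDeviceWakeupRequest PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCancelDeviceWakeupRequest_Check_X_X_XXXX:     ; major version
        cmp     dword ptr [rax+118h], 5
        je      NtCancelDeviceWakeupRequest_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCancelDeviceWakeupRequest_Check_6_X_XXXX
        jmp     NtCancelDeviceWakeupRequest_SystemCall_Unknown
NtCancelDeviceWakeupRequest_Check_6_X_XXXX:     ; minor version: Vista only
        cmp     dword ptr [rax+11ch], 0
        je      NtCancelDeviceWakeupRequest_Check_6_0_XXXX
        jmp     NtCancelDeviceWakeupRequest_SystemCall_Unknown
NtCancelDeviceWakeupRequest_Check_6_0_XXXX:     ; build number for Windows Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCancelDeviceWakeupRequest_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCancelDeviceWakeupRequest_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCancelDeviceWakeupRequest_SystemCall_6_0_6002
        jmp     NtCancelDeviceWakeupRequest_SystemCall_Unknown
NtCancelDeviceWakeupRequest_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 0070h
        jmp     NtCancelDeviceWakeupRequest_Epilogue
NtCancelDeviceWakeupRequest_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0086h
        jmp     NtCancelDeviceWakeupRequest_Epilogue
NtCancelDeviceWakeupRequest_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0086h
        jmp     NtCancelDeviceWakeupRequest_Epilogue
NtCancelDeviceWakeupRequest_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0086h
        jmp     NtCancelDeviceWakeupRequest_Epilogue
NtCancelDeviceWakeupRequest_SystemCall_Unknown: ; build not in the table
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtCancelDeviceWakeupRequest_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; kernel reads arg1 from r10
        syscall
        ret
NtCancelDeviceWakeupRequest ENDP

;-----------------------------------------------------------------------
; NtCancelIoFile -- supports 5.x, 6.0, 6.1, 6.2, 6.3, 10.0 (10240-18363).
; Only the major-version dispatch is here; the rest of the body follows.
;-----------------------------------------------------------------------
NtCancelIoFile PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCancelIoFile_Check_X_X_XXXX:                  ; major version
        cmp     dword ptr [rax+118h], 5
        je      NtCancelIoFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCancelIoFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCancelIoFile_Check_10_0_XXXX
        jmp     NtCancelIoFile_SystemCall_Unknown
NtCancelIoFile_Check_6_X_XXXX:                  ; minor version for Windows Vista/7/8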
cmp dword ptr [rax+11ch], 0 je NtCancelIoFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCancelIoFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelIoFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelIoFile_SystemCall_6_3_XXXX jmp NtCancelIoFile_SystemCall_Unknown NtCancelIoFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCancelIoFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCancelIoFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCancelIoFile_SystemCall_6_0_6002 jmp NtCancelIoFile_SystemCall_Unknown NtCancelIoFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCancelIoFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCancelIoFile_SystemCall_6_1_7601 jmp NtCancelIoFile_SystemCall_Unknown NtCancelIoFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCancelIoFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCancelIoFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCancelIoFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCancelIoFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCancelIoFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCancelIoFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCancelIoFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCancelIoFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCancelIoFile_SystemCall_10_0_18363 jmp NtCancelIoFile_SystemCall_Unknown NtCancelIoFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 005ah jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 005ah jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 005ah jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 
2008 SP2 mov eax, 005ah jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 005ah jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 005ah jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 005bh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 005ch jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 005dh jmp NtCancelIoFile_Epilogue NtCancelIoFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCancelIoFile_Epilogue: mov r10, rcx syscall ret NtCancelIoFile ENDP NtCancelIoFileEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCancelIoFileEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCancelIoFileEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCancelIoFileEx_Check_10_0_XXXX jmp NtCancelIoFileEx_SystemCall_Unknown NtCancelIoFileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtCancelIoFileEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCancelIoFileEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelIoFileEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelIoFileEx_SystemCall_6_3_XXXX jmp NtCancelIoFileEx_SystemCall_Unknown NtCancelIoFileEx_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCancelIoFileEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCancelIoFileEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCancelIoFileEx_SystemCall_6_0_6002 jmp NtCancelIoFileEx_SystemCall_Unknown NtCancelIoFileEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCancelIoFileEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCancelIoFileEx_SystemCall_6_1_7601 jmp NtCancelIoFileEx_SystemCall_Unknown NtCancelIoFileEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCancelIoFileEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCancelIoFileEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCancelIoFileEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCancelIoFileEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCancelIoFileEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCancelIoFileEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCancelIoFileEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCancelIoFileEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCancelIoFileEx_SystemCall_10_0_18363 jmp NtCancelIoFileEx_SystemCall_Unknown NtCancelIoFileEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0087h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0087h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0087h jmp 
NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0086h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0086h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 008ch jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 008ch jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 008dh jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 008dh jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 008dh jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 008eh jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 008fh jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0090h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0090h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0090h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0090h jmp NtCancelIoFileEx_Epilogue NtCancelIoFileEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCancelIoFileEx_Epilogue: mov r10, rcx syscall ret NtCancelIoFileEx ENDP NtCancelSynchronousIoFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCancelSynchronousIoFile_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtCancelSynchronousIoFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCancelSynchronousIoFile_Check_10_0_XXXX jmp NtCancelSynchronousIoFile_SystemCall_Unknown NtCancelSynchronousIoFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCancelSynchronousIoFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCancelSynchronousIoFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelSynchronousIoFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelSynchronousIoFile_SystemCall_6_3_XXXX jmp NtCancelSynchronousIoFile_SystemCall_Unknown NtCancelSynchronousIoFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCancelSynchronousIoFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCancelSynchronousIoFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCancelSynchronousIoFile_SystemCall_6_0_6002 jmp NtCancelSynchronousIoFile_SystemCall_Unknown NtCancelSynchronousIoFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCancelSynchronousIoFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCancelSynchronousIoFile_SystemCall_6_1_7601 jmp NtCancelSynchronousIoFile_SystemCall_Unknown NtCancelSynchronousIoFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCancelSynchronousIoFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCancelSynchronousIoFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCancelSynchronousIoFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCancelSynchronousIoFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCancelSynchronousIoFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCancelSynchronousIoFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCancelSynchronousIoFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCancelSynchronousIoFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCancelSynchronousIoFile_SystemCall_10_0_18363 jmp NtCancelSynchronousIoFile_SystemCall_Unknown NtCancelSynchronousIoFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0088h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0088h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0088h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0087h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0087h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 008dh jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 008dh jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 008eh jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 008eh jmp NtCancelSynchronousIoFile_Epilogue 
NtCancelSynchronousIoFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 008eh jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 008fh jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0090h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0091h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0091h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0091h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0091h jmp NtCancelSynchronousIoFile_Epilogue NtCancelSynchronousIoFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCancelSynchronousIoFile_Epilogue: mov r10, rcx syscall ret NtCancelSynchronousIoFile ENDP NtCancelTimer PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCancelTimer_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCancelTimer_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCancelTimer_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCancelTimer_Check_10_0_XXXX jmp NtCancelTimer_SystemCall_Unknown NtCancelTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCancelTimer_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCancelTimer_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelTimer_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelTimer_SystemCall_6_3_XXXX jmp NtCancelTimer_SystemCall_Unknown NtCancelTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtCancelTimer_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCancelTimer_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCancelTimer_SystemCall_6_0_6002 jmp NtCancelTimer_SystemCall_Unknown NtCancelTimer_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCancelTimer_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCancelTimer_SystemCall_6_1_7601 jmp NtCancelTimer_SystemCall_Unknown NtCancelTimer_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCancelTimer_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCancelTimer_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCancelTimer_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCancelTimer_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCancelTimer_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCancelTimer_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCancelTimer_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCancelTimer_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCancelTimer_SystemCall_10_0_18363 jmp NtCancelTimer_SystemCall_Unknown NtCancelTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 005eh jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 005eh jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 005eh jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 005eh jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 005eh jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 005eh jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 005fh jmp NtCancelTimer_Epilogue 
NtCancelTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0060h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0061h jmp NtCancelTimer_Epilogue NtCancelTimer_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCancelTimer_Epilogue: mov r10, rcx syscall ret NtCancelTimer ENDP NtCancelTimer2 PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCancelTimer2_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCancelTimer2_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCancelTimer2_Check_10_0_XXXX jmp NtCancelTimer2_SystemCall_Unknown NtCancelTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtCancelTimer2_SystemCall_6_3_XXXX jmp NtCancelTimer2_SystemCall_Unknown NtCancelTimer2_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCancelTimer2_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCancelTimer2_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCancelTimer2_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCancelTimer2_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCancelTimer2_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCancelTimer2_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCancelTimer2_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCancelTimer2_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCancelTimer2_SystemCall_10_0_18363 jmp NtCancelTimer2_SystemCall_Unknown NtCancelTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 008eh jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 008fh jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 008fh jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 008fh jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0090h jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0091h jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0092h jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0092h jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0092h jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0092h jmp NtCancelTimer2_Epilogue NtCancelTimer2_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCancelTimer2_Epilogue: mov r10, rcx syscall ret NtCancelTimer2 ENDP NtCancelWaitCompletionPacket PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtCancelWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCancelWaitCompletionPacket_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCancelWaitCompletionPacket_Check_10_0_XXXX jmp NtCancelWaitCompletionPacket_SystemCall_Unknown NtCancelWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtCancelWaitCompletionPacket_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCancelWaitCompletionPacket_SystemCall_6_3_XXXX jmp NtCancelWaitCompletionPacket_SystemCall_Unknown NtCancelWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCancelWaitCompletionPacket_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCancelWaitCompletionPacket_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCancelWaitCompletionPacket_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCancelWaitCompletionPacket_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCancelWaitCompletionPacket_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCancelWaitCompletionPacket_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCancelWaitCompletionPacket_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCancelWaitCompletionPacket_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCancelWaitCompletionPacket_SystemCall_10_0_18363 jmp NtCancelWaitCompletionPacket_SystemCall_Unknown NtCancelWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 008eh jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 008fh jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0090h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0090h jmp 
NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0090h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0091h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0092h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0093h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0093h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0093h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0093h jmp NtCancelWaitCompletionPacket_Epilogue NtCancelWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCancelWaitCompletionPacket_Epilogue: mov r10, rcx syscall ret NtCancelWaitCompletionPacket ENDP NtClearAllSavepointsTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtClearAllSavepointsTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtClearAllSavepointsTransaction_Check_6_X_XXXX jmp NtClearAllSavepointsTransaction_SystemCall_Unknown NtClearAllSavepointsTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtClearAllSavepointsTransaction_Check_6_0_XXXX jmp NtClearAllSavepointsTransaction_SystemCall_Unknown NtClearAllSavepointsTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtClearAllSavepointsTransaction_SystemCall_6_0_6000 jmp NtClearAllSavepointsTransaction_SystemCall_Unknown NtClearAllSavepointsTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0089h jmp NtClearAllSavepointsTransaction_Epilogue NtClearAllSavepointsTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtClearAllSavepointsTransaction_Epilogue: mov r10, rcx syscall ret NtClearAllSavepointsTransaction ENDP NtClearEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtClearEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtClearEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtClearEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtClearEvent_Check_10_0_XXXX jmp NtClearEvent_SystemCall_Unknown NtClearEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtClearEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtClearEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtClearEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtClearEvent_SystemCall_6_3_XXXX jmp NtClearEvent_SystemCall_Unknown NtClearEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtClearEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtClearEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtClearEvent_SystemCall_6_0_6002 jmp NtClearEvent_SystemCall_Unknown NtClearEvent_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtClearEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtClearEvent_SystemCall_6_1_7601 jmp NtClearEvent_SystemCall_Unknown NtClearEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtClearEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtClearEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtClearEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtClearEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtClearEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtClearEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtClearEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtClearEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtClearEvent_SystemCall_10_0_18363 jmp NtClearEvent_SystemCall_Unknown NtClearEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 003bh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 003bh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 003bh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 003bh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 003bh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 003bh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 003ch jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 003dh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov 
eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 003eh jmp NtClearEvent_Epilogue NtClearEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtClearEvent_Epilogue: mov r10, rcx syscall ret NtClearEvent ENDP NtClearSavepointTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtClearSavepointTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtClearSavepointTransaction_Check_6_X_XXXX jmp NtClearSavepointTransaction_SystemCall_Unknown NtClearSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtClearSavepointTransaction_Check_6_0_XXXX jmp NtClearSavepointTransaction_SystemCall_Unknown NtClearSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtClearSavepointTransaction_SystemCall_6_0_6000 jmp NtClearSavepointTransaction_SystemCall_Unknown NtClearSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 008ah jmp NtClearSavepointTransaction_Epilogue NtClearSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtClearSavepointTransaction_Epilogue: mov r10, rcx syscall ret NtClearSavepointTransaction ENDP NtClose PROC mov rax, gs:[60h] ; Load PEB into RAX. NtClose_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtClose_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtClose_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtClose_Check_10_0_XXXX jmp NtClose_SystemCall_Unknown NtClose_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtClose_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtClose_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtClose_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtClose_SystemCall_6_3_XXXX jmp NtClose_SystemCall_Unknown NtClose_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtClose_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtClose_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtClose_SystemCall_6_0_6002 jmp NtClose_SystemCall_Unknown NtClose_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtClose_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtClose_SystemCall_6_1_7601 jmp NtClose_SystemCall_Unknown NtClose_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtClose_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtClose_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtClose_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtClose_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtClose_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtClose_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtClose_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtClose_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtClose_SystemCall_10_0_18363 jmp NtClose_SystemCall_Unknown NtClose_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 000ch jmp NtClose_Epilogue NtClose_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 000ch jmp NtClose_Epilogue NtClose_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 000ch jmp NtClose_Epilogue NtClose_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 000ch jmp NtClose_Epilogue NtClose_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 000ch jmp NtClose_Epilogue NtClose_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 000ch jmp 
NtClose_Epilogue NtClose_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 000dh jmp NtClose_Epilogue NtClose_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 000eh jmp NtClose_Epilogue NtClose_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 000fh jmp NtClose_Epilogue NtClose_SystemCall_Unknown: ; Unknown/unsupported version. ret NtClose_Epilogue: mov r10, rcx syscall ret NtClose ENDP NtCloseObjectAuditAlarm PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCloseObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCloseObjectAuditAlarm_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCloseObjectAuditAlarm_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCloseObjectAuditAlarm_Check_10_0_XXXX jmp NtCloseObjectAuditAlarm_SystemCall_Unknown NtCloseObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtCloseObjectAuditAlarm_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCloseObjectAuditAlarm_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCloseObjectAuditAlarm_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCloseObjectAuditAlarm_SystemCall_6_3_XXXX jmp NtCloseObjectAuditAlarm_SystemCall_Unknown NtCloseObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCloseObjectAuditAlarm_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCloseObjectAuditAlarm_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCloseObjectAuditAlarm_SystemCall_6_0_6002 jmp NtCloseObjectAuditAlarm_SystemCall_Unknown NtCloseObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCloseObjectAuditAlarm_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCloseObjectAuditAlarm_SystemCall_6_1_7601 jmp NtCloseObjectAuditAlarm_SystemCall_Unknown NtCloseObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCloseObjectAuditAlarm_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCloseObjectAuditAlarm_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCloseObjectAuditAlarm_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCloseObjectAuditAlarm_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCloseObjectAuditAlarm_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCloseObjectAuditAlarm_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCloseObjectAuditAlarm_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCloseObjectAuditAlarm_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCloseObjectAuditAlarm_SystemCall_10_0_18363 jmp NtCloseObjectAuditAlarm_SystemCall_Unknown NtCloseObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0038h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0038h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0038h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0038h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0038h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0038h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0039h jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 003ah jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 
mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 003bh jmp NtCloseObjectAuditAlarm_Epilogue NtCloseObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCloseObjectAuditAlarm_Epilogue: mov r10, rcx syscall ret NtCloseObjectAuditAlarm ENDP NtCommitComplete PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCommitComplete_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCommitComplete_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCommitComplete_Check_10_0_XXXX jmp NtCommitComplete_SystemCall_Unknown NtCommitComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCommitComplete_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCommitComplete_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCommitComplete_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCommitComplete_SystemCall_6_3_XXXX jmp NtCommitComplete_SystemCall_Unknown NtCommitComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtCommitComplete_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCommitComplete_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCommitComplete_SystemCall_6_0_6002 jmp NtCommitComplete_SystemCall_Unknown NtCommitComplete_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCommitComplete_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCommitComplete_SystemCall_6_1_7601 jmp NtCommitComplete_SystemCall_Unknown NtCommitComplete_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCommitComplete_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCommitComplete_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCommitComplete_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCommitComplete_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCommitComplete_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCommitComplete_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCommitComplete_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCommitComplete_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCommitComplete_SystemCall_10_0_18363 jmp NtCommitComplete_SystemCall_Unknown NtCommitComplete_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 008bh jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0089h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0089h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0088h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0088h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 008fh jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_6_3_XXXX: 
; Windows 8.1 and Server 2012 R2 mov eax, 0090h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0091h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0091h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0091h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0092h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0093h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0094h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0094h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0094h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0094h jmp NtCommitComplete_Epilogue NtCommitComplete_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCommitComplete_Epilogue: mov r10, rcx syscall ret NtCommitComplete ENDP NtCommitEnlistment PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCommitEnlistment_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCommitEnlistment_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCommitEnlistment_Check_10_0_XXXX jmp NtCommitEnlistment_SystemCall_Unknown NtCommitEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtCommitEnlistment_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCommitEnlistment_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCommitEnlistment_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCommitEnlistment_SystemCall_6_3_XXXX jmp NtCommitEnlistment_SystemCall_Unknown NtCommitEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCommitEnlistment_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCommitEnlistment_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCommitEnlistment_SystemCall_6_0_6002 jmp NtCommitEnlistment_SystemCall_Unknown NtCommitEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCommitEnlistment_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCommitEnlistment_SystemCall_6_1_7601 jmp NtCommitEnlistment_SystemCall_Unknown NtCommitEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCommitEnlistment_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCommitEnlistment_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCommitEnlistment_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCommitEnlistment_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCommitEnlistment_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCommitEnlistment_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCommitEnlistment_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCommitEnlistment_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCommitEnlistment_SystemCall_10_0_18363 jmp NtCommitEnlistment_SystemCall_Unknown NtCommitEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 008ch jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 008ah jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 
and Server 2008 SP2 mov eax, 008ah jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0089h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0089h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0090h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0091h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0092h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0092h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0092h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0093h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0094h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0095h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0095h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0095h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0095h jmp NtCommitEnlistment_Epilogue NtCommitEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCommitEnlistment_Epilogue: mov r10, rcx syscall ret NtCommitEnlistment ENDP NtCommitRegistryTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCommitRegistryTransaction_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 10 je NtCommitRegistryTransaction_Check_10_0_XXXX jmp NtCommitRegistryTransaction_SystemCall_Unknown NtCommitRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 14393 je NtCommitRegistryTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCommitRegistryTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCommitRegistryTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCommitRegistryTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCommitRegistryTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCommitRegistryTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCommitRegistryTransaction_SystemCall_10_0_18363 jmp NtCommitRegistryTransaction_SystemCall_Unknown NtCommitRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0093h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0094h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0095h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0096h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0096h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0096h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0096h jmp NtCommitRegistryTransaction_Epilogue NtCommitRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtCommitRegistryTransaction_Epilogue: mov r10, rcx syscall ret NtCommitRegistryTransaction ENDP NtCommitTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCommitTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCommitTransaction_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCommitTransaction_Check_10_0_XXXX jmp NtCommitTransaction_SystemCall_Unknown NtCommitTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCommitTransaction_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCommitTransaction_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCommitTransaction_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCommitTransaction_SystemCall_6_3_XXXX jmp NtCommitTransaction_SystemCall_Unknown NtCommitTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCommitTransaction_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCommitTransaction_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCommitTransaction_SystemCall_6_0_6002 jmp NtCommitTransaction_SystemCall_Unknown NtCommitTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCommitTransaction_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCommitTransaction_SystemCall_6_1_7601 jmp NtCommitTransaction_SystemCall_Unknown NtCommitTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCommitTransaction_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCommitTransaction_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCommitTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCommitTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCommitTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCommitTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCommitTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCommitTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCommitTransaction_SystemCall_10_0_18363 jmp NtCommitTransaction_SystemCall_Unknown NtCommitTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 008dh jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 008bh jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 008bh jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 008ah jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 008ah jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0091h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0092h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0093h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0093h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0094h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 
(1703) mov eax, 0095h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0096h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0097h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0097h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0097h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0097h jmp NtCommitTransaction_Epilogue NtCommitTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCommitTransaction_Epilogue: mov r10, rcx syscall ret NtCommitTransaction ENDP NtCompactKeys PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCompactKeys_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCompactKeys_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCompactKeys_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCompactKeys_Check_10_0_XXXX jmp NtCompactKeys_SystemCall_Unknown NtCompactKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCompactKeys_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCompactKeys_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCompactKeys_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCompactKeys_SystemCall_6_3_XXXX jmp NtCompactKeys_SystemCall_Unknown NtCompactKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCompactKeys_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCompactKeys_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCompactKeys_SystemCall_6_0_6002 jmp NtCompactKeys_SystemCall_Unknown NtCompactKeys_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtCompactKeys_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCompactKeys_SystemCall_6_1_7601 jmp NtCompactKeys_SystemCall_Unknown NtCompactKeys_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCompactKeys_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCompactKeys_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCompactKeys_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCompactKeys_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCompactKeys_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCompactKeys_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCompactKeys_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCompactKeys_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCompactKeys_SystemCall_10_0_18363 jmp NtCompactKeys_SystemCall_Unknown NtCompactKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0071h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 008eh jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 008ch jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 008ch jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 008bh jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 008bh jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0092h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0093h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0094h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0094h jmp NtCompactKeys_Epilogue 
NtCompactKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0095h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0096h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0097h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0098h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0098h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0098h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0098h jmp NtCompactKeys_Epilogue NtCompactKeys_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCompactKeys_Epilogue: mov r10, rcx syscall ret NtCompactKeys ENDP NtCompareObjects PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCompareObjects_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtCompareObjects_Check_10_0_XXXX jmp NtCompareObjects_SystemCall_Unknown NtCompareObjects_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCompareObjects_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCompareObjects_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCompareObjects_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCompareObjects_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCompareObjects_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCompareObjects_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCompareObjects_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCompareObjects_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCompareObjects_SystemCall_10_0_18363 jmp NtCompareObjects_SystemCall_Unknown NtCompareObjects_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0095h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0095h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0096h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0097h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0098h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0099h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0099h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0099h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0099h jmp NtCompareObjects_Epilogue NtCompareObjects_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCompareObjects_Epilogue: mov r10, rcx syscall ret NtCompareObjects ENDP NtCompareSigningLevels PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCompareSigningLevels_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 10 je NtCompareSigningLevels_Check_10_0_XXXX jmp NtCompareSigningLevels_SystemCall_Unknown NtCompareSigningLevels_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 15063 je NtCompareSigningLevels_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCompareSigningLevels_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCompareSigningLevels_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCompareSigningLevels_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCompareSigningLevels_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCompareSigningLevels_SystemCall_10_0_18363 jmp NtCompareSigningLevels_SystemCall_Unknown NtCompareSigningLevels_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0098h jmp NtCompareSigningLevels_Epilogue NtCompareSigningLevels_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0099h jmp NtCompareSigningLevels_Epilogue NtCompareSigningLevels_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 009ah jmp NtCompareSigningLevels_Epilogue NtCompareSigningLevels_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 009ah jmp NtCompareSigningLevels_Epilogue NtCompareSigningLevels_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 009ah jmp NtCompareSigningLevels_Epilogue NtCompareSigningLevels_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 009ah jmp NtCompareSigningLevels_Epilogue NtCompareSigningLevels_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCompareSigningLevels_Epilogue: mov r10, rcx syscall ret NtCompareSigningLevels ENDP NtCompareTokens PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCompareTokens_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtCompareTokens_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCompareTokens_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCompareTokens_Check_10_0_XXXX jmp NtCompareTokens_SystemCall_Unknown NtCompareTokens_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCompareTokens_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCompareTokens_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCompareTokens_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCompareTokens_SystemCall_6_3_XXXX jmp NtCompareTokens_SystemCall_Unknown NtCompareTokens_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCompareTokens_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCompareTokens_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCompareTokens_SystemCall_6_0_6002 jmp NtCompareTokens_SystemCall_Unknown NtCompareTokens_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCompareTokens_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCompareTokens_SystemCall_6_1_7601 jmp NtCompareTokens_SystemCall_Unknown NtCompareTokens_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCompareTokens_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCompareTokens_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCompareTokens_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCompareTokens_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCompareTokens_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCompareTokens_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCompareTokens_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCompareTokens_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCompareTokens_SystemCall_10_0_18363 jmp NtCompareTokens_SystemCall_Unknown NtCompareTokens_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0072h jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 008fh jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 008dh jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 008dh jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 008ch jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 008ch jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0093h jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0094h jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0096h jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0096h jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0097h jmp NtCompareTokens_Epilogue NtCompareTokens_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 
0099h
        jmp     NtCompareTokens_Epilogue
NtCompareTokens_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 009ah
        jmp     NtCompareTokens_Epilogue
NtCompareTokens_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 009bh
        jmp     NtCompareTokens_Epilogue
NtCompareTokens_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 009bh
        jmp     NtCompareTokens_Epilogue
NtCompareTokens_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 009bh
        jmp     NtCompareTokens_Epilogue
NtCompareTokens_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 009bh
        jmp     NtCompareTokens_Epilogue
NtCompareTokens_SystemCall_Unknown:             ; Unknown/unsupported version.
        ret
NtCompareTokens_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtCompareTokens ENDP

;-----------------------------------------------------------------------
; NtCompleteConnectPort
; Direct-syscall stub: selects the service number that matches the running
; OS (PEB major/minor/build) and traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCompleteConnectPort PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCompleteConnectPort_Check_X_X_XXXX:           ; Dispatch on PEB->OSMajorVersion (offset 118h).
        cmp     dword ptr [rax+118h], 5
        je      NtCompleteConnectPort_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCompleteConnectPort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCompleteConnectPort_Check_10_0_XXXX
        jmp     NtCompleteConnectPort_SystemCall_Unknown
NtCompleteConnectPort_Check_6_X_XXXX:           ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtCompleteConnectPort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCompleteConnectPort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCompleteConnectPort_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtCompleteConnectPort_SystemCall_6_3_XXXX
        jmp     NtCompleteConnectPort_SystemCall_Unknown
NtCompleteConnectPort_Check_6_0_XXXX:           ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtCompleteConnectPort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCompleteConnectPort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCompleteConnectPort_SystemCall_6_0_6002
        jmp     NtCompleteConnectPort_SystemCall_Unknown
NtCompleteConnectPort_Check_6_1_XXXX:           ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtCompleteConnectPort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCompleteConnectPort_SystemCall_6_1_7601
        jmp     NtCompleteConnectPort_SystemCall_Unknown
NtCompleteConnectPort_Check_10_0_XXXX:          ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtCompleteConnectPort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCompleteConnectPort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCompleteConnectPort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCompleteConnectPort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCompleteConnectPort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCompleteConnectPort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCompleteConnectPort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCompleteConnectPort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCompleteConnectPort_SystemCall_10_0_18363
        jmp     NtCompleteConnectPort_SystemCall_Unknown
NtCompleteConnectPort_SystemCall_5_X_XXXX:      ; Windows XP and Server 2003
        mov     eax, 0073h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_0_6000:      ; Windows Vista SP0
        mov     eax, 0090h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 008eh
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 008eh
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_1_7600:      ; Windows 7 SP0
        mov     eax, 008dh
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 008dh
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
        mov     eax, 0094h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
        mov     eax, 0095h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
        mov     eax, 0097h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
        mov     eax, 0097h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
        mov     eax, 0098h
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
        mov     eax, 009ah
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
        mov     eax, 009bh
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
        mov     eax, 009ch
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
        mov     eax, 009ch
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
        mov     eax, 009ch
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
        mov     eax, 009ch
        jmp     NtCompleteConnectPort_Epilogue
NtCompleteConnectPort_SystemCall_Unknown:       ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCompleteConnectPort_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCompleteConnectPort ENDP

;-----------------------------------------------------------------------
; NtCompressKey
; Direct-syscall stub: selects the service number that matches the running
; OS (PEB major/minor/build) and traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCompressKey PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCompressKey_Check_X_X_XXXX:                   ; Dispatch on PEB->OSMajorVersion (offset 118h).
        cmp     dword ptr [rax+118h], 5
        je      NtCompressKey_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCompressKey_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCompressKey_Check_10_0_XXXX
        jmp     NtCompressKey_SystemCall_Unknown
NtCompressKey_Check_6_X_XXXX:                   ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtCompressKey_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCompressKey_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCompressKey_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtCompressKey_SystemCall_6_3_XXXX
        jmp     NtCompressKey_SystemCall_Unknown
NtCompressKey_Check_6_0_XXXX:                   ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtCompressKey_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCompressKey_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCompressKey_SystemCall_6_0_6002
        jmp     NtCompressKey_SystemCall_Unknown
NtCompressKey_Check_6_1_XXXX:                   ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtCompressKey_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCompressKey_SystemCall_6_1_7601
        jmp     NtCompressKey_SystemCall_Unknown
NtCompressKey_Check_10_0_XXXX:                  ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtCompressKey_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCompressKey_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCompressKey_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCompressKey_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCompressKey_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCompressKey_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCompressKey_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCompressKey_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCompressKey_SystemCall_10_0_18363
        jmp     NtCompressKey_SystemCall_Unknown
NtCompressKey_SystemCall_5_X_XXXX:              ; Windows XP and Server 2003
        mov     eax, 0074h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_0_6000:              ; Windows Vista SP0
        mov     eax, 0091h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_0_6001:              ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 008fh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_0_6002:              ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 008fh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_1_7600:              ; Windows 7 SP0
        mov     eax, 008eh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_1_7601:              ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 008eh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_2_XXXX:              ; Windows 8 and Server 2012
        mov     eax, 0095h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_6_3_XXXX:              ; Windows 8.1 and Server 2012 R2
        mov     eax, 0096h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_10240:            ; Windows 10.0.10240 (1507)
        mov     eax, 0098h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_10586:            ; Windows 10.0.10586 (1511)
        mov     eax, 0098h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_14393:            ; Windows 10.0.14393 (1607)
        mov     eax, 0099h
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_15063:            ; Windows 10.0.15063 (1703)
        mov     eax, 009bh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
        mov     eax, 009ch
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
        mov     eax, 009dh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
        mov     eax, 009dh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
        mov     eax, 009dh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
        mov     eax, 009dh
        jmp     NtCompressKey_Epilogue
NtCompressKey_SystemCall_Unknown:               ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCompressKey_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCompressKey ENDP

;-----------------------------------------------------------------------
; NtConnectPort
; Direct-syscall stub: selects the service number that matches the running
; OS (PEB major/minor/build) and traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtConnectPort PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtConnectPort_Check_X_X_XXXX:                   ; Dispatch on PEB->OSMajorVersion (offset 118h).
        cmp     dword ptr [rax+118h], 5
        je      NtConnectPort_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtConnectPort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtConnectPort_Check_10_0_XXXX
        jmp     NtConnectPort_SystemCall_Unknown
NtConnectPort_Check_6_X_XXXX:                   ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtConnectPort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtConnectPort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtConnectPort_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtConnectPort_SystemCall_6_3_XXXX
        jmp     NtConnectPort_SystemCall_Unknown
NtConnectPort_Check_6_0_XXXX:                   ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtConnectPort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtConnectPort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtConnectPort_SystemCall_6_0_6002
        jmp     NtConnectPort_SystemCall_Unknown
NtConnectPort_Check_6_1_XXXX:                   ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtConnectPort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtConnectPort_SystemCall_6_1_7601
        jmp     NtConnectPort_SystemCall_Unknown
NtConnectPort_Check_10_0_XXXX:                  ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtConnectPort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtConnectPort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtConnectPort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtConnectPort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtConnectPort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtConnectPort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtConnectPort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtConnectPort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtConnectPort_SystemCall_10_0_18363
        jmp     NtConnectPort_SystemCall_Unknown
NtConnectPort_SystemCall_5_X_XXXX:              ; Windows XP and Server 2003
        mov     eax, 0075h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_0_6000:              ; Windows Vista SP0
        mov     eax, 0092h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_0_6001:              ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0090h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_0_6002:              ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0090h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_1_7600:              ; Windows 7 SP0
        mov     eax, 008fh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_1_7601:              ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 008fh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_2_XXXX:              ; Windows 8 and Server 2012
        mov     eax, 0096h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_6_3_XXXX:              ; Windows 8.1 and Server 2012 R2
        mov     eax, 0097h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_10240:            ; Windows 10.0.10240 (1507)
        mov     eax, 0099h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_10586:            ; Windows 10.0.10586 (1511)
        mov     eax, 0099h
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_14393:            ; Windows 10.0.14393 (1607)
        mov     eax, 009ah
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_15063:            ; Windows 10.0.15063 (1703)
        mov     eax, 009ch
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
        mov     eax, 009dh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
        mov     eax, 009eh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
        mov     eax, 009eh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
        mov     eax, 009eh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
        mov     eax, 009eh
        jmp     NtConnectPort_Epilogue
NtConnectPort_SystemCall_Unknown:               ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtConnectPort_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtConnectPort ENDP

;-----------------------------------------------------------------------
; NtContinue
; Direct-syscall stub: selects the service number that matches the running
; OS (PEB major/minor/build) and traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtContinue PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtContinue_Check_X_X_XXXX:                      ; Dispatch on PEB->OSMajorVersion (offset 118h).
        cmp     dword ptr [rax+118h], 5
        je      NtContinue_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtContinue_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtContinue_Check_10_0_XXXX
        jmp     NtContinue_SystemCall_Unknown
NtContinue_Check_6_X_XXXX:                      ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtContinue_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtContinue_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtContinue_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtContinue_SystemCall_6_3_XXXX
        jmp     NtContinue_SystemCall_Unknown
NtContinue_Check_6_0_XXXX:                      ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtContinue_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtContinue_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtContinue_SystemCall_6_0_6002
        jmp     NtContinue_SystemCall_Unknown
NtContinue_Check_6_1_XXXX:                      ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtContinue_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtContinue_SystemCall_6_1_7601
        jmp     NtContinue_SystemCall_Unknown
NtContinue_Check_10_0_XXXX:                     ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtContinue_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtContinue_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtContinue_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtContinue_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtContinue_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtContinue_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtContinue_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtContinue_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtContinue_SystemCall_10_0_18363
        jmp     NtContinue_SystemCall_Unknown
NtContinue_SystemCall_5_X_XXXX:                 ; Windows XP and Server 2003
        mov     eax, 0040h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_0_6000:                 ; Windows Vista SP0
        mov     eax, 0040h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_0_6001:                 ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0040h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_0_6002:                 ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0040h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_1_7600:                 ; Windows 7 SP0
        mov     eax, 0040h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_1_7601:                 ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0040h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_2_XXXX:                 ; Windows 8 and Server 2012
        mov     eax, 0041h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_6_3_XXXX:                 ; Windows 8.1 and Server 2012 R2
        mov     eax, 0042h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_10240:               ; Windows 10.0.10240 (1507)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_10586:               ; Windows 10.0.10586 (1511)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_14393:               ; Windows 10.0.14393 (1607)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_15063:               ; Windows 10.0.15063 (1703)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_16299:               ; Windows 10.0.16299 (1709)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_17134:               ; Windows 10.0.17134 (1803)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_17763:               ; Windows 10.0.17763 (1809)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_18362:               ; Windows 10.0.18362 (1903)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_10_0_18363:               ; Windows 10.0.18363 (1909)
        mov     eax, 0043h
        jmp     NtContinue_Epilogue
NtContinue_SystemCall_Unknown:                  ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtContinue_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtContinue ENDP

;-----------------------------------------------------------------------
; NtConvertBetweenAuxiliaryCounterAndPerformanceCounter
; Direct-syscall stub for a Windows 10-only service: selects the number by
; PEB major version and build, then traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_X_X_XXXX: ; Dispatch on PEB->OSMajorVersion (offset 118h); only 10 is supported.
        cmp     dword ptr [rax+118h], 10
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_10_0_XXXX
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Check_10_0_XXXX: ; Build number (offset 120h) for Windows 10; 15063..18363 only.
        cmp     dword ptr [rax+120h], 15063
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18363
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 009dh
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 009eh
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 009fh
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 009fh
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 009fh
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 009fh
        jmp     NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_SystemCall_Unknown: ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtConvertBetweenAuxiliaryCounterAndPerformanceCounter ENDP

;-----------------------------------------------------------------------
; NtCreateCrossVmEvent
; Direct-syscall stub for a Windows 10-only service (builds 18362/18363):
; selects the number by PEB major version and build, then traps to the
; kernel with the caller's arguments left untouched (Microsoft x64 convention).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCreateCrossVmEvent PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCreateCrossVmEvent_Check_X_X_XXXX:            ; Dispatch on PEB->OSMajorVersion (offset 118h); only 10 is supported.
        cmp     dword ptr [rax+118h], 10
        je      NtCreateCrossVmEvent_Check_10_0_XXXX
        jmp     NtCreateCrossVmEvent_SystemCall_Unknown
NtCreateCrossVmEvent_Check_10_0_XXXX:           ; Build number (offset 120h) for Windows 10; 18362 and 18363 only.
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateCrossVmEvent_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateCrossVmEvent_SystemCall_10_0_18363
        jmp     NtCreateCrossVmEvent_SystemCall_Unknown
NtCreateCrossVmEvent_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 00a0h
        jmp     NtCreateCrossVmEvent_Epilogue
NtCreateCrossVmEvent_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 00a0h
        jmp     NtCreateCrossVmEvent_Epilogue
NtCreateCrossVmEvent_SystemCall_Unknown:        ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCreateCrossVmEvent_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCreateCrossVmEvent ENDP

;-----------------------------------------------------------------------
; NtCreateDebugObject
; Direct-syscall stub: selects the service number that matches the running
; OS (PEB major/minor/build) and traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCreateDebugObject PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCreateDebugObject_Check_X_X_XXXX:             ; Dispatch on PEB->OSMajorVersion (offset 118h).
        cmp     dword ptr [rax+118h], 5
        je      NtCreateDebugObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateDebugObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateDebugObject_Check_10_0_XXXX
        jmp     NtCreateDebugObject_SystemCall_Unknown
NtCreateDebugObject_Check_6_X_XXXX:             ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateDebugObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateDebugObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateDebugObject_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateDebugObject_SystemCall_6_3_XXXX
        jmp     NtCreateDebugObject_SystemCall_Unknown
NtCreateDebugObject_Check_6_0_XXXX:             ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateDebugObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateDebugObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateDebugObject_SystemCall_6_0_6002
        jmp     NtCreateDebugObject_SystemCall_Unknown
NtCreateDebugObject_Check_6_1_XXXX:             ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateDebugObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateDebugObject_SystemCall_6_1_7601
        jmp     NtCreateDebugObject_SystemCall_Unknown
NtCreateDebugObject_Check_10_0_XXXX:            ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateDebugObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateDebugObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateDebugObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateDebugObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateDebugObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateDebugObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateDebugObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateDebugObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateDebugObject_SystemCall_10_0_18363
        jmp     NtCreateDebugObject_SystemCall_Unknown
NtCreateDebugObject_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 0076h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 0093h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0091h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0091h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 0090h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0090h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 0097h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 0098h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 009ah
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 009ah
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 009bh
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 009eh
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 009fh
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 00a0h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 00a0h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 00a1h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 00a1h
        jmp     NtCreateDebugObject_Epilogue
NtCreateDebugObject_SystemCall_Unknown:         ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCreateDebugObject_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCreateDebugObject ENDP

;-----------------------------------------------------------------------
; NtCreateDirectoryObject
; Direct-syscall stub: selects the service number that matches the running
; OS (PEB major/minor/build) and traps to the kernel with the caller's
; arguments left untouched (Microsoft x64 convention, as an ntdll stub would).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCreateDirectoryObject PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCreateDirectoryObject_Check_X_X_XXXX:         ; Dispatch on PEB->OSMajorVersion (offset 118h).
        cmp     dword ptr [rax+118h], 5
        je      NtCreateDirectoryObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateDirectoryObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateDirectoryObject_Check_10_0_XXXX
        jmp     NtCreateDirectoryObject_SystemCall_Unknown
NtCreateDirectoryObject_Check_6_X_XXXX:         ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateDirectoryObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateDirectoryObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateDirectoryObject_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateDirectoryObject_SystemCall_6_3_XXXX
        jmp     NtCreateDirectoryObject_SystemCall_Unknown
NtCreateDirectoryObject_Check_6_0_XXXX:         ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateDirectoryObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateDirectoryObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateDirectoryObject_SystemCall_6_0_6002
        jmp     NtCreateDirectoryObject_SystemCall_Unknown
NtCreateDirectoryObject_Check_6_1_XXXX:         ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateDirectoryObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateDirectoryObject_SystemCall_6_1_7601
        jmp     NtCreateDirectoryObject_SystemCall_Unknown
NtCreateDirectoryObject_Check_10_0_XXXX:        ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateDirectoryObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateDirectoryObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateDirectoryObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateDirectoryObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateDirectoryObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateDirectoryObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateDirectoryObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateDirectoryObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateDirectoryObject_SystemCall_10_0_18363
        jmp     NtCreateDirectoryObject_SystemCall_Unknown
NtCreateDirectoryObject_SystemCall_5_X_XXXX:    ; Windows XP and Server 2003
        mov     eax, 0077h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_0_6000:    ; Windows Vista SP0
        mov     eax, 0094h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_0_6001:    ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0092h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_0_6002:    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0092h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_1_7600:    ; Windows 7 SP0
        mov     eax, 0091h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_1_7601:    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0091h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_2_XXXX:    ; Windows 8 and Server 2012
        mov     eax, 0098h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_6_3_XXXX:    ; Windows 8.1 and Server 2012 R2
        mov     eax, 0099h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_10240:  ; Windows 10.0.10240 (1507)
        mov     eax, 009bh
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_10586:  ; Windows 10.0.10586 (1511)
        mov     eax, 009bh
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_14393:  ; Windows 10.0.14393 (1607)
        mov     eax, 009ch
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_15063:  ; Windows 10.0.15063 (1703)
        mov     eax, 009fh
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_16299:  ; Windows 10.0.16299 (1709)
        mov     eax, 00a0h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_17134:  ; Windows 10.0.17134 (1803)
        mov     eax, 00a1h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_17763:  ; Windows 10.0.17763 (1809)
        mov     eax, 00a1h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_18362:  ; Windows 10.0.18362 (1903)
        mov     eax, 00a2h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_10_0_18363:  ; Windows 10.0.18363 (1909)
        mov     eax, 00a2h
        jmp     NtCreateDirectoryObject_Epilogue
NtCreateDirectoryObject_SystemCall_Unknown:     ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCreateDirectoryObject_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCreateDirectoryObject ENDP

;-----------------------------------------------------------------------
; NtCreateDirectoryObjectEx
; Direct-syscall stub for a service present from Windows 8 onward: selects
; the number by PEB major/minor/build, then traps to the kernel with the
; caller's arguments left untouched (Microsoft x64 convention).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCreateDirectoryObjectEx PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCreateDirectoryObjectEx_Check_X_X_XXXX:       ; Dispatch on PEB->OSMajorVersion (offset 118h); 6 and 10 only.
        cmp     dword ptr [rax+118h], 6
        je      NtCreateDirectoryObjectEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateDirectoryObjectEx_Check_10_0_XXXX
        jmp     NtCreateDirectoryObjectEx_SystemCall_Unknown
NtCreateDirectoryObjectEx_Check_6_X_XXXX:       ; Dispatch on PEB->OSMinorVersion (offset 11ch); only 6.2/6.3 are handled.
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateDirectoryObjectEx_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateDirectoryObjectEx_SystemCall_6_3_XXXX
        jmp     NtCreateDirectoryObjectEx_SystemCall_Unknown
NtCreateDirectoryObjectEx_Check_10_0_XXXX:      ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateDirectoryObjectEx_SystemCall_10_0_18363
        jmp     NtCreateDirectoryObjectEx_SystemCall_Unknown
NtCreateDirectoryObjectEx_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 0099h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 009ah
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 009ch
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 009ch
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 009dh
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 00a0h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 00a1h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 00a2h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 00a2h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 00a3h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 00a3h
        jmp     NtCreateDirectoryObjectEx_Epilogue
NtCreateDirectoryObjectEx_SystemCall_Unknown:   ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCreateDirectoryObjectEx_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCreateDirectoryObjectEx ENDP

;-----------------------------------------------------------------------
; NtCreateEnclave
; Direct-syscall stub for a Windows 10-only service (builds 10586..18363):
; selects the number by PEB major version and build, then traps to the
; kernel with the caller's arguments left untouched (Microsoft x64 convention).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCreateEnclave PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCreateEnclave_Check_X_X_XXXX:                 ; Dispatch on PEB->OSMajorVersion (offset 118h); only 10 is supported.
        cmp     dword ptr [rax+118h], 10
        je      NtCreateEnclave_Check_10_0_XXXX
        jmp     NtCreateEnclave_SystemCall_Unknown
NtCreateEnclave_Check_10_0_XXXX:                ; Build number (offset 120h) for Windows 10; no 10240 entry, nothing after 18363.
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateEnclave_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateEnclave_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateEnclave_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateEnclave_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateEnclave_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateEnclave_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateEnclave_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateEnclave_SystemCall_10_0_18363
        jmp     NtCreateEnclave_SystemCall_Unknown
NtCreateEnclave_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 009dh
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 009eh
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 00a1h
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 00a2h
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 00a3h
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 00a3h
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 00a4h
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 00a4h
        jmp     NtCreateEnclave_Epilogue
NtCreateEnclave_SystemCall_Unknown:             ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCreateEnclave_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCreateEnclave ENDP

;-----------------------------------------------------------------------
; NtCreateEnlistment
; Direct-syscall stub for a service present from Vista onward (no XP entry):
; selects the number by PEB major/minor/build, then traps to the kernel with
; the caller's arguments left untouched (Microsoft x64 convention).
; Out:   rax = NTSTATUS; see the _Unknown note for the unsupported case.
; Clobb: rax, r10, flags; `syscall` itself overwrites rcx and r11.
;-----------------------------------------------------------------------
NtCreateEnlistment PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX (TEB->ProcessEnvironmentBlock).
NtCreateEnlistment_Check_X_X_XXXX:              ; Dispatch on PEB->OSMajorVersion (offset 118h); 6 and 10 only.
        cmp     dword ptr [rax+118h], 6
        je      NtCreateEnlistment_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateEnlistment_Check_10_0_XXXX
        jmp     NtCreateEnlistment_SystemCall_Unknown
NtCreateEnlistment_Check_6_X_XXXX:              ; Dispatch on PEB->OSMinorVersion (offset 11ch) for Vista/7/8.x.
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateEnlistment_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateEnlistment_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateEnlistment_SystemCall_6_2_XXXX
        ; NOTE(review): this repeats the compare against 2, so the 6_3 branch
        ; is unreachable and 6.3 (Windows 8.1 / Server 2012 R2) ends in _Unknown.
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateEnlistment_SystemCall_6_3_XXXX
        jmp     NtCreateEnlistment_SystemCall_Unknown
NtCreateEnlistment_Check_6_0_XXXX:              ; Dispatch on PEB->OSBuildNumber (offset 120h) for Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateEnlistment_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateEnlistment_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateEnlistment_SystemCall_6_0_6002
        jmp     NtCreateEnlistment_SystemCall_Unknown
NtCreateEnlistment_Check_6_1_XXXX:              ; Build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateEnlistment_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateEnlistment_SystemCall_6_1_7601
        jmp     NtCreateEnlistment_SystemCall_Unknown
NtCreateEnlistment_Check_10_0_XXXX:             ; Build number for Windows 10; anything newer than 18363 ends in _Unknown.
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateEnlistment_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateEnlistment_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateEnlistment_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateEnlistment_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateEnlistment_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateEnlistment_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateEnlistment_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateEnlistment_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateEnlistment_SystemCall_10_0_18363
        jmp     NtCreateEnlistment_SystemCall_Unknown
NtCreateEnlistment_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 0095h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0093h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0093h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_6_1_7600:         ; Windows 7 SP0
        mov     eax, 0092h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0092h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 009ah
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 009bh
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 009dh
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 009eh
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 009fh
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 00a2h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 00a3h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 00a4h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 00a4h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 00a5h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 00a5h
        jmp     NtCreateEnlistment_Epilogue
NtCreateEnlistment_SystemCall_Unknown:          ; Unknown/unsupported version.
        ; NOTE(review): returns without a syscall and without setting eax, so
        ; the caller receives the low 32 bits of the PEB pointer as its NTSTATUS.
        ret
NtCreateEnlistment_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; the kernel reads arg 1 from r10.
        syscall
        ret
NtCreateEnlistment ENDP

NtCreateEvent PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX.
NtCreateEvent_Check_X_X_XXXX:                   ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtCreateEvent_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateEvent_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateEvent_Check_10_0_XXXX
        jmp     NtCreateEvent_SystemCall_Unknown
NtCreateEvent_Check_6_X_XXXX:                   ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateEvent_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateEvent_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateEvent_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateEvent_SystemCall_6_3_XXXX
        jmp     NtCreateEvent_SystemCall_Unknown
NtCreateEvent_Check_6_0_XXXX:                   ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateEvent_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateEvent_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateEvent_SystemCall_6_0_6002
        jmp     NtCreateEvent_SystemCall_Unknown
NtCreateEvent_Check_6_1_XXXX:                   ; Check build number for Windows 7.
cmp dword ptr [rax+120h], 7600 je NtCreateEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateEvent_SystemCall_6_1_7601 jmp NtCreateEvent_SystemCall_Unknown NtCreateEvent_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateEvent_SystemCall_10_0_18363 jmp NtCreateEvent_SystemCall_Unknown NtCreateEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0045h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0045h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0045h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0045h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0045h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0045h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0046h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0047h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0048h jmp NtCreateEvent_Epilogue 
NtCreateEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0048h jmp NtCreateEvent_Epilogue NtCreateEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateEvent_Epilogue: mov r10, rcx syscall ret NtCreateEvent ENDP NtCreateEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateEventPair_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateEventPair_Check_10_0_XXXX jmp NtCreateEventPair_SystemCall_Unknown NtCreateEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateEventPair_SystemCall_6_3_XXXX jmp NtCreateEventPair_SystemCall_Unknown NtCreateEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtCreateEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateEventPair_SystemCall_6_0_6002 jmp NtCreateEventPair_SystemCall_Unknown NtCreateEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateEventPair_SystemCall_6_1_7601 jmp NtCreateEventPair_SystemCall_Unknown NtCreateEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateEventPair_SystemCall_10_0_18363 jmp NtCreateEventPair_SystemCall_Unknown NtCreateEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0078h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0096h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0094h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0094h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0093h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0093h jmp NtCreateEventPair_Epilogue 
NtCreateEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 009bh jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 009ch jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 009eh jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 009fh jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00a0h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00a3h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00a4h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00a5h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00a5h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00a6h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00a6h jmp NtCreateEventPair_Epilogue NtCreateEventPair_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateEventPair_Epilogue: mov r10, rcx syscall ret NtCreateEventPair ENDP NtCreateFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateFile_Check_10_0_XXXX jmp NtCreateFile_SystemCall_Unknown NtCreateFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtCreateFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateFile_SystemCall_6_3_XXXX jmp NtCreateFile_SystemCall_Unknown NtCreateFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateFile_SystemCall_6_0_6002 jmp NtCreateFile_SystemCall_Unknown NtCreateFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateFile_SystemCall_6_1_7601 jmp NtCreateFile_SystemCall_Unknown NtCreateFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateFile_SystemCall_10_0_18363 jmp NtCreateFile_SystemCall_Unknown NtCreateFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0052h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0052h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0052h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0052h jmp NtCreateFile_Epilogue 
NtCreateFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0052h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0052h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0053h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0054h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0055h jmp NtCreateFile_Epilogue NtCreateFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateFile_Epilogue: mov r10, rcx syscall ret NtCreateFile ENDP NtCreateIRTimer PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateIRTimer_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCreateIRTimer_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateIRTimer_Check_10_0_XXXX jmp NtCreateIRTimer_SystemCall_Unknown NtCreateIRTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 2 je NtCreateIRTimer_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateIRTimer_SystemCall_6_3_XXXX jmp NtCreateIRTimer_SystemCall_Unknown NtCreateIRTimer_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateIRTimer_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateIRTimer_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateIRTimer_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateIRTimer_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateIRTimer_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateIRTimer_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateIRTimer_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateIRTimer_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateIRTimer_SystemCall_10_0_18363 jmp NtCreateIRTimer_SystemCall_Unknown NtCreateIRTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 009ch jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 009dh jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 009fh jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00a0h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00a1h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00a4h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00a5h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00a6h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00a6h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 
(1903) mov eax, 00a7h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00a7h jmp NtCreateIRTimer_Epilogue NtCreateIRTimer_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateIRTimer_Epilogue: mov r10, rcx syscall ret NtCreateIRTimer ENDP NtCreateIoCompletion PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateIoCompletion_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateIoCompletion_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateIoCompletion_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateIoCompletion_Check_10_0_XXXX jmp NtCreateIoCompletion_SystemCall_Unknown NtCreateIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateIoCompletion_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateIoCompletion_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateIoCompletion_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateIoCompletion_SystemCall_6_3_XXXX jmp NtCreateIoCompletion_SystemCall_Unknown NtCreateIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateIoCompletion_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateIoCompletion_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateIoCompletion_SystemCall_6_0_6002 jmp NtCreateIoCompletion_SystemCall_Unknown NtCreateIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateIoCompletion_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateIoCompletion_SystemCall_6_1_7601 jmp NtCreateIoCompletion_SystemCall_Unknown NtCreateIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateIoCompletion_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateIoCompletion_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateIoCompletion_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateIoCompletion_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateIoCompletion_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateIoCompletion_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateIoCompletion_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateIoCompletion_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateIoCompletion_SystemCall_10_0_18363 jmp NtCreateIoCompletion_SystemCall_Unknown NtCreateIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0079h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0097h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0095h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0095h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0094h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0094h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 009dh jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 009eh jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00a0h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00a1h jmp NtCreateIoCompletion_Epilogue 
NtCreateIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00a2h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00a5h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00a6h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00a7h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00a7h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00a8h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00a8h jmp NtCreateIoCompletion_Epilogue NtCreateIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateIoCompletion_Epilogue: mov r10, rcx syscall ret NtCreateIoCompletion ENDP NtCreateJobObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateJobObject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateJobObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateJobObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateJobObject_Check_10_0_XXXX jmp NtCreateJobObject_SystemCall_Unknown NtCreateJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateJobObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateJobObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateJobObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateJobObject_SystemCall_6_3_XXXX jmp NtCreateJobObject_SystemCall_Unknown NtCreateJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtCreateJobObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateJobObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateJobObject_SystemCall_6_0_6002 jmp NtCreateJobObject_SystemCall_Unknown NtCreateJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateJobObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateJobObject_SystemCall_6_1_7601 jmp NtCreateJobObject_SystemCall_Unknown NtCreateJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateJobObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateJobObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateJobObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateJobObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateJobObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateJobObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateJobObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateJobObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateJobObject_SystemCall_10_0_18363 jmp NtCreateJobObject_SystemCall_Unknown NtCreateJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 007ah jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0098h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0096h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0096h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0095h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0095h jmp NtCreateJobObject_Epilogue 
NtCreateJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 009eh jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 009fh jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00a1h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00a2h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00a3h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00a6h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00a7h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00a8h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00a8h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00a9h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00a9h jmp NtCreateJobObject_Epilogue NtCreateJobObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateJobObject_Epilogue: mov r10, rcx syscall ret NtCreateJobObject ENDP NtCreateJobSet PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateJobSet_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateJobSet_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateJobSet_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateJobSet_Check_10_0_XXXX jmp NtCreateJobSet_SystemCall_Unknown NtCreateJobSet_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtCreateJobSet_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateJobSet_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateJobSet_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateJobSet_SystemCall_6_3_XXXX jmp NtCreateJobSet_SystemCall_Unknown NtCreateJobSet_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateJobSet_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateJobSet_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateJobSet_SystemCall_6_0_6002 jmp NtCreateJobSet_SystemCall_Unknown NtCreateJobSet_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateJobSet_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateJobSet_SystemCall_6_1_7601 jmp NtCreateJobSet_SystemCall_Unknown NtCreateJobSet_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateJobSet_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateJobSet_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateJobSet_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateJobSet_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateJobSet_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateJobSet_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateJobSet_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateJobSet_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateJobSet_SystemCall_10_0_18363 jmp NtCreateJobSet_SystemCall_Unknown NtCreateJobSet_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 007bh jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0099h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0097h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 
2008 SP2 mov eax, 0097h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0096h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0096h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 009fh jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00a0h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00a2h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00a3h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00a4h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00a7h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00a8h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00a9h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00a9h jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00aah jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00aah jmp NtCreateJobSet_Epilogue NtCreateJobSet_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateJobSet_Epilogue: mov r10, rcx syscall ret NtCreateJobSet ENDP NtCreateKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateKey_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtCreateKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateKey_Check_10_0_XXXX jmp NtCreateKey_SystemCall_Unknown NtCreateKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateKey_SystemCall_6_3_XXXX jmp NtCreateKey_SystemCall_Unknown NtCreateKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateKey_SystemCall_6_0_6002 jmp NtCreateKey_SystemCall_Unknown NtCreateKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateKey_SystemCall_6_1_7601 jmp NtCreateKey_SystemCall_Unknown NtCreateKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateKey_SystemCall_10_0_18363 jmp NtCreateKey_SystemCall_Unknown NtCreateKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 001ah jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 001ah jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 001ah jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 001ah jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 001ah jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 001ah jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 001bh jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 001ch jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 001dh jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 001dh jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 001dh jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 001dh jmp NtCreateKey_Epilogue NtCreateKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 001dh jmp NtCreateKey_Epilogue 
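NtCreateKey_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 001dh
        jmp     NtCreateKey_Epilogue
NtCreateKey_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 001dh
        jmp     NtCreateKey_Epilogue
NtCreateKey_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 001dh
        jmp     NtCreateKey_Epilogue
NtCreateKey_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 001dh
        jmp     NtCreateKey_Epilogue
NtCreateKey_SystemCall_Unknown:         ; Unknown/unsupported version.
        ret
NtCreateKey_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtCreateKey ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreateKeyTransacted(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table below.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
;        No stack is used.
; NOTE(review): PEB.OSMajorVersion/OSMinorVersion/OSBuildNumber may be
;        subject to application-compatibility versioning; confirm they
;        report the real OS for the hosting process.
;-----------------------------------------------------------------------
NtCreateKeyTransacted PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreateKeyTransacted_Check_X_X_XXXX:   ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 6
        je      NtCreateKeyTransacted_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateKeyTransacted_Check_10_0_XXXX
        jmp     NtCreateKeyTransacted_SystemCall_Unknown   ; no 5.x entry for this call
NtCreateKeyTransacted_Check_6_X_XXXX:   ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateKeyTransacted_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateKeyTransacted_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateKeyTransacted_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreateKeyTransacted_SystemCall_6_3_XXXX
        jmp     NtCreateKeyTransacted_SystemCall_Unknown
NtCreateKeyTransacted_Check_6_0_XXXX:   ; PEB.OSBuildNumber (+120h) for Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateKeyTransacted_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateKeyTransacted_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateKeyTransacted_SystemCall_6_0_6002
        jmp     NtCreateKeyTransacted_SystemCall_Unknown
NtCreateKeyTransacted_Check_6_1_XXXX:   ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateKeyTransacted_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateKeyTransacted_SystemCall_6_1_7601
        jmp     NtCreateKeyTransacted_SystemCall_Unknown
NtCreateKeyTransacted_Check_10_0_XXXX:  ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateKeyTransacted_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateKeyTransacted_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateKeyTransacted_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateKeyTransacted_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateKeyTransacted_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateKeyTransacted_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateKeyTransacted_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateKeyTransacted_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateKeyTransacted_SystemCall_10_0_18363
        jmp     NtCreateKeyTransacted_SystemCall_Unknown
; Service numbers are build-specific; the values below are as tabulated
; in this file and are not re-verified here.
NtCreateKeyTransacted_SystemCall_6_0_6000:      ; Windows Vista SP0
        mov     eax, 009ah
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0098h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0098h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_6_1_7600:      ; Windows 7 SP0
        mov     eax, 0097h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0097h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
        mov     eax, 00a0h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a1h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
        mov     eax, 00a3h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
        mov     eax, 00a4h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
        mov     eax, 00a5h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
        mov     eax, 00a8h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
        mov     eax, 00a9h
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
        mov     eax, 00aah
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
        mov     eax, 00aah
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
        mov     eax, 00abh
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
        mov     eax, 00abh
        jmp     NtCreateKeyTransacted_Epilogue
NtCreateKeyTransacted_SystemCall_Unknown:       ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreateKeyTransacted_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreateKeyTransacted ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreateKeyedEvent(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreateKeyedEvent PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreateKeyedEvent_Check_X_X_XXXX:      ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 5
        je      NtCreateKeyedEvent_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateKeyedEvent_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateKeyedEvent_Check_10_0_XXXX
        jmp     NtCreateKeyedEvent_SystemCall_Unknown
NtCreateKeyedEvent_Check_6_X_XXXX:      ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateKeyedEvent_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateKeyedEvent_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateKeyedEvent_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreateKeyedEvent_SystemCall_6_3_XXXX
        jmp     NtCreateKeyedEvent_SystemCall_Unknown
NtCreateKeyedEvent_Check_6_0_XXXX:      ; PEB.OSBuildNumber (+120h) for Vista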
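; NtCreateKeyedEvent (continued): build tables, service numbers, epilogue.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateKeyedEvent_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateKeyedEvent_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateKeyedEvent_SystemCall_6_0_6002
        jmp     NtCreateKeyedEvent_SystemCall_Unknown
NtCreateKeyedEvent_Check_6_1_XXXX:      ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateKeyedEvent_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateKeyedEvent_SystemCall_6_1_7601
        jmp     NtCreateKeyedEvent_SystemCall_Unknown
NtCreateKeyedEvent_Check_10_0_XXXX:     ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateKeyedEvent_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateKeyedEvent_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateKeyedEvent_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateKeyedEvent_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateKeyedEvent_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateKeyedEvent_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateKeyedEvent_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateKeyedEvent_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateKeyedEvent_SystemCall_10_0_18363
        jmp     NtCreateKeyedEvent_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreateKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 007ch
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 009bh
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0099h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0099h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0098h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0098h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 00a1h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a2h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 00a4h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 00a5h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 00a6h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 00a9h
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 00aah
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 00abh
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 00abh
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 00ach
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 00ach
        jmp     NtCreateKeyedEvent_Epilogue
NtCreateKeyedEvent_SystemCall_Unknown:  ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreateKeyedEvent_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreateKeyedEvent ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreateLowBoxToken(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`. Only Windows 8 (6.2) and
; later have entries for this call.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreateLowBoxToken PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreateLowBoxToken_Check_X_X_XXXX:     ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 6
        je      NtCreateLowBoxToken_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateLowBoxToken_Check_10_0_XXXX
        jmp     NtCreateLowBoxToken_SystemCall_Unknown
NtCreateLowBoxToken_Check_6_X_XXXX:     ; PEB.OSMinorVersion (+11ch): only 8 / 8.1 are known here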
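; NtCreateLowBoxToken (continued): minor-version / build tables, epilogue.
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateLowBoxToken_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreateLowBoxToken_SystemCall_6_3_XXXX
        jmp     NtCreateLowBoxToken_SystemCall_Unknown
NtCreateLowBoxToken_Check_10_0_XXXX:    ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateLowBoxToken_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateLowBoxToken_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateLowBoxToken_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateLowBoxToken_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateLowBoxToken_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateLowBoxToken_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateLowBoxToken_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateLowBoxToken_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateLowBoxToken_SystemCall_10_0_18363
        jmp     NtCreateLowBoxToken_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreateLowBoxToken_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 00a2h
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a3h
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 00a5h
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 00a6h
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 00a7h
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 00aah
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 00abh
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 00ach
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 00ach
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 00adh
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 00adh
        jmp     NtCreateLowBoxToken_Epilogue
NtCreateLowBoxToken_SystemCall_Unknown: ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreateLowBoxToken_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreateLowBoxToken ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreateMailslotFile(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreateMailslotFile PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreateMailslotFile_Check_X_X_XXXX:    ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 5
        je      NtCreateMailslotFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateMailslotFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateMailslotFile_Check_10_0_XXXX
        jmp     NtCreateMailslotFile_SystemCall_Unknown
NtCreateMailslotFile_Check_6_X_XXXX:    ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateMailslotFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateMailslotFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateMailslotFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreateMailslotFile_SystemCall_6_3_XXXX
        jmp     NtCreateMailslotFile_SystemCall_Unknown
NtCreateMailslotFile_Check_6_0_XXXX:    ; PEB.OSBuildNumber (+120h) for Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateMailslotFile_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateMailslotFile_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateMailslotFile_SystemCall_6_0_6002
        jmp     NtCreateMailslotFile_SystemCall_Unknown
NtCreateMailslotFile_Check_6_1_XXXX:    ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateMailslotFile_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateMailslotFile_SystemCall_6_1_7601
        jmp     NtCreateMailslotFile_SystemCall_Unknown
NtCreateMailslotFile_Check_10_0_XXXX:   ; PEB.OSBuildNumber (+120h) for Windows 10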
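; NtCreateMailslotFile (continued): Windows 10 build table, service numbers, epilogue.
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateMailslotFile_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateMailslotFile_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateMailslotFile_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateMailslotFile_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateMailslotFile_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateMailslotFile_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateMailslotFile_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateMailslotFile_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateMailslotFile_SystemCall_10_0_18363
        jmp     NtCreateMailslotFile_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreateMailslotFile_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
        mov     eax, 007dh
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 009ch
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 009ah
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 009ah
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 0099h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0099h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 00a3h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a4h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 00a6h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 00a7h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 00a8h
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 00abh
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 00ach
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 00adh
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 00adh
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 00aeh
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 00aeh
        jmp     NtCreateMailslotFile_Epilogue
NtCreateMailslotFile_SystemCall_Unknown:        ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreateMailslotFile_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreateMailslotFile ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreateMutant(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreateMutant PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreateMutant_Check_X_X_XXXX:          ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 5
        je      NtCreateMutant_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateMutant_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateMutant_Check_10_0_XXXX
        jmp     NtCreateMutant_SystemCall_Unknown
NtCreateMutant_Check_6_X_XXXX:          ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateMutant_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateMutant_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateMutant_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreateMutant_SystemCall_6_3_XXXX
        jmp     NtCreateMutant_SystemCall_Unknown
NtCreateMutant_Check_6_0_XXXX:          ; PEB.OSBuildNumber (+120h) for Vista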
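; NtCreateMutant (continued): build tables, service numbers, epilogue.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateMutant_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateMutant_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateMutant_SystemCall_6_0_6002
        jmp     NtCreateMutant_SystemCall_Unknown
NtCreateMutant_Check_6_1_XXXX:          ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateMutant_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateMutant_SystemCall_6_1_7601
        jmp     NtCreateMutant_SystemCall_Unknown
NtCreateMutant_Check_10_0_XXXX:         ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateMutant_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateMutant_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateMutant_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateMutant_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateMutant_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateMutant_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateMutant_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateMutant_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateMutant_SystemCall_10_0_18363
        jmp     NtCreateMutant_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreateMutant_SystemCall_5_X_XXXX:     ; Windows XP and Server 2003
        mov     eax, 007eh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_0_6000:     ; Windows Vista SP0
        mov     eax, 009dh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_0_6001:     ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 009bh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_0_6002:     ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 009bh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_1_7600:     ; Windows 7 SP0
        mov     eax, 009ah
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_1_7601:     ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 009ah
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
        mov     eax, 00a4h
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a5h
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
        mov     eax, 00a7h
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
        mov     eax, 00a8h
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
        mov     eax, 00a9h
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
        mov     eax, 00ach
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
        mov     eax, 00adh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
        mov     eax, 00aeh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
        mov     eax, 00aeh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
        mov     eax, 00afh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
        mov     eax, 00afh
        jmp     NtCreateMutant_Epilogue
NtCreateMutant_SystemCall_Unknown:      ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreateMutant_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreateMutant ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreateNamedPipeFile(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreateNamedPipeFile PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreateNamedPipeFile_Check_X_X_XXXX:   ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 5
        je      NtCreateNamedPipeFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateNamedPipeFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateNamedPipeFile_Check_10_0_XXXX
        jmp     NtCreateNamedPipeFile_SystemCall_Unknown
NtCreateNamedPipeFile_Check_6_X_XXXX:   ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1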
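; NtCreateNamedPipeFile (continued): minor-version / build tables, service numbers, epilogue.
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateNamedPipeFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateNamedPipeFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateNamedPipeFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreateNamedPipeFile_SystemCall_6_3_XXXX
        jmp     NtCreateNamedPipeFile_SystemCall_Unknown
NtCreateNamedPipeFile_Check_6_0_XXXX:   ; PEB.OSBuildNumber (+120h) for Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateNamedPipeFile_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateNamedPipeFile_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateNamedPipeFile_SystemCall_6_0_6002
        jmp     NtCreateNamedPipeFile_SystemCall_Unknown
NtCreateNamedPipeFile_Check_6_1_XXXX:   ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateNamedPipeFile_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateNamedPipeFile_SystemCall_6_1_7601
        jmp     NtCreateNamedPipeFile_SystemCall_Unknown
NtCreateNamedPipeFile_Check_10_0_XXXX:  ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateNamedPipeFile_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateNamedPipeFile_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateNamedPipeFile_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateNamedPipeFile_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateNamedPipeFile_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateNamedPipeFile_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateNamedPipeFile_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateNamedPipeFile_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateNamedPipeFile_SystemCall_10_0_18363
        jmp     NtCreateNamedPipeFile_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreateNamedPipeFile_SystemCall_5_X_XXXX:      ; Windows XP and Server 2003
        mov     eax, 007fh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_0_6000:      ; Windows Vista SP0
        mov     eax, 009eh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 009ch
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 009ch
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_1_7600:      ; Windows 7 SP0
        mov     eax, 009bh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 009bh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
        mov     eax, 00a5h
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a6h
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
        mov     eax, 00a8h
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
        mov     eax, 00a9h
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
        mov     eax, 00aah
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
        mov     eax, 00adh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
        mov     eax, 00aeh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
        mov     eax, 00afh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
        mov     eax, 00afh
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
        mov     eax, 00b0h
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
        mov     eax, 00b0h
        jmp     NtCreateNamedPipeFile_Epilogue
NtCreateNamedPipeFile_SystemCall_Unknown:       ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreateNamedPipeFile_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreateNamedPipeFile ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreatePagingFile(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreatePagingFile PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreatePagingFile_Check_X_X_XXXX:      ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 5
        je      NtCreatePagingFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreatePagingFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreatePagingFile_Check_10_0_XXXX
        jmp     NtCreatePagingFile_SystemCall_Unknown
NtCreatePagingFile_Check_6_X_XXXX:      ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreatePagingFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreatePagingFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreatePagingFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreatePagingFile_SystemCall_6_3_XXXX
        jmp     NtCreatePagingFile_SystemCall_Unknown
NtCreatePagingFile_Check_6_0_XXXX:      ; PEB.OSBuildNumber (+120h) for Vista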
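; NtCreatePagingFile (continued): build tables, service numbers, epilogue.
        cmp     dword ptr [rax+120h], 6000
        je      NtCreatePagingFile_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreatePagingFile_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreatePagingFile_SystemCall_6_0_6002
        jmp     NtCreatePagingFile_SystemCall_Unknown
NtCreatePagingFile_Check_6_1_XXXX:      ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreatePagingFile_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreatePagingFile_SystemCall_6_1_7601
        jmp     NtCreatePagingFile_SystemCall_Unknown
NtCreatePagingFile_Check_10_0_XXXX:     ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreatePagingFile_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreatePagingFile_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreatePagingFile_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreatePagingFile_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreatePagingFile_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreatePagingFile_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreatePagingFile_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreatePagingFile_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreatePagingFile_SystemCall_10_0_18363
        jmp     NtCreatePagingFile_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreatePagingFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 0080h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 009fh
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 009dh
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 009dh
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 009ch
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 009ch
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 00a6h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a7h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 00a9h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 00aah
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 00abh
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 00aeh
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 00afh
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 00b0h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 00b0h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 00b1h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 00b1h
        jmp     NtCreatePagingFile_Epilogue
NtCreatePagingFile_SystemCall_Unknown:  ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreatePagingFile_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreatePagingFile ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreatePartition(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`. Only Windows 10 builds
; have entries for this call.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreatePartition PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreatePartition_Check_X_X_XXXX:       ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 10
        je      NtCreatePartition_Check_10_0_XXXX
        jmp     NtCreatePartition_SystemCall_Unknown
NtCreatePartition_Check_10_0_XXXX:      ; PEB.OSBuildNumber (+120h) for Windows 10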
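; NtCreatePartition (continued): Windows 10 build table, service numbers, epilogue.
        cmp     dword ptr [rax+120h], 10240
        je      NtCreatePartition_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreatePartition_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreatePartition_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreatePartition_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreatePartition_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreatePartition_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreatePartition_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreatePartition_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreatePartition_SystemCall_10_0_18363
        jmp     NtCreatePartition_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreatePartition_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 00aah
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 00abh
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 00ach
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 00afh
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 00b0h
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 00b1h
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 00b1h
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 00b2h
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 00b2h
        jmp     NtCreatePartition_Epilogue
NtCreatePartition_SystemCall_Unknown:   ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreatePartition_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreatePartition ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtCreatePort(...)
; Raw x64 system-call stub: picks the build-specific service number from
; the PEB version fields and issues `syscall`.
; ABI:   Microsoft x64. rcx/rdx/r8/r9 and stack arguments pass through
;        untouched; only rax/r10/r11 are used as scratch.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;        the running OS version is not in the table.
; Clobb: rax, r10, r11 (syscall itself also overwrites rcx), flags.
; NOTE(review): PEB version fields may be subject to application-
;        compatibility versioning; confirm they report the real OS.
;-----------------------------------------------------------------------
NtCreatePort PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)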
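NtCreatePort_Check_X_X_XXXX:            ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 5
        je      NtCreatePort_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreatePort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreatePort_Check_10_0_XXXX
        jmp     NtCreatePort_SystemCall_Unknown
NtCreatePort_Check_6_X_XXXX:            ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreatePort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreatePort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreatePort_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreatePort_SystemCall_6_3_XXXX
        jmp     NtCreatePort_SystemCall_Unknown
NtCreatePort_Check_6_0_XXXX:            ; PEB.OSBuildNumber (+120h) for Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreatePort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreatePort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreatePort_SystemCall_6_0_6002
        jmp     NtCreatePort_SystemCall_Unknown
NtCreatePort_Check_6_1_XXXX:            ; PEB.OSBuildNumber (+120h) for Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreatePort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreatePort_SystemCall_6_1_7601
        jmp     NtCreatePort_SystemCall_Unknown
NtCreatePort_Check_10_0_XXXX:           ; PEB.OSBuildNumber (+120h) for Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreatePort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreatePort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreatePort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreatePort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreatePort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreatePort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreatePort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreatePort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreatePort_SystemCall_10_0_18363
        jmp     NtCreatePort_SystemCall_Unknown
; Service numbers are build-specific; values as tabulated in this file.
NtCreatePort_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
        mov     eax, 0081h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 00a0h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 009eh
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 009eh
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 009dh
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 009dh
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 00a7h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 00a8h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 00abh
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 00ach
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 00adh
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 00b0h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 00b1h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 00b2h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 00b2h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 00b3h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 00b3h
        jmp     NtCreatePort_Epilogue
NtCreatePort_SystemCall_Unknown:        ; Unknown/unsupported version.
        mov     eax, 0C0000002h         ; STATUS_NOT_IMPLEMENTED; previously returned with PEB pointer bits in eax
        ret
NtCreatePort_Epilogue:
        mov     r10, rcx                ; syscall takes arg1 in r10; rcx is overwritten by syscall
        syscall
        ret
NtCreatePort ENDP

; NtCreatePrivateNamespace: raw x64 system-call stub, same layout as the
; stubs above (PEB version dispatch, then syscall). Body continues below.
NtCreatePrivateNamespace PROC
        mov     rax, gs:[60h]           ; rax = PEB (TEB+60h)
NtCreatePrivateNamespace_Check_X_X_XXXX:        ; PEB.OSMajorVersion (+118h)
        cmp     dword ptr [rax+118h], 6
        je      NtCreatePrivateNamespace_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreatePrivateNamespace_Check_10_0_XXXX
        jmp     NtCreatePrivateNamespace_SystemCall_Unknown
NtCreatePrivateNamespace_Check_6_X_XXXX:        ; PEB.OSMinorVersion (+11ch): Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtCreatePrivateNamespace_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreatePrivateNamespace_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreatePrivateNamespace_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3 ; fixed: compared 2 twice, so 6.3 (8.1 / 2012 R2) was unreachable
        je      NtCreatePrivateNamespace_SystemCall_6_3_XXXX
        jmp     NtCreatePrivateNamespace_SystemCall_Unknown
NtCreatePrivateNamespace_Check_6_0_XXXX:        ; PEB.OSBuildNumber (+120h) for Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreatePrivateNamespace_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreatePrivateNamespace_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreatePrivateNamespace_SystemCall_6_0_6002
        jmp     NtCreatePrivateNamespace_SystemCall_Unknown
NtCreatePrivateNamespace_Check_6_1_XXXX:        ; PEB.OSBuildNumber (+120h) for Windows 7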
cmp dword ptr [rax+120h], 7600 je NtCreatePrivateNamespace_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreatePrivateNamespace_SystemCall_6_1_7601 jmp NtCreatePrivateNamespace_SystemCall_Unknown NtCreatePrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreatePrivateNamespace_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreatePrivateNamespace_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreatePrivateNamespace_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreatePrivateNamespace_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreatePrivateNamespace_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreatePrivateNamespace_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreatePrivateNamespace_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreatePrivateNamespace_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreatePrivateNamespace_SystemCall_10_0_18363 jmp NtCreatePrivateNamespace_SystemCall_Unknown NtCreatePrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00a1h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 009fh jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 009fh jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 009eh jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 009eh jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00a8h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00a9h jmp NtCreatePrivateNamespace_Epilogue 
NtCreatePrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00ach jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00adh jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00aeh jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00b1h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00b2h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00b3h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00b3h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00b4h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00b4h jmp NtCreatePrivateNamespace_Epilogue NtCreatePrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreatePrivateNamespace_Epilogue: mov r10, rcx syscall ret NtCreatePrivateNamespace ENDP NtCreateProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateProcess_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateProcess_Check_10_0_XXXX jmp NtCreateProcess_SystemCall_Unknown NtCreateProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtCreateProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProcess_SystemCall_6_3_XXXX jmp NtCreateProcess_SystemCall_Unknown NtCreateProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateProcess_SystemCall_6_0_6002 jmp NtCreateProcess_SystemCall_Unknown NtCreateProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateProcess_SystemCall_6_1_7601 jmp NtCreateProcess_SystemCall_Unknown NtCreateProcess_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateProcess_SystemCall_10_0_18363 jmp NtCreateProcess_SystemCall_Unknown NtCreateProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0082h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00a2h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00a0h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_0_6002: 
; Windows Vista SP2 and Server 2008 SP2 mov eax, 00a0h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 009fh jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 009fh jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00a9h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00aah jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00adh jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00aeh jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00afh jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00b2h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00b3h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00b4h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00b4h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00b5h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00b5h jmp NtCreateProcess_Epilogue NtCreateProcess_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateProcess_Epilogue: mov r10, rcx syscall ret NtCreateProcess ENDP NtCreateProcessEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateProcessEx_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtCreateProcessEx_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateProcessEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateProcessEx_Check_10_0_XXXX jmp NtCreateProcessEx_SystemCall_Unknown NtCreateProcessEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateProcessEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateProcessEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProcessEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProcessEx_SystemCall_6_3_XXXX jmp NtCreateProcessEx_SystemCall_Unknown NtCreateProcessEx_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateProcessEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateProcessEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateProcessEx_SystemCall_6_0_6002 jmp NtCreateProcessEx_SystemCall_Unknown NtCreateProcessEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateProcessEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateProcessEx_SystemCall_6_1_7601 jmp NtCreateProcessEx_SystemCall_Unknown NtCreateProcessEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateProcessEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateProcessEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateProcessEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateProcessEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateProcessEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateProcessEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateProcessEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateProcessEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateProcessEx_SystemCall_10_0_18363 jmp NtCreateProcessEx_SystemCall_Unknown NtCreateProcessEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 004ah jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 004ah jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 004ah jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 004ah jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 004ah jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 004ah jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 004bh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 004ch jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 004dh jmp NtCreateProcessEx_Epilogue 
NtCreateProcessEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 004dh jmp NtCreateProcessEx_Epilogue NtCreateProcessEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateProcessEx_Epilogue: mov r10, rcx syscall ret NtCreateProcessEx ENDP NtCreateProfile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateProfile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateProfile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateProfile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateProfile_Check_10_0_XXXX jmp NtCreateProfile_SystemCall_Unknown NtCreateProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateProfile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateProfile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProfile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProfile_SystemCall_6_3_XXXX jmp NtCreateProfile_SystemCall_Unknown NtCreateProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateProfile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateProfile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateProfile_SystemCall_6_0_6002 jmp NtCreateProfile_SystemCall_Unknown NtCreateProfile_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtCreateProfile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateProfile_SystemCall_6_1_7601 jmp NtCreateProfile_SystemCall_Unknown NtCreateProfile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateProfile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateProfile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateProfile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateProfile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateProfile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateProfile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateProfile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateProfile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateProfile_SystemCall_10_0_18363 jmp NtCreateProfile_SystemCall_Unknown NtCreateProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0083h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00a3h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00a1h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00a1h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00a0h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00a0h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00aah jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00abh jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00aeh jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) mov eax, 00afh jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00b0h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00b3h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00b4h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00b5h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00b5h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00b6h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00b6h jmp NtCreateProfile_Epilogue NtCreateProfile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateProfile_Epilogue: mov r10, rcx syscall ret NtCreateProfile ENDP NtCreateProfileEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateProfileEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCreateProfileEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateProfileEx_Check_10_0_XXXX jmp NtCreateProfileEx_SystemCall_Unknown NtCreateProfileEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtCreateProfileEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProfileEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateProfileEx_SystemCall_6_3_XXXX jmp NtCreateProfileEx_SystemCall_Unknown NtCreateProfileEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateProfileEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateProfileEx_SystemCall_6_1_7601 jmp NtCreateProfileEx_SystemCall_Unknown NtCreateProfileEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateProfileEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateProfileEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateProfileEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateProfileEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateProfileEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateProfileEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateProfileEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateProfileEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateProfileEx_SystemCall_10_0_18363 jmp NtCreateProfileEx_SystemCall_Unknown NtCreateProfileEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00a1h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00a1h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00abh jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00ach jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00afh jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00b0h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00b1h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00b4h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00b5h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00b6h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00b6h jmp NtCreateProfileEx_Epilogue 
NtCreateProfileEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00b7h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00b7h jmp NtCreateProfileEx_Epilogue NtCreateProfileEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateProfileEx_Epilogue: mov r10, rcx syscall ret NtCreateProfileEx ENDP NtCreateRegistryTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateRegistryTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtCreateRegistryTransaction_Check_10_0_XXXX jmp NtCreateRegistryTransaction_SystemCall_Unknown NtCreateRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 14393 je NtCreateRegistryTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateRegistryTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateRegistryTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateRegistryTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateRegistryTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateRegistryTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateRegistryTransaction_SystemCall_10_0_18363 jmp NtCreateRegistryTransaction_SystemCall_Unknown NtCreateRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00b2h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00b5h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00b6h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00b7h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov 
eax, 00b7h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00b8h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00b8h jmp NtCreateRegistryTransaction_Epilogue NtCreateRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateRegistryTransaction_Epilogue: mov r10, rcx syscall ret NtCreateRegistryTransaction ENDP NtCreateResourceManager PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateResourceManager_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCreateResourceManager_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateResourceManager_Check_10_0_XXXX jmp NtCreateResourceManager_SystemCall_Unknown NtCreateResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateResourceManager_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateResourceManager_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateResourceManager_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateResourceManager_SystemCall_6_3_XXXX jmp NtCreateResourceManager_SystemCall_Unknown NtCreateResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateResourceManager_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateResourceManager_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateResourceManager_SystemCall_6_0_6002 jmp NtCreateResourceManager_SystemCall_Unknown NtCreateResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateResourceManager_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateResourceManager_SystemCall_6_1_7601 jmp NtCreateResourceManager_SystemCall_Unknown NtCreateResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateResourceManager_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateResourceManager_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateResourceManager_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateResourceManager_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateResourceManager_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateResourceManager_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateResourceManager_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateResourceManager_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateResourceManager_SystemCall_10_0_18363 jmp NtCreateResourceManager_SystemCall_Unknown NtCreateResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00a4h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00a2h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00a2h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00a2h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00a2h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00ach jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00adh jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00b0h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00b1h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) 
mov eax, 00b3h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00b6h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00b7h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00b8h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00b8h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00b9h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00b9h jmp NtCreateResourceManager_Epilogue NtCreateResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateResourceManager_Epilogue: mov r10, rcx syscall ret NtCreateResourceManager ENDP NtCreateSection PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateSection_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateSection_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateSection_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateSection_Check_10_0_XXXX jmp NtCreateSection_SystemCall_Unknown NtCreateSection_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateSection_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateSection_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateSection_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateSection_SystemCall_6_3_XXXX jmp NtCreateSection_SystemCall_Unknown NtCreateSection_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtCreateSection_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateSection_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateSection_SystemCall_6_0_6002 jmp NtCreateSection_SystemCall_Unknown NtCreateSection_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateSection_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateSection_SystemCall_6_1_7601 jmp NtCreateSection_SystemCall_Unknown NtCreateSection_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtCreateSection_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateSection_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateSection_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateSection_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateSection_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateSection_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateSection_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateSection_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateSection_SystemCall_10_0_18363 jmp NtCreateSection_SystemCall_Unknown NtCreateSection_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0047h jmp NtCreateSection_Epilogue NtCreateSection_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0047h jmp NtCreateSection_Epilogue NtCreateSection_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0047h jmp NtCreateSection_Epilogue NtCreateSection_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0047h jmp NtCreateSection_Epilogue NtCreateSection_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0047h jmp NtCreateSection_Epilogue NtCreateSection_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0047h jmp NtCreateSection_Epilogue NtCreateSection_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 
; ---------------------------------------------------------------------------
; Direct system-call stubs (MASM, x64, Microsoft x64 ABI).
; Every PROC below follows the same shape: load the PEB from gs:[60h], walk
; the OS version fields to find the exact major/minor/build, load the
; system-call number for that build into eax, then execute `syscall` here
; rather than calling through ntdll.
;   [rax+118h] = major version   [rax+11ch] = minor version
;   [rax+120h] = build number
; Arguments are passed through untouched except that rcx is copied to r10
; (the kernel reads the first argument from r10 because `syscall` itself
; overwrites rcx). The kernel's result is left in rax.
;
; Review notes that apply to each PROC:
;   * In every *_Check_6_X_XXXX block the second minor-version compare tests
;     the value 2 again, so the *_SystemCall_6_3_XXXX branch is unreachable
;     (in NtCreateTimer2 the single compare against 2 jumps to the 6_3 case).
;   * The *_SystemCall_Unknown path returns with rax still holding the PEB
;     pointer; the caller receives no status value on an unsupported build.
; ---------------------------------------------------------------------------

; --- remainder of NtCreateSection (its dispatch chain begins earlier in the file) ---
        mov     eax, 0048h
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 0049h
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 004ah
        jmp     NtCreateSection_Epilogue
NtCreateSection_SystemCall_Unknown:             ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateSection_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateSection ENDP

;-----------------------------------------------------------------------
; NtCreateSectionEx
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
; Only Windows 10 builds 17763..18363 are mapped here.
;-----------------------------------------------------------------------
NtCreateSectionEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateSectionEx_Check_X_X_XXXX:               ; dispatch on major version
        cmp     dword ptr [rax+118h], 10
        je      NtCreateSectionEx_Check_10_0_XXXX
        jmp     NtCreateSectionEx_SystemCall_Unknown
NtCreateSectionEx_Check_10_0_XXXX:              ; dispatch on Windows 10 build
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateSectionEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateSectionEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateSectionEx_SystemCall_10_0_18363
        jmp     NtCreateSectionEx_SystemCall_Unknown
NtCreateSectionEx_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 00b9h
        jmp     NtCreateSectionEx_Epilogue
NtCreateSectionEx_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 00bah
        jmp     NtCreateSectionEx_Epilogue
NtCreateSectionEx_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 00bah
        jmp     NtCreateSectionEx_Epilogue
NtCreateSectionEx_SystemCall_Unknown:           ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateSectionEx_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateSectionEx ENDP

;-----------------------------------------------------------------------
; NtCreateSemaphore
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
;-----------------------------------------------------------------------
NtCreateSemaphore PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateSemaphore_Check_X_X_XXXX:               ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtCreateSemaphore_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateSemaphore_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateSemaphore_Check_10_0_XXXX
        jmp     NtCreateSemaphore_SystemCall_Unknown
NtCreateSemaphore_Check_6_X_XXXX:               ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateSemaphore_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateSemaphore_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateSemaphore_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateSemaphore_SystemCall_6_3_XXXX
        jmp     NtCreateSemaphore_SystemCall_Unknown
NtCreateSemaphore_Check_6_0_XXXX:               ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateSemaphore_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateSemaphore_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateSemaphore_SystemCall_6_0_6002
        jmp     NtCreateSemaphore_SystemCall_Unknown
NtCreateSemaphore_Check_6_1_XXXX:               ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateSemaphore_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateSemaphore_SystemCall_6_1_7601
        jmp     NtCreateSemaphore_SystemCall_Unknown
NtCreateSemaphore_Check_10_0_XXXX:              ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateSemaphore_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateSemaphore_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateSemaphore_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateSemaphore_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateSemaphore_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateSemaphore_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateSemaphore_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateSemaphore_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateSemaphore_SystemCall_10_0_18363
        jmp     NtCreateSemaphore_SystemCall_Unknown
NtCreateSemaphore_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
        mov     eax, 0084h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 00a5h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a3h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a3h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 00a3h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00a3h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 00adh
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 00aeh
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 00b1h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 00b2h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 00b4h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 00b7h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 00b8h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 00b9h
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 00bah
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 00bbh
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 00bbh
        jmp     NtCreateSemaphore_Epilogue
NtCreateSemaphore_SystemCall_Unknown:           ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateSemaphore_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateSemaphore ENDP

;-----------------------------------------------------------------------
; NtCreateSymbolicLinkObject
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
;-----------------------------------------------------------------------
NtCreateSymbolicLinkObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateSymbolicLinkObject_Check_X_X_XXXX:      ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtCreateSymbolicLinkObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateSymbolicLinkObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateSymbolicLinkObject_Check_10_0_XXXX
        jmp     NtCreateSymbolicLinkObject_SystemCall_Unknown
NtCreateSymbolicLinkObject_Check_6_X_XXXX:      ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateSymbolicLinkObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateSymbolicLinkObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateSymbolicLinkObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateSymbolicLinkObject_SystemCall_6_3_XXXX
        jmp     NtCreateSymbolicLinkObject_SystemCall_Unknown
NtCreateSymbolicLinkObject_Check_6_0_XXXX:      ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateSymbolicLinkObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateSymbolicLinkObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateSymbolicLinkObject_SystemCall_6_0_6002
        jmp     NtCreateSymbolicLinkObject_SystemCall_Unknown
NtCreateSymbolicLinkObject_Check_6_1_XXXX:      ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateSymbolicLinkObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateSymbolicLinkObject_SystemCall_6_1_7601
        jmp     NtCreateSymbolicLinkObject_SystemCall_Unknown
NtCreateSymbolicLinkObject_Check_10_0_XXXX:     ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateSymbolicLinkObject_SystemCall_10_0_18363
        jmp     NtCreateSymbolicLinkObject_SystemCall_Unknown
NtCreateSymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 0085h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 00a6h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a4h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a4h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 00a4h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00a4h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 00aeh
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 00afh
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 00b2h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 00b3h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 00b5h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 00b8h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 00b9h
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 00bah
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 00bbh
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 00bch
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 00bch
        jmp     NtCreateSymbolicLinkObject_Epilogue
NtCreateSymbolicLinkObject_SystemCall_Unknown:  ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateSymbolicLinkObject_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateSymbolicLinkObject ENDP

;-----------------------------------------------------------------------
; NtCreateThread
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
;-----------------------------------------------------------------------
NtCreateThread PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateThread_Check_X_X_XXXX:                  ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtCreateThread_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateThread_Check_10_0_XXXX
        jmp     NtCreateThread_SystemCall_Unknown
NtCreateThread_Check_6_X_XXXX:                  ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateThread_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateThread_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateThread_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateThread_SystemCall_6_3_XXXX
        jmp     NtCreateThread_SystemCall_Unknown
NtCreateThread_Check_6_0_XXXX:                  ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateThread_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateThread_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateThread_SystemCall_6_0_6002
        jmp     NtCreateThread_SystemCall_Unknown
NtCreateThread_Check_6_1_XXXX:                  ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateThread_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateThread_SystemCall_6_1_7601
        jmp     NtCreateThread_SystemCall_Unknown
NtCreateThread_Check_10_0_XXXX:                 ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateThread_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateThread_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateThread_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateThread_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateThread_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateThread_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateThread_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateThread_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateThread_SystemCall_10_0_18363
        jmp     NtCreateThread_SystemCall_Unknown
NtCreateThread_SystemCall_5_X_XXXX:             ; Windows XP and Server 2003
        mov     eax, 004bh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_0_6000:             ; Windows Vista SP0
        mov     eax, 004bh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_0_6001:             ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 004bh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_0_6002:             ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 004bh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_1_7600:             ; Windows 7 SP0
        mov     eax, 004bh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_1_7601:             ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 004bh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_2_XXXX:             ; Windows 8 and Server 2012
        mov     eax, 004ch
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_6_3_XXXX:             ; Windows 8.1 and Server 2012 R2
        mov     eax, 004dh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_10240:           ; Windows 10.0.10240 (1507)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_10586:           ; Windows 10.0.10586 (1511)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_14393:           ; Windows 10.0.14393 (1607)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_15063:           ; Windows 10.0.15063 (1703)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_17763:           ; Windows 10.0.17763 (1809)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_18362:           ; Windows 10.0.18362 (1903)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_10_0_18363:           ; Windows 10.0.18363 (1909)
        mov     eax, 004eh
        jmp     NtCreateThread_Epilogue
NtCreateThread_SystemCall_Unknown:              ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateThread_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateThread ENDP

;-----------------------------------------------------------------------
; NtCreateThreadEx
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
; No major-version-5 case: returns via the Unknown path there.
;-----------------------------------------------------------------------
NtCreateThreadEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateThreadEx_Check_X_X_XXXX:                ; dispatch on major version
        cmp     dword ptr [rax+118h], 6
        je      NtCreateThreadEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateThreadEx_Check_10_0_XXXX
        jmp     NtCreateThreadEx_SystemCall_Unknown
NtCreateThreadEx_Check_6_X_XXXX:                ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateThreadEx_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateThreadEx_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateThreadEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateThreadEx_SystemCall_6_3_XXXX
        jmp     NtCreateThreadEx_SystemCall_Unknown
NtCreateThreadEx_Check_6_0_XXXX:                ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateThreadEx_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateThreadEx_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateThreadEx_SystemCall_6_0_6002
        jmp     NtCreateThreadEx_SystemCall_Unknown
NtCreateThreadEx_Check_6_1_XXXX:                ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateThreadEx_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateThreadEx_SystemCall_6_1_7601
        jmp     NtCreateThreadEx_SystemCall_Unknown
NtCreateThreadEx_Check_10_0_XXXX:               ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateThreadEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateThreadEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateThreadEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateThreadEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateThreadEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateThreadEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateThreadEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateThreadEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateThreadEx_SystemCall_10_0_18363
        jmp     NtCreateThreadEx_SystemCall_Unknown
NtCreateThreadEx_SystemCall_6_0_6000:           ; Windows Vista SP0
        mov     eax, 00a7h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_6_0_6001:           ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a5h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_6_0_6002:           ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a5h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_6_1_7600:           ; Windows 7 SP0
        mov     eax, 00a5h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_6_1_7601:           ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00a5h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_6_2_XXXX:           ; Windows 8 and Server 2012
        mov     eax, 00afh
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_6_3_XXXX:           ; Windows 8.1 and Server 2012 R2
        mov     eax, 00b0h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_10240:         ; Windows 10.0.10240 (1507)
        mov     eax, 00b3h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
        mov     eax, 00b4h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
        mov     eax, 00b6h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
        mov     eax, 00b9h
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
        mov     eax, 00bah
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
        mov     eax, 00bbh
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
        mov     eax, 00bch
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
        mov     eax, 00bdh
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
        mov     eax, 00bdh
        jmp     NtCreateThreadEx_Epilogue
NtCreateThreadEx_SystemCall_Unknown:            ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateThreadEx_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateThreadEx ENDP

;-----------------------------------------------------------------------
; NtCreateTimer
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
;-----------------------------------------------------------------------
NtCreateTimer PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateTimer_Check_X_X_XXXX:                   ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtCreateTimer_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateTimer_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateTimer_Check_10_0_XXXX
        jmp     NtCreateTimer_SystemCall_Unknown
NtCreateTimer_Check_6_X_XXXX:                   ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateTimer_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateTimer_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateTimer_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateTimer_SystemCall_6_3_XXXX
        jmp     NtCreateTimer_SystemCall_Unknown
NtCreateTimer_Check_6_0_XXXX:                   ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateTimer_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateTimer_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateTimer_SystemCall_6_0_6002
        jmp     NtCreateTimer_SystemCall_Unknown
NtCreateTimer_Check_6_1_XXXX:                   ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateTimer_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateTimer_SystemCall_6_1_7601
        jmp     NtCreateTimer_SystemCall_Unknown
NtCreateTimer_Check_10_0_XXXX:                  ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateTimer_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateTimer_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateTimer_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateTimer_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateTimer_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateTimer_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateTimer_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateTimer_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateTimer_SystemCall_10_0_18363
        jmp     NtCreateTimer_SystemCall_Unknown
NtCreateTimer_SystemCall_5_X_XXXX:              ; Windows XP and Server 2003
        mov     eax, 0086h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_0_6000:              ; Windows Vista SP0
        mov     eax, 00a8h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_0_6001:              ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a6h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_0_6002:              ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a6h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_1_7600:              ; Windows 7 SP0
        mov     eax, 00a6h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_1_7601:              ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00a6h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_2_XXXX:              ; Windows 8 and Server 2012
        mov     eax, 00b0h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_6_3_XXXX:              ; Windows 8.1 and Server 2012 R2
        mov     eax, 00b1h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_10240:            ; Windows 10.0.10240 (1507)
        mov     eax, 00b4h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_10586:            ; Windows 10.0.10586 (1511)
        mov     eax, 00b5h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_14393:            ; Windows 10.0.14393 (1607)
        mov     eax, 00b7h
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_15063:            ; Windows 10.0.15063 (1703)
        mov     eax, 00bah
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
        mov     eax, 00bbh
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
        mov     eax, 00bch
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
        mov     eax, 00bdh
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
        mov     eax, 00beh
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
        mov     eax, 00beh
        jmp     NtCreateTimer_Epilogue
NtCreateTimer_SystemCall_Unknown:               ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateTimer_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateTimer ENDP

;-----------------------------------------------------------------------
; NtCreateTimer2
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
; Major version 6 is handled by a single compare of the minor version
; against 2 that jumps to the 6_3 (Windows 8.1) case.
;-----------------------------------------------------------------------
NtCreateTimer2 PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateTimer2_Check_X_X_XXXX:                  ; dispatch on major version
        cmp     dword ptr [rax+118h], 6
        je      NtCreateTimer2_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateTimer2_Check_10_0_XXXX
        jmp     NtCreateTimer2_SystemCall_Unknown
NtCreateTimer2_Check_6_X_XXXX:                  ; minor version
        cmp     dword ptr [rax+11ch], 2         ; minor 2 routes to the 6_3 case
        je      NtCreateTimer2_SystemCall_6_3_XXXX
        jmp     NtCreateTimer2_SystemCall_Unknown
NtCreateTimer2_Check_10_0_XXXX:                 ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateTimer2_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateTimer2_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateTimer2_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateTimer2_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateTimer2_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateTimer2_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateTimer2_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateTimer2_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateTimer2_SystemCall_10_0_18363
        jmp     NtCreateTimer2_SystemCall_Unknown
NtCreateTimer2_SystemCall_6_3_XXXX:             ; Windows 8.1 and Server 2012 R2
        mov     eax, 00b2h
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_10240:           ; Windows 10.0.10240 (1507)
        mov     eax, 00b5h
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_10586:           ; Windows 10.0.10586 (1511)
        mov     eax, 00b6h
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_14393:           ; Windows 10.0.14393 (1607)
        mov     eax, 00b8h
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_15063:           ; Windows 10.0.15063 (1703)
        mov     eax, 00bbh
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
        mov     eax, 00bch
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
        mov     eax, 00bdh
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_17763:           ; Windows 10.0.17763 (1809)
        mov     eax, 00beh
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_18362:           ; Windows 10.0.18362 (1903)
        mov     eax, 00bfh
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_10_0_18363:           ; Windows 10.0.18363 (1909)
        mov     eax, 00bfh
        jmp     NtCreateTimer2_Epilogue
NtCreateTimer2_SystemCall_Unknown:              ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateTimer2_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateTimer2 ENDP

;-----------------------------------------------------------------------
; NtCreateToken
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
;-----------------------------------------------------------------------
NtCreateToken PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateToken_Check_X_X_XXXX:                   ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtCreateToken_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtCreateToken_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateToken_Check_10_0_XXXX
        jmp     NtCreateToken_SystemCall_Unknown
NtCreateToken_Check_6_X_XXXX:                   ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateToken_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateToken_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateToken_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateToken_SystemCall_6_3_XXXX
        jmp     NtCreateToken_SystemCall_Unknown
NtCreateToken_Check_6_0_XXXX:                   ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateToken_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateToken_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateToken_SystemCall_6_0_6002
        jmp     NtCreateToken_SystemCall_Unknown
NtCreateToken_Check_6_1_XXXX:                   ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateToken_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateToken_SystemCall_6_1_7601
        jmp     NtCreateToken_SystemCall_Unknown
NtCreateToken_Check_10_0_XXXX:                  ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateToken_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateToken_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateToken_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateToken_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateToken_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateToken_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateToken_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateToken_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateToken_SystemCall_10_0_18363
        jmp     NtCreateToken_SystemCall_Unknown
NtCreateToken_SystemCall_5_X_XXXX:              ; Windows XP and Server 2003
        mov     eax, 0087h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_0_6000:              ; Windows Vista SP0
        mov     eax, 00a9h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_0_6001:              ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a7h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_0_6002:              ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a7h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_1_7600:              ; Windows 7 SP0
        mov     eax, 00a7h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_1_7601:              ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00a7h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_2_XXXX:              ; Windows 8 and Server 2012
        mov     eax, 00b1h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_6_3_XXXX:              ; Windows 8.1 and Server 2012 R2
        mov     eax, 00b3h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_10240:            ; Windows 10.0.10240 (1507)
        mov     eax, 00b6h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_10586:            ; Windows 10.0.10586 (1511)
        mov     eax, 00b7h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_14393:            ; Windows 10.0.14393 (1607)
        mov     eax, 00b9h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_15063:            ; Windows 10.0.15063 (1703)
        mov     eax, 00bch
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
        mov     eax, 00bdh
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
        mov     eax, 00beh
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
        mov     eax, 00bfh
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
        mov     eax, 00c0h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
        mov     eax, 00c0h
        jmp     NtCreateToken_Epilogue
NtCreateToken_SystemCall_Unknown:               ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateToken_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateToken ENDP

;-----------------------------------------------------------------------
; NtCreateTokenEx
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
; Major version 6 only maps minor 2 (and the unreachable 6_3 case).
;-----------------------------------------------------------------------
NtCreateTokenEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateTokenEx_Check_X_X_XXXX:                 ; dispatch on major version
        cmp     dword ptr [rax+118h], 6
        je      NtCreateTokenEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateTokenEx_Check_10_0_XXXX
        jmp     NtCreateTokenEx_SystemCall_Unknown
NtCreateTokenEx_Check_6_X_XXXX:                 ; minor version
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateTokenEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateTokenEx_SystemCall_6_3_XXXX
        jmp     NtCreateTokenEx_SystemCall_Unknown
NtCreateTokenEx_Check_10_0_XXXX:                ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateTokenEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateTokenEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateTokenEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateTokenEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateTokenEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateTokenEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateTokenEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateTokenEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateTokenEx_SystemCall_10_0_18363
        jmp     NtCreateTokenEx_SystemCall_Unknown
NtCreateTokenEx_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 00b2h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 00b4h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 00b7h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 00b8h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 00bah
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 00bdh
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 00beh
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 00bfh
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 00c0h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 00c1h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 00c1h
        jmp     NtCreateTokenEx_Epilogue
NtCreateTokenEx_SystemCall_Unknown:             ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateTokenEx_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateTokenEx ENDP

;-----------------------------------------------------------------------
; NtCreateTransaction
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
; No major-version-5 case: returns via the Unknown path there.
;-----------------------------------------------------------------------
NtCreateTransaction PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateTransaction_Check_X_X_XXXX:             ; dispatch on major version
        cmp     dword ptr [rax+118h], 6
        je      NtCreateTransaction_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateTransaction_Check_10_0_XXXX
        jmp     NtCreateTransaction_SystemCall_Unknown
NtCreateTransaction_Check_6_X_XXXX:             ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateTransaction_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateTransaction_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateTransaction_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateTransaction_SystemCall_6_3_XXXX
        jmp     NtCreateTransaction_SystemCall_Unknown
NtCreateTransaction_Check_6_0_XXXX:             ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateTransaction_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateTransaction_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateTransaction_SystemCall_6_0_6002
        jmp     NtCreateTransaction_SystemCall_Unknown
NtCreateTransaction_Check_6_1_XXXX:             ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateTransaction_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateTransaction_SystemCall_6_1_7601
        jmp     NtCreateTransaction_SystemCall_Unknown
NtCreateTransaction_Check_10_0_XXXX:            ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateTransaction_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateTransaction_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateTransaction_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateTransaction_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateTransaction_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateTransaction_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateTransaction_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateTransaction_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateTransaction_SystemCall_10_0_18363
        jmp     NtCreateTransaction_SystemCall_Unknown
NtCreateTransaction_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 00aah
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a8h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a8h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 00a8h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00a8h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 00b3h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 00b5h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 00b8h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 00b9h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 00bbh
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 00beh
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 00bfh
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 00c0h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 00c1h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 00c2h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 00c2h
        jmp     NtCreateTransaction_Epilogue
NtCreateTransaction_SystemCall_Unknown:         ; Unknown/unsupported version.
        ret                                     ; rax still = PEB pointer
NtCreateTransaction_Epilogue:
        mov     r10, rcx                        ; first argument travels in r10
        syscall                                 ; clobbers rcx, r11
        ret
NtCreateTransaction ENDP

;-----------------------------------------------------------------------
; NtCreateTransactionManager (the procedure continues past this point)
; In:    rcx, rdx, r8, r9 (+ stack) = arguments as for the native call
; Out:   rax = kernel result; on an unsupported version rax = PEB pointer
; Clobb: rax, r10, rcx, r11, flags
; No major-version-5 case: returns via the Unknown path there.
;-----------------------------------------------------------------------
NtCreateTransactionManager PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtCreateTransactionManager_Check_X_X_XXXX:      ; dispatch on major version
        cmp     dword ptr [rax+118h], 6
        je      NtCreateTransactionManager_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtCreateTransactionManager_Check_10_0_XXXX
        jmp     NtCreateTransactionManager_SystemCall_Unknown
NtCreateTransactionManager_Check_6_X_XXXX:      ; minor version: Vista / 7 / 8
        cmp     dword ptr [rax+11ch], 0
        je      NtCreateTransactionManager_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtCreateTransactionManager_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtCreateTransactionManager_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2         ; same value as the compare above
        je      NtCreateTransactionManager_SystemCall_6_3_XXXX
        jmp     NtCreateTransactionManager_SystemCall_Unknown
NtCreateTransactionManager_Check_6_0_XXXX:      ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtCreateTransactionManager_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtCreateTransactionManager_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtCreateTransactionManager_SystemCall_6_0_6002
        jmp     NtCreateTransactionManager_SystemCall_Unknown
NtCreateTransactionManager_Check_6_1_XXXX:      ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtCreateTransactionManager_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtCreateTransactionManager_SystemCall_6_1_7601
        jmp     NtCreateTransactionManager_SystemCall_Unknown
NtCreateTransactionManager_Check_10_0_XXXX:     ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtCreateTransactionManager_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtCreateTransactionManager_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtCreateTransactionManager_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtCreateTransactionManager_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtCreateTransactionManager_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtCreateTransactionManager_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtCreateTransactionManager_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtCreateTransactionManager_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtCreateTransactionManager_SystemCall_10_0_18363
        jmp     NtCreateTransactionManager_SystemCall_Unknown
NtCreateTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 00abh
        jmp     NtCreateTransactionManager_Epilogue
NtCreateTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00a9h
        jmp     NtCreateTransactionManager_Epilogue
NtCreateTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00a9h
        jmp     NtCreateTransactionManager_Epilogue
NtCreateTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 00a9h
        jmp     NtCreateTransactionManager_Epilogue
NtCreateTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00a9h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00b4h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00b6h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00b9h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00bah jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00bch jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00bfh jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c0h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c1h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00c2h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c3h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c3h jmp NtCreateTransactionManager_Epilogue NtCreateTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateTransactionManager_Epilogue: mov r10, rcx syscall ret NtCreateTransactionManager ENDP NtCreateUserProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateUserProcess_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtCreateUserProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateUserProcess_Check_10_0_XXXX jmp NtCreateUserProcess_SystemCall_Unknown NtCreateUserProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateUserProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateUserProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateUserProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateUserProcess_SystemCall_6_3_XXXX jmp NtCreateUserProcess_SystemCall_Unknown NtCreateUserProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateUserProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateUserProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateUserProcess_SystemCall_6_0_6002 jmp NtCreateUserProcess_SystemCall_Unknown NtCreateUserProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateUserProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateUserProcess_SystemCall_6_1_7601 jmp NtCreateUserProcess_SystemCall_Unknown NtCreateUserProcess_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateUserProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateUserProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateUserProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateUserProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateUserProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateUserProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateUserProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateUserProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateUserProcess_SystemCall_10_0_18363 jmp NtCreateUserProcess_SystemCall_Unknown NtCreateUserProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00ach jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00aah jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00aah jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00aah jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00aah jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00b5h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00b7h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00bah jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00bbh jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00bdh jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 
(1703) mov eax, 00c0h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c1h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c2h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00c3h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c4h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c4h jmp NtCreateUserProcess_Epilogue NtCreateUserProcess_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateUserProcess_Epilogue: mov r10, rcx syscall ret NtCreateUserProcess ENDP NtCreateWaitCompletionPacket PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateWaitCompletionPacket_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCreateWaitCompletionPacket_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateWaitCompletionPacket_Check_10_0_XXXX jmp NtCreateWaitCompletionPacket_SystemCall_Unknown NtCreateWaitCompletionPacket_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtCreateWaitCompletionPacket_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateWaitCompletionPacket_SystemCall_6_3_XXXX jmp NtCreateWaitCompletionPacket_SystemCall_Unknown NtCreateWaitCompletionPacket_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateWaitCompletionPacket_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateWaitCompletionPacket_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateWaitCompletionPacket_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateWaitCompletionPacket_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateWaitCompletionPacket_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateWaitCompletionPacket_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateWaitCompletionPacket_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateWaitCompletionPacket_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateWaitCompletionPacket_SystemCall_10_0_18363 jmp NtCreateWaitCompletionPacket_SystemCall_Unknown NtCreateWaitCompletionPacket_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00b6h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00b8h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00bbh jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00bch jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00beh jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00c1h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c2h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c3h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_17763: ; Windows 10.0.17763 
(1809) mov eax, 00c4h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c5h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c5h jmp NtCreateWaitCompletionPacket_Epilogue NtCreateWaitCompletionPacket_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateWaitCompletionPacket_Epilogue: mov r10, rcx syscall ret NtCreateWaitCompletionPacket ENDP NtCreateWaitablePort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateWaitablePort_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtCreateWaitablePort_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtCreateWaitablePort_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateWaitablePort_Check_10_0_XXXX jmp NtCreateWaitablePort_SystemCall_Unknown NtCreateWaitablePort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateWaitablePort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateWaitablePort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateWaitablePort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateWaitablePort_SystemCall_6_3_XXXX jmp NtCreateWaitablePort_SystemCall_Unknown NtCreateWaitablePort_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateWaitablePort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateWaitablePort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateWaitablePort_SystemCall_6_0_6002 jmp NtCreateWaitablePort_SystemCall_Unknown NtCreateWaitablePort_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateWaitablePort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateWaitablePort_SystemCall_6_1_7601 jmp NtCreateWaitablePort_SystemCall_Unknown NtCreateWaitablePort_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateWaitablePort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateWaitablePort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateWaitablePort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateWaitablePort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateWaitablePort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateWaitablePort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateWaitablePort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateWaitablePort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateWaitablePort_SystemCall_10_0_18363 jmp NtCreateWaitablePort_SystemCall_Unknown NtCreateWaitablePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0088h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00adh jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00abh jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00abh jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00abh jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00abh jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00b7h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00b9h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00bch jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00bdh jmp NtCreateWaitablePort_Epilogue 
NtCreateWaitablePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00bfh jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00c2h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c3h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c4h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00c5h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c6h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c6h jmp NtCreateWaitablePort_Epilogue NtCreateWaitablePort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateWaitablePort_Epilogue: mov r10, rcx syscall ret NtCreateWaitablePort ENDP NtCreateWnfStateName PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateWnfStateName_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCreateWnfStateName_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateWnfStateName_Check_10_0_XXXX jmp NtCreateWnfStateName_SystemCall_Unknown NtCreateWnfStateName_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtCreateWnfStateName_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateWnfStateName_SystemCall_6_3_XXXX jmp NtCreateWnfStateName_SystemCall_Unknown NtCreateWnfStateName_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateWnfStateName_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateWnfStateName_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateWnfStateName_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateWnfStateName_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateWnfStateName_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateWnfStateName_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateWnfStateName_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateWnfStateName_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateWnfStateName_SystemCall_10_0_18363 jmp NtCreateWnfStateName_SystemCall_Unknown NtCreateWnfStateName_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00b8h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00bah jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00bdh jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00beh jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00c0h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00c3h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c4h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c5h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00c6h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c7h jmp NtCreateWnfStateName_Epilogue 
NtCreateWnfStateName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c7h jmp NtCreateWnfStateName_Epilogue NtCreateWnfStateName_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateWnfStateName_Epilogue: mov r10, rcx syscall ret NtCreateWnfStateName ENDP NtCreateWorkerFactory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtCreateWorkerFactory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtCreateWorkerFactory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtCreateWorkerFactory_Check_10_0_XXXX jmp NtCreateWorkerFactory_SystemCall_Unknown NtCreateWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtCreateWorkerFactory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtCreateWorkerFactory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateWorkerFactory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtCreateWorkerFactory_SystemCall_6_3_XXXX jmp NtCreateWorkerFactory_SystemCall_Unknown NtCreateWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtCreateWorkerFactory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtCreateWorkerFactory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtCreateWorkerFactory_SystemCall_6_0_6002 jmp NtCreateWorkerFactory_SystemCall_Unknown NtCreateWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtCreateWorkerFactory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtCreateWorkerFactory_SystemCall_6_1_7601 jmp NtCreateWorkerFactory_SystemCall_Unknown NtCreateWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtCreateWorkerFactory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtCreateWorkerFactory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtCreateWorkerFactory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtCreateWorkerFactory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtCreateWorkerFactory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtCreateWorkerFactory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtCreateWorkerFactory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtCreateWorkerFactory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtCreateWorkerFactory_SystemCall_10_0_18363 jmp NtCreateWorkerFactory_SystemCall_Unknown NtCreateWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00aeh jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00ach jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00ach jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00ach jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00ach jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00b9h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00bbh jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00beh jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00bfh jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00c1h jmp NtCreateWorkerFactory_Epilogue 
NtCreateWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00c4h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c5h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c6h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00c7h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c8h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c8h jmp NtCreateWorkerFactory_Epilogue NtCreateWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtCreateWorkerFactory_Epilogue: mov r10, rcx syscall ret NtCreateWorkerFactory ENDP NtDebugActiveProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDebugActiveProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtDebugActiveProcess_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtDebugActiveProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDebugActiveProcess_Check_10_0_XXXX jmp NtDebugActiveProcess_SystemCall_Unknown NtDebugActiveProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtDebugActiveProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtDebugActiveProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDebugActiveProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDebugActiveProcess_SystemCall_6_3_XXXX jmp NtDebugActiveProcess_SystemCall_Unknown NtDebugActiveProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtDebugActiveProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDebugActiveProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDebugActiveProcess_SystemCall_6_0_6002 jmp NtDebugActiveProcess_SystemCall_Unknown NtDebugActiveProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtDebugActiveProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDebugActiveProcess_SystemCall_6_1_7601 jmp NtDebugActiveProcess_SystemCall_Unknown NtDebugActiveProcess_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtDebugActiveProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDebugActiveProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDebugActiveProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDebugActiveProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDebugActiveProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDebugActiveProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDebugActiveProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDebugActiveProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDebugActiveProcess_SystemCall_10_0_18363 jmp NtDebugActiveProcess_SystemCall_Unknown NtDebugActiveProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0089h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00afh jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00adh jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00adh jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00adh jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_1_7601: 
; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00adh jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00bah jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00bch jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00bfh jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00c0h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00c2h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00c5h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00c6h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00c7h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00c8h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00c9h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00c9h jmp NtDebugActiveProcess_Epilogue NtDebugActiveProcess_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDebugActiveProcess_Epilogue: mov r10, rcx syscall ret NtDebugActiveProcess ENDP NtDebugContinue PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDebugContinue_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtDebugContinue_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtDebugContinue_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDebugContinue_Check_10_0_XXXX jmp NtDebugContinue_SystemCall_Unknown NtDebugContinue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtDebugContinue_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtDebugContinue_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDebugContinue_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDebugContinue_SystemCall_6_3_XXXX jmp NtDebugContinue_SystemCall_Unknown NtDebugContinue_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtDebugContinue_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDebugContinue_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDebugContinue_SystemCall_6_0_6002 jmp NtDebugContinue_SystemCall_Unknown NtDebugContinue_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtDebugContinue_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDebugContinue_SystemCall_6_1_7601 jmp NtDebugContinue_SystemCall_Unknown NtDebugContinue_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtDebugContinue_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDebugContinue_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDebugContinue_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDebugContinue_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDebugContinue_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDebugContinue_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDebugContinue_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDebugContinue_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDebugContinue_SystemCall_10_0_18363 jmp NtDebugContinue_SystemCall_Unknown NtDebugContinue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 008ah jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00b0h jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00aeh jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00aeh jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00aeh jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00aeh jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00bbh jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00bdh jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00c0h jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00c1h jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00c3h jmp NtDebugContinue_Epilogue NtDebugContinue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 
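00c6h
        jmp     NtDebugContinue_Epilogue
NtDebugContinue_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 00c7h
        jmp     NtDebugContinue_Epilogue
NtDebugContinue_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 00c8h
        jmp     NtDebugContinue_Epilogue
NtDebugContinue_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 00c9h
        jmp     NtDebugContinue_Epilogue
NtDebugContinue_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 00cah
        jmp     NtDebugContinue_Epilogue
NtDebugContinue_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 00cah
        jmp     NtDebugContinue_Epilogue
NtDebugContinue_SystemCall_Unknown:             ; Unknown/unsupported version.
        ret
NtDebugContinue_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtDebugContinue ENDP

; NTSTATUS handed back when the running OS version/build is not in a
; stub's table. Defining it here with the same value as ntstatus.h is
; harmless if the file already has it.
STATUS_NOT_IMPLEMENTED  EQU     0C0000002h

;-----------------------------------------------------------------------
; SYSCALL_STUB  stub_name, nr_xp,
;               nr_6000, nr_6001, nr_6002, nr_7600, nr_7601, nr_62, nr_63,
;               nr_10240, nr_10586, nr_14393, nr_15063, nr_16299,
;               nr_17134, nr_17763, nr_18362, nr_18363
;
; Emits one exported x64 PROC named stub_name that picks the system
; service number for the running OS and issues SYSCALL itself instead of
; calling into ntdll.  The version comes from the PEB (gs:[60h]):
; OSMajorVersion at +118h, OSMinorVersion at +11ch, OSBuildNumber at
; +120h.  NOTE(review): these are the values the loader publishes for
; this process; if an app-compat shim or manifest rewrites them the wrong
; service number is selected -- confirm for the deployment target.
;
; Parameters are the service number for, in order:
;   nr_xp                       Windows XP / Server 2003.  Pass <> when the
;                               service does not exist there; major version
;                               5 then takes the unknown path.
;   nr_6000 nr_6001 nr_6002     Vista SP0 / Vista SP1 + Server 2008 SP0 /
;                               Vista SP2 + Server 2008 SP2
;   nr_7600 nr_7601             Windows 7 SP0 / Windows 7 SP1 + 2008 R2
;   nr_62 nr_63                 Windows 8 + 2012 / Windows 8.1 + 2012 R2
;   nr_10240 .. nr_18363        Windows 10 1507 1511 1607 1703 1709 1803
;                               1809 1903 1909, keyed by build number
;
; ABI:    Microsoft x64.  rcx, rdx, r8, r9 and any stack arguments are
;         forwarded untouched; the kernel reads the first argument from r10.
; Out:    eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when
;         the version/build is not in the table.  Builds newer than 18363
;         are not in the table and take that path.
; Clobb:  rax, r10; rcx and r11 are overwritten by SYSCALL itself.
;
; Two fixes relative to the hand-expanded stubs this replaces:
;   * Windows 8.1 is OSMinorVersion 3; the old code compared against 2
;     twice, so the 8.1 branch was dead and 8.1 fell through to unknown.
;   * The unknown path used to 'ret' with rax still holding the PEB
;     pointer.  Its low dword is a positive value, which NT_SUCCESS()
;     reads as success, so callers carried on as if the call had worked.
;-----------------------------------------------------------------------
SYSCALL_STUB MACRO stub_name:REQ, nr_xp, \
        nr_6000:REQ, nr_6001:REQ, nr_6002:REQ, nr_7600:REQ, nr_7601:REQ, \
        nr_62:REQ, nr_63:REQ, \
        nr_10240:REQ, nr_10586:REQ, nr_14393:REQ, nr_15063:REQ, nr_16299:REQ, \
        nr_17134:REQ, nr_17763:REQ, nr_18362:REQ, nr_18363:REQ
    LOCAL check_6_x, check_6_0, check_6_1, check_10_0, unknown, done
    LOCAL sc_xp, sc_6000, sc_6001, sc_6002, sc_7600, sc_7601, sc_62, sc_63
    LOCAL sc_10240, sc_10586, sc_14393, sc_15063, sc_16299, sc_17134
    LOCAL sc_17763, sc_18362, sc_18363
stub_name PROC
        mov     rax, gs:[60h]                   ; rax = PEB

        ; PEB.OSMajorVersion
IFNB <nr_xp>
        cmp     dword ptr [rax+118h], 5         ; 5.x = XP / Server 2003
        je      sc_xp
ENDIF
        cmp     dword ptr [rax+118h], 6         ; 6.x = Vista .. 8.1
        je      check_6_x
        cmp     dword ptr [rax+118h], 10        ; 10.0 = Windows 10
        je      check_10_0
        jmp     unknown

check_6_x:
        ; PEB.OSMinorVersion selects the 6.x release.
        cmp     dword ptr [rax+11ch], 0
        je      check_6_0
        cmp     dword ptr [rax+11ch], 1
        je      check_6_1
        cmp     dword ptr [rax+11ch], 2
        je      sc_62
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 / 2012 R2
        je      sc_63
        jmp     unknown

check_6_0:
        ; PEB.OSBuildNumber for Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      sc_6000
        cmp     dword ptr [rax+120h], 6001
        je      sc_6001
        cmp     dword ptr [rax+120h], 6002
        je      sc_6002
        jmp     unknown

check_6_1:
        ; PEB.OSBuildNumber for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      sc_7600
        cmp     dword ptr [rax+120h], 7601
        je      sc_7601
        jmp     unknown

check_10_0:
        ; PEB.OSBuildNumber for Windows 10.
        cmp     dword ptr [rax+120h], 10240     ; 1507
        je      sc_10240
        cmp     dword ptr [rax+120h], 10586     ; 1511
        je      sc_10586
        cmp     dword ptr [rax+120h], 14393     ; 1607
        je      sc_14393
        cmp     dword ptr [rax+120h], 15063     ; 1703
        je      sc_15063
        cmp     dword ptr [rax+120h], 16299     ; 1709
        je      sc_16299
        cmp     dword ptr [rax+120h], 17134     ; 1803
        je      sc_17134
        cmp     dword ptr [rax+120h], 17763     ; 1809
        je      sc_17763
        cmp     dword ptr [rax+120h], 18362     ; 1903
        je      sc_18362
        cmp     dword ptr [rax+120h], 18363     ; 1909
        je      sc_18363
        jmp     unknown

IFNB <nr_xp>
sc_xp:
        mov     eax, nr_xp
        jmp     done
ENDIF
sc_6000:
        mov     eax, nr_6000
        jmp     done
sc_6001:
        mov     eax, nr_6001
        jmp     done
sc_6002:
        mov     eax, nr_6002
        jmp     done
sc_7600:
        mov     eax, nr_7600
        jmp     done
sc_7601:
        mov     eax, nr_7601
        jmp     done
sc_62:
        mov     eax, nr_62
        jmp     done
sc_63:
        mov     eax, nr_63
        jmp     done
sc_10240:
        mov     eax, nr_10240
        jmp     done
sc_10586:
        mov     eax, nr_10586
        jmp     done
sc_14393:
        mov     eax, nr_14393
        jmp     done
sc_15063:
        mov     eax, nr_15063
        jmp     done
sc_16299:
        mov     eax, nr_16299
        jmp     done
sc_17134:
        mov     eax, nr_17134
        jmp     done
sc_17763:
        mov     eax, nr_17763
        jmp     done
sc_18362:
        mov     eax, nr_18362
        jmp     done
sc_18363:
        mov     eax, nr_18363
        jmp     done

unknown:
        ; Return a real failure status rather than the PEB pointer left in rax.
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret

done:
        mov     r10, rcx                        ; SYSCALL takes the first argument in r10
        syscall
        ret
stub_name ENDP
ENDM

; Service numbers below are transcribed from the previous per-version
; stubs.  Column order:
;   name, XP/2003,
;   Vista 6000, 6001, 6002, Win7 7600, 7601, Win8, Win8.1,
;   Win10 10240, 10586, 14393, 15063, 16299, 17134, 17763, 18362, 18363

SYSCALL_STUB NtDelayExecution, 0031h, \
        0031h, 0031h, 0031h, 0031h, 0031h, 0032h, 0033h, \
        0034h, 0034h, 0034h, 0034h, 0034h, 0034h, 0034h, 0034h, 0034h

SYSCALL_STUB NtDeleteAtom, 008bh, \
        00b1h, 00afh, 00afh, 00afh, 00afh, 00bch, 00beh, \
        00c1h, 00c2h, 00c4h, 00c7h, 00c8h, 00c9h, 00cah, 00cbh, 00cbh

SYSCALL_STUB NtDeleteBootEntry, 008ch, \
        00b2h, 00b0h, 00b0h, 00b0h, 00b0h, 00bdh, 00bfh, \
        00c2h, 00c3h, 00c5h, 00c8h, 00c9h, 00cah, 00cbh, 00cch, 00cch

SYSCALL_STUB NtDeleteDriverEntry, 008dh, \
        00b3h, 00b1h, 00b1h, 00b1h, 00b1h, 00beh, 00c0h, \
        00c3h, 00c4h, 00c6h, 00c9h, 00cah, 00cbh, 00cch, 00cdh, 00cdh

SYSCALL_STUB NtDeleteFile, 008eh, \
        00b4h, 00b2h, 00b2h, 00b2h, 00b2h, 00bfh, 00c1h, \
        00c4h, 00c5h, 00c7h, 00cah, 00cbh, 00cch, 00cdh, 00ceh, 00ceh

SYSCALL_STUB NtDeleteKey, 008fh, \
        00b5h, 00b3h, 00b3h, 00b3h, 00b3h, 00c0h, 00c2h, \
        00c5h, 00c6h, 00c8h, 00cbh, 00cch, 00cdh, 00ceh, 00cfh, 00cfh

SYSCALL_STUB NtDeleteObjectAuditAlarm, 0090h, \
        00b6h, 00b4h, 00b4h, 00b4h, 00b4h, 00c1h, 00c3h, \
        00c6h, 00c7h, 00c9h, 00cch, 00cdh, 00ceh, 00cfh, 00d0h, 00d0h

; NtDeletePrivateNamespace has no XP / Server 2003 service number.
SYSCALL_STUB NtDeletePrivateNamespace, <>, \
        00b7h, 00b5h, 00b5h, 00b5h, 00b5h, 00c2h, 00c4h, \
        00c7h, 00c8h, 00cah, 00cdh, 00ceh, 00cfh, 00d0h, 00d1h, 00d1h

NtDeleteValueKey PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX.
NtDeleteValueKey_Check_X_X_XXXX:                ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtDeleteValueKey_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtDeleteValueKey_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtDeleteValueKey_Check_10_0_XXXX
        jmp     NtDeleteValueKey_SystemCall_Unknown
NtDeleteValueKey_Check_6_X_XXXX:                ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtDeleteValueKey_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtDeleteValueKey_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtDeleteValueKey_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtDeleteValueKey_SystemCall_6_3_XXXX
        jmp     NtDeleteValueKey_SystemCall_Unknown
NtDeleteValueKey_Check_6_0_XXXX:                ; Check build number for Windows Vista.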
cmp dword ptr [rax+120h], 6000 je NtDeleteValueKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDeleteValueKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDeleteValueKey_SystemCall_6_0_6002 jmp NtDeleteValueKey_SystemCall_Unknown NtDeleteValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtDeleteValueKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDeleteValueKey_SystemCall_6_1_7601 jmp NtDeleteValueKey_SystemCall_Unknown NtDeleteValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtDeleteValueKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDeleteValueKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDeleteValueKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDeleteValueKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDeleteValueKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDeleteValueKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDeleteValueKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDeleteValueKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDeleteValueKey_SystemCall_10_0_18363 jmp NtDeleteValueKey_SystemCall_Unknown NtDeleteValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0091h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00b8h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00b6h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00b6h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00b6h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00b6h jmp NtDeleteValueKey_Epilogue 
NtDeleteValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c3h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00c5h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00c8h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00c9h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00cbh jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00ceh jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00cfh jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d0h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d1h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d2h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d2h jmp NtDeleteValueKey_Epilogue NtDeleteValueKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDeleteValueKey_Epilogue: mov r10, rcx syscall ret NtDeleteValueKey ENDP NtDeleteWnfStateData PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDeleteWnfStateData_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtDeleteWnfStateData_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDeleteWnfStateData_Check_10_0_XXXX jmp NtDeleteWnfStateData_SystemCall_Unknown NtDeleteWnfStateData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 2 je NtDeleteWnfStateData_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDeleteWnfStateData_SystemCall_6_3_XXXX jmp NtDeleteWnfStateData_SystemCall_Unknown NtDeleteWnfStateData_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtDeleteWnfStateData_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDeleteWnfStateData_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDeleteWnfStateData_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDeleteWnfStateData_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDeleteWnfStateData_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDeleteWnfStateData_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDeleteWnfStateData_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDeleteWnfStateData_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDeleteWnfStateData_SystemCall_10_0_18363 jmp NtDeleteWnfStateData_SystemCall_Unknown NtDeleteWnfStateData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c4h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00c6h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00c9h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00cah jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00cch jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00cfh jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d0h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d1h jmp NtDeleteWnfStateData_Epilogue 
NtDeleteWnfStateData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d2h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d3h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d3h jmp NtDeleteWnfStateData_Epilogue NtDeleteWnfStateData_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDeleteWnfStateData_Epilogue: mov r10, rcx syscall ret NtDeleteWnfStateData ENDP NtDeleteWnfStateName PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDeleteWnfStateName_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtDeleteWnfStateName_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDeleteWnfStateName_Check_10_0_XXXX jmp NtDeleteWnfStateName_SystemCall_Unknown NtDeleteWnfStateName_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtDeleteWnfStateName_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDeleteWnfStateName_SystemCall_6_3_XXXX jmp NtDeleteWnfStateName_SystemCall_Unknown NtDeleteWnfStateName_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtDeleteWnfStateName_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDeleteWnfStateName_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDeleteWnfStateName_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDeleteWnfStateName_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDeleteWnfStateName_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDeleteWnfStateName_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDeleteWnfStateName_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDeleteWnfStateName_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDeleteWnfStateName_SystemCall_10_0_18363 jmp NtDeleteWnfStateName_SystemCall_Unknown NtDeleteWnfStateName_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c5h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00c7h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00cah jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00cbh jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00cdh jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d0h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d1h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d2h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d3h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d4h jmp NtDeleteWnfStateName_Epilogue 
NtDeleteWnfStateName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d4h jmp NtDeleteWnfStateName_Epilogue NtDeleteWnfStateName_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDeleteWnfStateName_Epilogue: mov r10, rcx syscall ret NtDeleteWnfStateName ENDP NtDeviceIoControlFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDeviceIoControlFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtDeviceIoControlFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtDeviceIoControlFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDeviceIoControlFile_Check_10_0_XXXX jmp NtDeviceIoControlFile_SystemCall_Unknown NtDeviceIoControlFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtDeviceIoControlFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtDeviceIoControlFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDeviceIoControlFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDeviceIoControlFile_SystemCall_6_3_XXXX jmp NtDeviceIoControlFile_SystemCall_Unknown NtDeviceIoControlFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtDeviceIoControlFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDeviceIoControlFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDeviceIoControlFile_SystemCall_6_0_6002 jmp NtDeviceIoControlFile_SystemCall_Unknown NtDeviceIoControlFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtDeviceIoControlFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDeviceIoControlFile_SystemCall_6_1_7601 jmp NtDeviceIoControlFile_SystemCall_Unknown NtDeviceIoControlFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtDeviceIoControlFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDeviceIoControlFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDeviceIoControlFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDeviceIoControlFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDeviceIoControlFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDeviceIoControlFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDeviceIoControlFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDeviceIoControlFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDeviceIoControlFile_SystemCall_10_0_18363 jmp NtDeviceIoControlFile_SystemCall_Unknown NtDeviceIoControlFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0004h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0004h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0004h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0004h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0004h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0004h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0005h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0006h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue 
NtDeviceIoControlFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0007h jmp NtDeviceIoControlFile_Epilogue NtDeviceIoControlFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDeviceIoControlFile_Epilogue: mov r10, rcx syscall ret NtDeviceIoControlFile ENDP NtDisableLastKnownGood PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDisableLastKnownGood_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtDisableLastKnownGood_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDisableLastKnownGood_Check_10_0_XXXX jmp NtDisableLastKnownGood_SystemCall_Unknown NtDisableLastKnownGood_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtDisableLastKnownGood_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDisableLastKnownGood_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDisableLastKnownGood_SystemCall_6_3_XXXX jmp NtDisableLastKnownGood_SystemCall_Unknown NtDisableLastKnownGood_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtDisableLastKnownGood_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDisableLastKnownGood_SystemCall_6_1_7601 jmp NtDisableLastKnownGood_SystemCall_Unknown NtDisableLastKnownGood_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtDisableLastKnownGood_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDisableLastKnownGood_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDisableLastKnownGood_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDisableLastKnownGood_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDisableLastKnownGood_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDisableLastKnownGood_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDisableLastKnownGood_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDisableLastKnownGood_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDisableLastKnownGood_SystemCall_10_0_18363 jmp NtDisableLastKnownGood_SystemCall_Unknown NtDisableLastKnownGood_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00b7h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00b7h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c6h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00c8h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00cbh jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00cch jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00ceh jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 
00d1h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d2h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d3h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d4h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d5h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d5h jmp NtDisableLastKnownGood_Epilogue NtDisableLastKnownGood_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDisableLastKnownGood_Epilogue: mov r10, rcx syscall ret NtDisableLastKnownGood ENDP NtDisplayString PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDisplayString_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtDisplayString_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtDisplayString_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDisplayString_Check_10_0_XXXX jmp NtDisplayString_SystemCall_Unknown NtDisplayString_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtDisplayString_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtDisplayString_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDisplayString_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDisplayString_SystemCall_6_3_XXXX jmp NtDisplayString_SystemCall_Unknown NtDisplayString_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtDisplayString_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDisplayString_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDisplayString_SystemCall_6_0_6002 jmp NtDisplayString_SystemCall_Unknown NtDisplayString_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtDisplayString_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDisplayString_SystemCall_6_1_7601 jmp NtDisplayString_SystemCall_Unknown NtDisplayString_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtDisplayString_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDisplayString_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDisplayString_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDisplayString_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDisplayString_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDisplayString_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDisplayString_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDisplayString_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDisplayString_SystemCall_10_0_18363 jmp NtDisplayString_SystemCall_Unknown NtDisplayString_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0092h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00b9h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00b7h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00b7h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00b8h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00b8h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c7h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00c9h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00cch jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) mov eax, 00cdh jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00cfh jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d2h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d3h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d4h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d5h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d6h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d6h jmp NtDisplayString_Epilogue NtDisplayString_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDisplayString_Epilogue: mov r10, rcx syscall ret NtDisplayString ENDP NtDrawText PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDrawText_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtDrawText_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDrawText_Check_10_0_XXXX jmp NtDrawText_SystemCall_Unknown NtDrawText_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtDrawText_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDrawText_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDrawText_SystemCall_6_3_XXXX jmp NtDrawText_SystemCall_Unknown NtDrawText_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtDrawText_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDrawText_SystemCall_6_1_7601 jmp NtDrawText_SystemCall_Unknown NtDrawText_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtDrawText_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDrawText_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDrawText_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDrawText_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDrawText_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDrawText_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDrawText_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDrawText_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDrawText_SystemCall_10_0_18363 jmp NtDrawText_SystemCall_Unknown NtDrawText_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00b9h jmp NtDrawText_Epilogue NtDrawText_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00b9h jmp NtDrawText_Epilogue NtDrawText_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c8h jmp NtDrawText_Epilogue NtDrawText_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00cah jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00cdh jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00ceh jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00d0h jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d3h jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d4h jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d5h jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d6h jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d7h jmp NtDrawText_Epilogue NtDrawText_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d7h jmp NtDrawText_Epilogue NtDrawText_SystemCall_Unknown: ; 
Unknown/unsupported version. ret NtDrawText_Epilogue: mov r10, rcx syscall ret NtDrawText ENDP NtDuplicateObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDuplicateObject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtDuplicateObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtDuplicateObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDuplicateObject_Check_10_0_XXXX jmp NtDuplicateObject_SystemCall_Unknown NtDuplicateObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtDuplicateObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtDuplicateObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDuplicateObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDuplicateObject_SystemCall_6_3_XXXX jmp NtDuplicateObject_SystemCall_Unknown NtDuplicateObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtDuplicateObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDuplicateObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDuplicateObject_SystemCall_6_0_6002 jmp NtDuplicateObject_SystemCall_Unknown NtDuplicateObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtDuplicateObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDuplicateObject_SystemCall_6_1_7601 jmp NtDuplicateObject_SystemCall_Unknown NtDuplicateObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtDuplicateObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDuplicateObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDuplicateObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDuplicateObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDuplicateObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDuplicateObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDuplicateObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDuplicateObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDuplicateObject_SystemCall_10_0_18363 jmp NtDuplicateObject_SystemCall_Unknown NtDuplicateObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0039h jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0039h jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0039h jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0039h jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0039h jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0039h jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 003ah jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 003bh jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 003ch jmp NtDuplicateObject_Epilogue 
NtDuplicateObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 003ch jmp NtDuplicateObject_Epilogue NtDuplicateObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDuplicateObject_Epilogue: mov r10, rcx syscall ret NtDuplicateObject ENDP NtDuplicateToken PROC mov rax, gs:[60h] ; Load PEB into RAX. NtDuplicateToken_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtDuplicateToken_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtDuplicateToken_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtDuplicateToken_Check_10_0_XXXX jmp NtDuplicateToken_SystemCall_Unknown NtDuplicateToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtDuplicateToken_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtDuplicateToken_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtDuplicateToken_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtDuplicateToken_SystemCall_6_3_XXXX jmp NtDuplicateToken_SystemCall_Unknown NtDuplicateToken_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtDuplicateToken_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtDuplicateToken_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtDuplicateToken_SystemCall_6_0_6002 jmp NtDuplicateToken_SystemCall_Unknown NtDuplicateToken_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtDuplicateToken_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtDuplicateToken_SystemCall_6_1_7601 jmp NtDuplicateToken_SystemCall_Unknown NtDuplicateToken_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtDuplicateToken_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtDuplicateToken_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtDuplicateToken_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtDuplicateToken_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtDuplicateToken_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtDuplicateToken_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtDuplicateToken_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtDuplicateToken_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtDuplicateToken_SystemCall_10_0_18363 jmp NtDuplicateToken_SystemCall_Unknown NtDuplicateToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 003fh jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 003fh jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 003fh jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 003fh jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 003fh jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 003fh jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0040h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0041h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0042h jmp NtDuplicateToken_Epilogue 
NtDuplicateToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0042h jmp NtDuplicateToken_Epilogue NtDuplicateToken_SystemCall_Unknown: ; Unknown/unsupported version. ret NtDuplicateToken_Epilogue: mov r10, rcx syscall ret NtDuplicateToken ENDP NtEnableLastKnownGood PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnableLastKnownGood_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtEnableLastKnownGood_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnableLastKnownGood_Check_10_0_XXXX jmp NtEnableLastKnownGood_SystemCall_Unknown NtEnableLastKnownGood_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtEnableLastKnownGood_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnableLastKnownGood_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnableLastKnownGood_SystemCall_6_3_XXXX jmp NtEnableLastKnownGood_SystemCall_Unknown NtEnableLastKnownGood_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtEnableLastKnownGood_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnableLastKnownGood_SystemCall_6_1_7601 jmp NtEnableLastKnownGood_SystemCall_Unknown NtEnableLastKnownGood_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtEnableLastKnownGood_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnableLastKnownGood_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnableLastKnownGood_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnableLastKnownGood_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnableLastKnownGood_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnableLastKnownGood_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnableLastKnownGood_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnableLastKnownGood_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnableLastKnownGood_SystemCall_10_0_18363 jmp NtEnableLastKnownGood_SystemCall_Unknown NtEnableLastKnownGood_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00bah jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00bah jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00c9h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00cbh jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00ceh jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00cfh jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00d1h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d4h jmp 
NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d5h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d6h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d7h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d8h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d8h jmp NtEnableLastKnownGood_Epilogue NtEnableLastKnownGood_SystemCall_Unknown: ; Unknown/unsupported version. ret NtEnableLastKnownGood_Epilogue: mov r10, rcx syscall ret NtEnableLastKnownGood ENDP NtEnumerateBootEntries PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnumerateBootEntries_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtEnumerateBootEntries_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtEnumerateBootEntries_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnumerateBootEntries_Check_10_0_XXXX jmp NtEnumerateBootEntries_SystemCall_Unknown NtEnumerateBootEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtEnumerateBootEntries_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtEnumerateBootEntries_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateBootEntries_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateBootEntries_SystemCall_6_3_XXXX jmp NtEnumerateBootEntries_SystemCall_Unknown NtEnumerateBootEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtEnumerateBootEntries_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtEnumerateBootEntries_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtEnumerateBootEntries_SystemCall_6_0_6002 jmp NtEnumerateBootEntries_SystemCall_Unknown NtEnumerateBootEntries_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtEnumerateBootEntries_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnumerateBootEntries_SystemCall_6_1_7601 jmp NtEnumerateBootEntries_SystemCall_Unknown NtEnumerateBootEntries_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtEnumerateBootEntries_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnumerateBootEntries_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnumerateBootEntries_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnumerateBootEntries_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnumerateBootEntries_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnumerateBootEntries_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnumerateBootEntries_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnumerateBootEntries_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnumerateBootEntries_SystemCall_10_0_18363 jmp NtEnumerateBootEntries_SystemCall_Unknown NtEnumerateBootEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0093h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00bah jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00b8h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00b8h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00bbh jmp 
NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00bbh jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00cah jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00cch jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00cfh jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00d0h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00d2h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d5h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d6h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d7h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d8h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00d9h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00d9h jmp NtEnumerateBootEntries_Epilogue NtEnumerateBootEntries_SystemCall_Unknown: ; Unknown/unsupported version. ret NtEnumerateBootEntries_Epilogue: mov r10, rcx syscall ret NtEnumerateBootEntries ENDP NtEnumerateDriverEntries PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnumerateDriverEntries_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtEnumerateDriverEntries_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtEnumerateDriverEntries_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnumerateDriverEntries_Check_10_0_XXXX jmp NtEnumerateDriverEntries_SystemCall_Unknown NtEnumerateDriverEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtEnumerateDriverEntries_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtEnumerateDriverEntries_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateDriverEntries_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateDriverEntries_SystemCall_6_3_XXXX jmp NtEnumerateDriverEntries_SystemCall_Unknown NtEnumerateDriverEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtEnumerateDriverEntries_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtEnumerateDriverEntries_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtEnumerateDriverEntries_SystemCall_6_0_6002 jmp NtEnumerateDriverEntries_SystemCall_Unknown NtEnumerateDriverEntries_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtEnumerateDriverEntries_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnumerateDriverEntries_SystemCall_6_1_7601 jmp NtEnumerateDriverEntries_SystemCall_Unknown NtEnumerateDriverEntries_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtEnumerateDriverEntries_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnumerateDriverEntries_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnumerateDriverEntries_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnumerateDriverEntries_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnumerateDriverEntries_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnumerateDriverEntries_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnumerateDriverEntries_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnumerateDriverEntries_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnumerateDriverEntries_SystemCall_10_0_18363 jmp NtEnumerateDriverEntries_SystemCall_Unknown NtEnumerateDriverEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0094h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00bbh jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00b9h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00b9h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00bch jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00bch jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00cbh jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00cdh jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00d0h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_10586: 
; Windows 10.0.10586 (1511) mov eax, 00d1h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00d3h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d6h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d7h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d8h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00d9h jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00dah jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00dah jmp NtEnumerateDriverEntries_Epilogue NtEnumerateDriverEntries_SystemCall_Unknown: ; Unknown/unsupported version. ret NtEnumerateDriverEntries_Epilogue: mov r10, rcx syscall ret NtEnumerateDriverEntries ENDP NtEnumerateKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnumerateKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtEnumerateKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtEnumerateKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnumerateKey_Check_10_0_XXXX jmp NtEnumerateKey_SystemCall_Unknown NtEnumerateKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtEnumerateKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtEnumerateKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateKey_SystemCall_6_3_XXXX jmp NtEnumerateKey_SystemCall_Unknown NtEnumerateKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtEnumerateKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtEnumerateKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtEnumerateKey_SystemCall_6_0_6002 jmp NtEnumerateKey_SystemCall_Unknown NtEnumerateKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtEnumerateKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnumerateKey_SystemCall_6_1_7601 jmp NtEnumerateKey_SystemCall_Unknown NtEnumerateKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtEnumerateKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnumerateKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnumerateKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnumerateKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnumerateKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnumerateKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnumerateKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnumerateKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnumerateKey_SystemCall_10_0_18363 jmp NtEnumerateKey_SystemCall_Unknown NtEnumerateKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 002fh jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 002fh jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 002fh jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 002fh jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 002fh jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 002fh jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0030h jmp 
NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0031h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0032h jmp NtEnumerateKey_Epilogue NtEnumerateKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtEnumerateKey_Epilogue: mov r10, rcx syscall ret NtEnumerateKey ENDP NtEnumerateSystemEnvironmentValuesEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnumerateSystemEnvironmentValuesEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtEnumerateSystemEnvironmentValuesEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnumerateSystemEnvironmentValuesEx_Check_10_0_XXXX jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown NtEnumerateSystemEnvironmentValuesEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtEnumerateSystemEnvironmentValuesEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtEnumerateSystemEnvironmentValuesEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_3_XXXX jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown NtEnumerateSystemEnvironmentValuesEx_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6002 jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown NtEnumerateSystemEnvironmentValuesEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7601 jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown NtEnumerateSystemEnvironmentValuesEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18363 jmp NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown NtEnumerateSystemEnvironmentValuesEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0095h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00bch jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00bah jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00bah jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00bdh jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00bdh jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00cch jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue 
NtEnumerateSystemEnvironmentValuesEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00ceh jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00d1h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00d2h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00d4h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d7h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d8h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00d9h jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00dah jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00dbh jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00dbh jmp NtEnumerateSystemEnvironmentValuesEx_Epilogue NtEnumerateSystemEnvironmentValuesEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtEnumerateSystemEnvironmentValuesEx_Epilogue: mov r10, rcx syscall ret NtEnumerateSystemEnvironmentValuesEx ENDP NtEnumerateTransactionObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnumerateTransactionObject_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtEnumerateTransactionObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnumerateTransactionObject_Check_10_0_XXXX jmp NtEnumerateTransactionObject_SystemCall_Unknown NtEnumerateTransactionObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtEnumerateTransactionObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtEnumerateTransactionObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateTransactionObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateTransactionObject_SystemCall_6_3_XXXX jmp NtEnumerateTransactionObject_SystemCall_Unknown NtEnumerateTransactionObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtEnumerateTransactionObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtEnumerateTransactionObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtEnumerateTransactionObject_SystemCall_6_0_6002 jmp NtEnumerateTransactionObject_SystemCall_Unknown NtEnumerateTransactionObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtEnumerateTransactionObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnumerateTransactionObject_SystemCall_6_1_7601 jmp NtEnumerateTransactionObject_SystemCall_Unknown NtEnumerateTransactionObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtEnumerateTransactionObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnumerateTransactionObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnumerateTransactionObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnumerateTransactionObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnumerateTransactionObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnumerateTransactionObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnumerateTransactionObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnumerateTransactionObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnumerateTransactionObject_SystemCall_10_0_18363 jmp NtEnumerateTransactionObject_SystemCall_Unknown NtEnumerateTransactionObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00bdh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00bbh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00bbh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00beh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00beh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00cdh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00cfh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00d2h jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) mov eax, 00d3h jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00d5h jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00d8h jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00d9h jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00dah jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00dbh jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00dch jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00dch jmp NtEnumerateTransactionObject_Epilogue NtEnumerateTransactionObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtEnumerateTransactionObject_Epilogue: mov r10, rcx syscall ret NtEnumerateTransactionObject ENDP NtEnumerateValueKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtEnumerateValueKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtEnumerateValueKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtEnumerateValueKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtEnumerateValueKey_Check_10_0_XXXX jmp NtEnumerateValueKey_SystemCall_Unknown NtEnumerateValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtEnumerateValueKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtEnumerateValueKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateValueKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtEnumerateValueKey_SystemCall_6_3_XXXX jmp NtEnumerateValueKey_SystemCall_Unknown NtEnumerateValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtEnumerateValueKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtEnumerateValueKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtEnumerateValueKey_SystemCall_6_0_6002 jmp NtEnumerateValueKey_SystemCall_Unknown NtEnumerateValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtEnumerateValueKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtEnumerateValueKey_SystemCall_6_1_7601 jmp NtEnumerateValueKey_SystemCall_Unknown NtEnumerateValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtEnumerateValueKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtEnumerateValueKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtEnumerateValueKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtEnumerateValueKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtEnumerateValueKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtEnumerateValueKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtEnumerateValueKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtEnumerateValueKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtEnumerateValueKey_SystemCall_10_0_18363 jmp NtEnumerateValueKey_SystemCall_Unknown NtEnumerateValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0010h jmp NtEnumerateValueKey_Epilogue NtEnumerateValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0010h jmp NtEnumerateValueKey_Epilogue NtEnumerateValueKey_SystemCall_6_0_6001: 
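; Windows Vista SP1 and Server 2008 SP0 (label on the line above) falls through
; to the shared 0010h stub: Vista SP1/SP2 and Windows 7 use the same number.
NtEnumerateValueKey_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
NtEnumerateValueKey_SystemCall_6_1_7600:        ; Windows 7 SP0
NtEnumerateValueKey_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0010h
        jmp     NtEnumerateValueKey_Epilogue
NtEnumerateValueKey_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 0011h
        jmp     NtEnumerateValueKey_Epilogue
NtEnumerateValueKey_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 0012h
        jmp     NtEnumerateValueKey_Epilogue
NtEnumerateValueKey_SystemCall_10_0_10240:      ; Windows 10 1507 .. 1909 share 0013h
NtEnumerateValueKey_SystemCall_10_0_10586:
NtEnumerateValueKey_SystemCall_10_0_14393:
NtEnumerateValueKey_SystemCall_10_0_15063:
NtEnumerateValueKey_SystemCall_10_0_16299:
NtEnumerateValueKey_SystemCall_10_0_17134:
NtEnumerateValueKey_SystemCall_10_0_17763:
NtEnumerateValueKey_SystemCall_10_0_18362:
NtEnumerateValueKey_SystemCall_10_0_18363:
        mov     eax, 0013h
        jmp     NtEnumerateValueKey_Epilogue
NtEnumerateValueKey_SystemCall_Unknown:         ; no number known for this OS
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; rax was the PEB pointer
        ret
NtEnumerateValueKey_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall                                 ; rax = syscall number
        ret
NtEnumerateValueKey ENDP

;-----------------------------------------------------------------------
; Version-dispatched direct syscall stubs (Microsoft x64 ABI).
;
; Each stub reads the OS version the loader stored in this process's PEB,
; selects the syscall number recorded for that exact build, moves the first
; argument from rcx into r10 (the syscall convention) and executes
; `syscall`. The remaining arguments stay in rdx, r8, r9 and on the stack,
; untouched, exactly as the ntdll export would receive them; the kernel's
; NTSTATUS comes back in rax. `syscall` itself clobbers rcx and r11.
;
; Two corrections versus the generated code these stubs were derived from:
;   * the Windows 8.1 branch compared OSMinorVersion against 2 a second
;     time instead of 3, so version 6.3 always fell through to the Unknown
;     path and never issued the syscall;
;   * the Unknown path returned with rax still holding the PEB pointer,
;     which callers would interpret as an NTSTATUS (and, depending on the
;     low 32 bits, possibly as success); it now returns a defined failure,
;     STATUS_NOT_IMPLEMENTED.
;
; Builds not listed (Windows 10 19041 and later, Windows 11, any unlisted
; service pack) take the Unknown path rather than guessing a number.
; NOTE(review): the PEB version fields are whatever the loader placed there;
; application-compatibility (version-lie) shims are reported to alter them,
; which would select the wrong number — confirm on shimmed/compat-mode
; processes before relying on these stubs there.
;-----------------------------------------------------------------------
PEB_OSMAJORVERSION      EQU 118h                ; PEB.OSMajorVersion (dword)
PEB_OSMINORVERSION      EQU 11ch                ; PEB.OSMinorVersion (dword)
PEB_OSBUILDNUMBER       EQU 120h                ; PEB.OSBuildNumber  (dword)
STATUS_NOT_IMPLEMENTED  EQU 0C0000002h          ; returned from every Unknown path

;-----------------------------------------------------------------------
; NtExtendSection — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtExtendSection PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtExtendSection_Check_X_X_XXXX:                 ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 5
        je      NtExtendSection_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtExtendSection_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtExtendSection_Check_10_0_XXXX
        jmp     NtExtendSection_SystemCall_Unknown
NtExtendSection_Check_6_X_XXXX:                 ; minor version: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 0
        je      NtExtendSection_Check_6_0_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 1
        je      NtExtendSection_Check_6_1_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtExtendSection_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtExtendSection_SystemCall_6_3_XXXX
        jmp     NtExtendSection_SystemCall_Unknown
NtExtendSection_Check_6_0_XXXX:                 ; Vista build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6000
        je      NtExtendSection_SystemCall_6_0_6000
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6001
        je      NtExtendSection_SystemCall_6_0_6001
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6002
        je      NtExtendSection_SystemCall_6_0_6002
        jmp     NtExtendSection_SystemCall_Unknown
NtExtendSection_Check_6_1_XXXX:                 ; Windows 7 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7600
        je      NtExtendSection_SystemCall_6_1_7600
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7601
        je      NtExtendSection_SystemCall_6_1_7601
        jmp     NtExtendSection_SystemCall_Unknown
NtExtendSection_Check_10_0_XXXX:                ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtExtendSection_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtExtendSection_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtExtendSection_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtExtendSection_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtExtendSection_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtExtendSection_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtExtendSection_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtExtendSection_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtExtendSection_SystemCall_10_0_18363
        jmp     NtExtendSection_SystemCall_Unknown
NtExtendSection_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
        mov     eax, 0096h
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_6_0_6000:            ; Windows Vista SP0
        mov     eax, 00beh
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
NtExtendSection_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00bch
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_6_1_7600:            ; Windows 7 SP0
NtExtendSection_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00bfh
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 00ceh
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d0h
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_10240:          ; Windows 10 1507
        mov     eax, 00d3h
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_10586:          ; Windows 10 1511
        mov     eax, 00d4h
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_14393:          ; Windows 10 1607
        mov     eax, 00d6h
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_15063:          ; Windows 10 1703
        mov     eax, 00d9h
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_16299:          ; Windows 10 1709
        mov     eax, 00dah
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_17134:          ; Windows 10 1803
        mov     eax, 00dbh
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_17763:          ; Windows 10 1809
        mov     eax, 00dch
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_10_0_18362:          ; Windows 10 1903
NtExtendSection_SystemCall_10_0_18363:          ; Windows 10 1909
        mov     eax, 00ddh
        jmp     NtExtendSection_Epilogue
NtExtendSection_SystemCall_Unknown:             ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED     ; never return the PEB pointer as a status
        ret
NtExtendSection_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall                                 ; rax = syscall number
        ret
NtExtendSection ENDP

;-----------------------------------------------------------------------
; NtFilterBootOption — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; No entry exists before Windows 8; older systems take the Unknown path.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFilterBootOption PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFilterBootOption_Check_X_X_XXXX:              ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFilterBootOption_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFilterBootOption_Check_10_0_XXXX
        jmp     NtFilterBootOption_SystemCall_Unknown
NtFilterBootOption_Check_6_X_XXXX:              ; minor version: 8 / 8.1 only
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFilterBootOption_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFilterBootOption_SystemCall_6_3_XXXX
        jmp     NtFilterBootOption_SystemCall_Unknown
NtFilterBootOption_Check_10_0_XXXX:             ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFilterBootOption_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFilterBootOption_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFilterBootOption_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFilterBootOption_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFilterBootOption_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFilterBootOption_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFilterBootOption_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFilterBootOption_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFilterBootOption_SystemCall_10_0_18363
        jmp     NtFilterBootOption_SystemCall_Unknown
NtFilterBootOption_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 00cfh
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d1h
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_10240:       ; Windows 10 1507
        mov     eax, 00d4h
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_10586:       ; Windows 10 1511
        mov     eax, 00d5h
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_14393:       ; Windows 10 1607
        mov     eax, 00d7h
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_15063:       ; Windows 10 1703
        mov     eax, 00dah
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_16299:       ; Windows 10 1709
        mov     eax, 00dbh
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_17134:       ; Windows 10 1803
        mov     eax, 00dch
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_17763:       ; Windows 10 1809
        mov     eax, 00ddh
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_10_0_18362:       ; Windows 10 1903
NtFilterBootOption_SystemCall_10_0_18363:       ; Windows 10 1909
        mov     eax, 00deh
        jmp     NtFilterBootOption_Epilogue
NtFilterBootOption_SystemCall_Unknown:          ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFilterBootOption_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFilterBootOption ENDP

;-----------------------------------------------------------------------
; NtFilterToken — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFilterToken PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFilterToken_Check_X_X_XXXX:                   ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 5
        je      NtFilterToken_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFilterToken_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFilterToken_Check_10_0_XXXX
        jmp     NtFilterToken_SystemCall_Unknown
NtFilterToken_Check_6_X_XXXX:                   ; minor version: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 0
        je      NtFilterToken_Check_6_0_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 1
        je      NtFilterToken_Check_6_1_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFilterToken_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFilterToken_SystemCall_6_3_XXXX
        jmp     NtFilterToken_SystemCall_Unknown
NtFilterToken_Check_6_0_XXXX:                   ; Vista build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6000
        je      NtFilterToken_SystemCall_6_0_6000
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6001
        je      NtFilterToken_SystemCall_6_0_6001
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6002
        je      NtFilterToken_SystemCall_6_0_6002
        jmp     NtFilterToken_SystemCall_Unknown
NtFilterToken_Check_6_1_XXXX:                   ; Windows 7 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7600
        je      NtFilterToken_SystemCall_6_1_7600
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7601
        je      NtFilterToken_SystemCall_6_1_7601
        jmp     NtFilterToken_SystemCall_Unknown
NtFilterToken_Check_10_0_XXXX:                  ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFilterToken_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFilterToken_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFilterToken_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFilterToken_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFilterToken_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFilterToken_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFilterToken_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFilterToken_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFilterToken_SystemCall_10_0_18363
        jmp     NtFilterToken_SystemCall_Unknown
NtFilterToken_SystemCall_5_X_XXXX:              ; Windows XP and Server 2003
        mov     eax, 0097h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_6_0_6000:              ; Windows Vista SP0
        mov     eax, 00bfh
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_6_0_6001:              ; Windows Vista SP1 and Server 2008 SP0
NtFilterToken_SystemCall_6_0_6002:              ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00bdh
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_6_1_7600:              ; Windows 7 SP0
NtFilterToken_SystemCall_6_1_7601:              ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00c0h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_6_2_XXXX:              ; Windows 8 and Server 2012
        mov     eax, 00d0h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_6_3_XXXX:              ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d2h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_10240:            ; Windows 10 1507
        mov     eax, 00d5h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_10586:            ; Windows 10 1511
        mov     eax, 00d6h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_14393:            ; Windows 10 1607
        mov     eax, 00d8h
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_15063:            ; Windows 10 1703
        mov     eax, 00dbh
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_16299:            ; Windows 10 1709
        mov     eax, 00dch
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_17134:            ; Windows 10 1803
        mov     eax, 00ddh
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_17763:            ; Windows 10 1809
        mov     eax, 00deh
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_10_0_18362:            ; Windows 10 1903
NtFilterToken_SystemCall_10_0_18363:            ; Windows 10 1909
        mov     eax, 00dfh
        jmp     NtFilterToken_Epilogue
NtFilterToken_SystemCall_Unknown:               ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFilterToken_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFilterToken ENDP

;-----------------------------------------------------------------------
; NtFilterTokenEx — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; No entry exists before Windows 8; older systems take the Unknown path.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFilterTokenEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFilterTokenEx_Check_X_X_XXXX:                 ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFilterTokenEx_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFilterTokenEx_Check_10_0_XXXX
        jmp     NtFilterTokenEx_SystemCall_Unknown
NtFilterTokenEx_Check_6_X_XXXX:                 ; minor version: 8 / 8.1 only
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFilterTokenEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFilterTokenEx_SystemCall_6_3_XXXX
        jmp     NtFilterTokenEx_SystemCall_Unknown
NtFilterTokenEx_Check_10_0_XXXX:                ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFilterTokenEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFilterTokenEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFilterTokenEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFilterTokenEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFilterTokenEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFilterTokenEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFilterTokenEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFilterTokenEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFilterTokenEx_SystemCall_10_0_18363
        jmp     NtFilterTokenEx_SystemCall_Unknown
NtFilterTokenEx_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 00d1h
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d3h
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_10240:          ; Windows 10 1507
        mov     eax, 00d6h
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_10586:          ; Windows 10 1511
        mov     eax, 00d7h
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_14393:          ; Windows 10 1607
        mov     eax, 00d9h
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_15063:          ; Windows 10 1703
        mov     eax, 00dch
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_16299:          ; Windows 10 1709
        mov     eax, 00ddh
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_17134:          ; Windows 10 1803
        mov     eax, 00deh
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_17763:          ; Windows 10 1809
        mov     eax, 00dfh
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_10_0_18362:          ; Windows 10 1903
NtFilterTokenEx_SystemCall_10_0_18363:          ; Windows 10 1909
        mov     eax, 00e0h
        jmp     NtFilterTokenEx_Epilogue
NtFilterTokenEx_SystemCall_Unknown:             ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFilterTokenEx_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFilterTokenEx ENDP

;-----------------------------------------------------------------------
; NtFindAtom — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFindAtom PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFindAtom_Check_X_X_XXXX:                      ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 5
        je      NtFindAtom_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFindAtom_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFindAtom_Check_10_0_XXXX
        jmp     NtFindAtom_SystemCall_Unknown
NtFindAtom_Check_6_X_XXXX:                      ; minor version: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 0
        je      NtFindAtom_Check_6_0_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 1
        je      NtFindAtom_Check_6_1_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFindAtom_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFindAtom_SystemCall_6_3_XXXX
        jmp     NtFindAtom_SystemCall_Unknown
NtFindAtom_Check_6_0_XXXX:                      ; Vista build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6000
        je      NtFindAtom_SystemCall_6_0_6000
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6001
        je      NtFindAtom_SystemCall_6_0_6001
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6002
        je      NtFindAtom_SystemCall_6_0_6002
        jmp     NtFindAtom_SystemCall_Unknown
NtFindAtom_Check_6_1_XXXX:                      ; Windows 7 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7600
        je      NtFindAtom_SystemCall_6_1_7600
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7601
        je      NtFindAtom_SystemCall_6_1_7601
        jmp     NtFindAtom_SystemCall_Unknown
NtFindAtom_Check_10_0_XXXX:                     ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFindAtom_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFindAtom_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFindAtom_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFindAtom_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFindAtom_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFindAtom_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFindAtom_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFindAtom_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFindAtom_SystemCall_10_0_18363
        jmp     NtFindAtom_SystemCall_Unknown
NtFindAtom_SystemCall_5_X_XXXX:                 ; Windows XP and Server 2003
NtFindAtom_SystemCall_6_0_6000:                 ; Windows Vista SP0
NtFindAtom_SystemCall_6_0_6001:                 ; Windows Vista SP1 and Server 2008 SP0
NtFindAtom_SystemCall_6_0_6002:                 ; Windows Vista SP2 and Server 2008 SP2
NtFindAtom_SystemCall_6_1_7600:                 ; Windows 7 SP0
NtFindAtom_SystemCall_6_1_7601:                 ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0011h                      ; XP through Windows 7 share one number
        jmp     NtFindAtom_Epilogue
NtFindAtom_SystemCall_6_2_XXXX:                 ; Windows 8 and Server 2012
        mov     eax, 0012h
        jmp     NtFindAtom_Epilogue
NtFindAtom_SystemCall_6_3_XXXX:                 ; Windows 8.1 and Server 2012 R2
        mov     eax, 0013h
        jmp     NtFindAtom_Epilogue
NtFindAtom_SystemCall_10_0_10240:               ; Windows 10 1507 .. 1909 share 0014h
NtFindAtom_SystemCall_10_0_10586:
NtFindAtom_SystemCall_10_0_14393:
NtFindAtom_SystemCall_10_0_15063:
NtFindAtom_SystemCall_10_0_16299:
NtFindAtom_SystemCall_10_0_17134:
NtFindAtom_SystemCall_10_0_17763:
NtFindAtom_SystemCall_10_0_18362:
NtFindAtom_SystemCall_10_0_18363:
        mov     eax, 0014h
        jmp     NtFindAtom_Epilogue
NtFindAtom_SystemCall_Unknown:                  ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFindAtom_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFindAtom ENDP

;-----------------------------------------------------------------------
; NtFlushBuffersFile — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFlushBuffersFile PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFlushBuffersFile_Check_X_X_XXXX:              ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 5
        je      NtFlushBuffersFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFlushBuffersFile_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFlushBuffersFile_Check_10_0_XXXX
        jmp     NtFlushBuffersFile_SystemCall_Unknown
NtFlushBuffersFile_Check_6_X_XXXX:              ; minor version: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 0
        je      NtFlushBuffersFile_Check_6_0_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 1
        je      NtFlushBuffersFile_Check_6_1_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFlushBuffersFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFlushBuffersFile_SystemCall_6_3_XXXX
        jmp     NtFlushBuffersFile_SystemCall_Unknown
NtFlushBuffersFile_Check_6_0_XXXX:              ; Vista build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6000
        je      NtFlushBuffersFile_SystemCall_6_0_6000
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6001
        je      NtFlushBuffersFile_SystemCall_6_0_6001
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6002
        je      NtFlushBuffersFile_SystemCall_6_0_6002
        jmp     NtFlushBuffersFile_SystemCall_Unknown
NtFlushBuffersFile_Check_6_1_XXXX:              ; Windows 7 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7600
        je      NtFlushBuffersFile_SystemCall_6_1_7600
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7601
        je      NtFlushBuffersFile_SystemCall_6_1_7601
        jmp     NtFlushBuffersFile_SystemCall_Unknown
NtFlushBuffersFile_Check_10_0_XXXX:             ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFlushBuffersFile_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFlushBuffersFile_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFlushBuffersFile_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFlushBuffersFile_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFlushBuffersFile_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFlushBuffersFile_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFlushBuffersFile_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFlushBuffersFile_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFlushBuffersFile_SystemCall_10_0_18363
        jmp     NtFlushBuffersFile_SystemCall_Unknown
NtFlushBuffersFile_SystemCall_5_X_XXXX:         ; Windows XP and Server 2003
NtFlushBuffersFile_SystemCall_6_0_6000:         ; Windows Vista SP0
NtFlushBuffersFile_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
NtFlushBuffersFile_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
NtFlushBuffersFile_SystemCall_6_1_7600:         ; Windows 7 SP0
NtFlushBuffersFile_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0048h                      ; XP through Windows 7 share one number
        jmp     NtFlushBuffersFile_Epilogue
NtFlushBuffersFile_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 0049h
        jmp     NtFlushBuffersFile_Epilogue
NtFlushBuffersFile_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 004ah
        jmp     NtFlushBuffersFile_Epilogue
NtFlushBuffersFile_SystemCall_10_0_10240:       ; Windows 10 1507 .. 1909 share 004bh
NtFlushBuffersFile_SystemCall_10_0_10586:
NtFlushBuffersFile_SystemCall_10_0_14393:
NtFlushBuffersFile_SystemCall_10_0_15063:
NtFlushBuffersFile_SystemCall_10_0_16299:
NtFlushBuffersFile_SystemCall_10_0_17134:
NtFlushBuffersFile_SystemCall_10_0_17763:
NtFlushBuffersFile_SystemCall_10_0_18362:
NtFlushBuffersFile_SystemCall_10_0_18363:
        mov     eax, 004bh
        jmp     NtFlushBuffersFile_Epilogue
NtFlushBuffersFile_SystemCall_Unknown:          ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFlushBuffersFile_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFlushBuffersFile ENDP

;-----------------------------------------------------------------------
; NtFlushBuffersFileEx — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; No entry exists before Windows 8; older systems take the Unknown path.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFlushBuffersFileEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFlushBuffersFileEx_Check_X_X_XXXX:            ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFlushBuffersFileEx_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFlushBuffersFileEx_Check_10_0_XXXX
        jmp     NtFlushBuffersFileEx_SystemCall_Unknown
NtFlushBuffersFileEx_Check_6_X_XXXX:            ; minor version: 8 / 8.1 only
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFlushBuffersFileEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFlushBuffersFileEx_SystemCall_6_3_XXXX
        jmp     NtFlushBuffersFileEx_SystemCall_Unknown
NtFlushBuffersFileEx_Check_10_0_XXXX:           ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFlushBuffersFileEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFlushBuffersFileEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFlushBuffersFileEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFlushBuffersFileEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFlushBuffersFileEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFlushBuffersFileEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFlushBuffersFileEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFlushBuffersFileEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFlushBuffersFileEx_SystemCall_10_0_18363
        jmp     NtFlushBuffersFileEx_SystemCall_Unknown
NtFlushBuffersFileEx_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 00d2h
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d4h
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_10240:     ; Windows 10 1507
        mov     eax, 00d7h
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_10586:     ; Windows 10 1511
        mov     eax, 00d8h
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_14393:     ; Windows 10 1607
        mov     eax, 00dah
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_15063:     ; Windows 10 1703
        mov     eax, 00ddh
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_16299:     ; Windows 10 1709
        mov     eax, 00deh
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_17134:     ; Windows 10 1803
        mov     eax, 00dfh
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_17763:     ; Windows 10 1809
        mov     eax, 00e0h
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_10_0_18362:     ; Windows 10 1903
NtFlushBuffersFileEx_SystemCall_10_0_18363:     ; Windows 10 1909
        mov     eax, 00e1h
        jmp     NtFlushBuffersFileEx_Epilogue
NtFlushBuffersFileEx_SystemCall_Unknown:        ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFlushBuffersFileEx_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFlushBuffersFileEx ENDP

;-----------------------------------------------------------------------
; NtFlushInstallUILanguage — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; No entry exists before Windows Vista; XP/2003 take the Unknown path.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFlushInstallUILanguage PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFlushInstallUILanguage_Check_X_X_XXXX:        ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFlushInstallUILanguage_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFlushInstallUILanguage_Check_10_0_XXXX
        jmp     NtFlushInstallUILanguage_SystemCall_Unknown
NtFlushInstallUILanguage_Check_6_X_XXXX:        ; minor version: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 0
        je      NtFlushInstallUILanguage_Check_6_0_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 1
        je      NtFlushInstallUILanguage_Check_6_1_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFlushInstallUILanguage_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFlushInstallUILanguage_SystemCall_6_3_XXXX
        jmp     NtFlushInstallUILanguage_SystemCall_Unknown
NtFlushInstallUILanguage_Check_6_0_XXXX:        ; Vista build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6000
        je      NtFlushInstallUILanguage_SystemCall_6_0_6000
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6001
        je      NtFlushInstallUILanguage_SystemCall_6_0_6001
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6002
        je      NtFlushInstallUILanguage_SystemCall_6_0_6002
        jmp     NtFlushInstallUILanguage_SystemCall_Unknown
NtFlushInstallUILanguage_Check_6_1_XXXX:        ; Windows 7 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7600
        je      NtFlushInstallUILanguage_SystemCall_6_1_7600
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7601
        je      NtFlushInstallUILanguage_SystemCall_6_1_7601
        jmp     NtFlushInstallUILanguage_SystemCall_Unknown
NtFlushInstallUILanguage_Check_10_0_XXXX:       ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFlushInstallUILanguage_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFlushInstallUILanguage_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFlushInstallUILanguage_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFlushInstallUILanguage_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFlushInstallUILanguage_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFlushInstallUILanguage_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFlushInstallUILanguage_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFlushInstallUILanguage_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFlushInstallUILanguage_SystemCall_10_0_18363
        jmp     NtFlushInstallUILanguage_SystemCall_Unknown
NtFlushInstallUILanguage_SystemCall_6_0_6000:   ; Windows Vista SP0
        mov     eax, 00c0h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
NtFlushInstallUILanguage_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00beh
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_6_1_7600:   ; Windows 7 SP0
NtFlushInstallUILanguage_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00c1h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
        mov     eax, 00d3h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d5h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_10240: ; Windows 10 1507
        mov     eax, 00d8h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_10586: ; Windows 10 1511
        mov     eax, 00d9h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_14393: ; Windows 10 1607
        mov     eax, 00dbh
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_15063: ; Windows 10 1703
        mov     eax, 00deh
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_16299: ; Windows 10 1709
        mov     eax, 00dfh
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_17134: ; Windows 10 1803
        mov     eax, 00e0h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_17763: ; Windows 10 1809
        mov     eax, 00e1h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_10_0_18362: ; Windows 10 1903
NtFlushInstallUILanguage_SystemCall_10_0_18363: ; Windows 10 1909
        mov     eax, 00e2h
        jmp     NtFlushInstallUILanguage_Epilogue
NtFlushInstallUILanguage_SystemCall_Unknown:    ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFlushInstallUILanguage_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFlushInstallUILanguage ENDP

;-----------------------------------------------------------------------
; NtFlushInstructionCache — args in rcx, rdx, r8, r9 (+stack); rax = NTSTATUS.
; Clobbers rax, rcx, r10, r11, flags.
;-----------------------------------------------------------------------
NtFlushInstructionCache PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtFlushInstructionCache_Check_X_X_XXXX:         ; dispatch on OS major version
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 5
        je      NtFlushInstructionCache_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 6
        je      NtFlushInstructionCache_Check_6_X_XXXX
        cmp     dword ptr [rax+PEB_OSMAJORVERSION], 10
        je      NtFlushInstructionCache_Check_10_0_XXXX
        jmp     NtFlushInstructionCache_SystemCall_Unknown
NtFlushInstructionCache_Check_6_X_XXXX:         ; minor version: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 0
        je      NtFlushInstructionCache_Check_6_0_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 1
        je      NtFlushInstructionCache_Check_6_1_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 2
        je      NtFlushInstructionCache_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+PEB_OSMINORVERSION], 3   ; was 2: 8.1 never matched
        je      NtFlushInstructionCache_SystemCall_6_3_XXXX
        jmp     NtFlushInstructionCache_SystemCall_Unknown
NtFlushInstructionCache_Check_6_0_XXXX:         ; Vista build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6000
        je      NtFlushInstructionCache_SystemCall_6_0_6000
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6001
        je      NtFlushInstructionCache_SystemCall_6_0_6001
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 6002
        je      NtFlushInstructionCache_SystemCall_6_0_6002
        jmp     NtFlushInstructionCache_SystemCall_Unknown
NtFlushInstructionCache_Check_6_1_XXXX:         ; Windows 7 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7600
        je      NtFlushInstructionCache_SystemCall_6_1_7600
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 7601
        je      NtFlushInstructionCache_SystemCall_6_1_7601
        jmp     NtFlushInstructionCache_SystemCall_Unknown
NtFlushInstructionCache_Check_10_0_XXXX:        ; Windows 10 build number
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10240
        je      NtFlushInstructionCache_SystemCall_10_0_10240
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 10586
        je      NtFlushInstructionCache_SystemCall_10_0_10586
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 14393
        je      NtFlushInstructionCache_SystemCall_10_0_14393
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 15063
        je      NtFlushInstructionCache_SystemCall_10_0_15063
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 16299
        je      NtFlushInstructionCache_SystemCall_10_0_16299
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17134
        je      NtFlushInstructionCache_SystemCall_10_0_17134
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 17763
        je      NtFlushInstructionCache_SystemCall_10_0_17763
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18362
        je      NtFlushInstructionCache_SystemCall_10_0_18362
        cmp     dword ptr [rax+PEB_OSBUILDNUMBER], 18363
        je      NtFlushInstructionCache_SystemCall_10_0_18363
        jmp     NtFlushInstructionCache_SystemCall_Unknown
NtFlushInstructionCache_SystemCall_5_X_XXXX:    ; Windows XP and Server 2003
        mov     eax, 0098h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_6_0_6000:    ; Windows Vista SP0
        mov     eax, 00c1h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_6_0_6001:    ; Windows Vista SP1 and Server 2008 SP0
NtFlushInstructionCache_SystemCall_6_0_6002:    ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00bfh
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_6_1_7600:    ; Windows 7 SP0
NtFlushInstructionCache_SystemCall_6_1_7601:    ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00c2h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_6_2_XXXX:    ; Windows 8 and Server 2012
        mov     eax, 00d4h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_6_3_XXXX:    ; Windows 8.1 and Server 2012 R2
        mov     eax, 00d6h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_10240:  ; Windows 10 1507
        mov     eax, 00d9h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_10586:  ; Windows 10 1511
        mov     eax, 00dah
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_14393:  ; Windows 10 1607
        mov     eax, 00dch
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_15063:  ; Windows 10 1703
        mov     eax, 00dfh
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_16299:  ; Windows 10 1709
        mov     eax, 00e0h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_17134:  ; Windows 10 1803
        mov     eax, 00e1h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_17763:  ; Windows 10 1809
        mov     eax, 00e2h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_10_0_18362:  ; Windows 10 1903
NtFlushInstructionCache_SystemCall_10_0_18363:  ; Windows 10 1909
        mov     eax, 00e3h
        jmp     NtFlushInstructionCache_Epilogue
NtFlushInstructionCache_SystemCall_Unknown:     ; no number known for this OS
        mov     eax, STATUS_NOT_IMPLEMENTED
        ret
NtFlushInstructionCache_Epilogue:
        mov     r10, rcx                        ; syscall ABI: first argument in r10
        syscall
        ret
NtFlushInstructionCache ENDP

; NtFlushKey continues past the end of this span; its header is reproduced
; unchanged and its version ladder still uses the raw PEB offsets.
NtFlushKey PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX.
NtFlushKey_Check_X_X_XXXX:                      ; Check major version.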
cmp dword ptr [rax+118h], 5 je NtFlushKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtFlushKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFlushKey_Check_10_0_XXXX jmp NtFlushKey_SystemCall_Unknown NtFlushKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtFlushKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFlushKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushKey_SystemCall_6_3_XXXX jmp NtFlushKey_SystemCall_Unknown NtFlushKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFlushKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFlushKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFlushKey_SystemCall_6_0_6002 jmp NtFlushKey_SystemCall_Unknown NtFlushKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFlushKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFlushKey_SystemCall_6_1_7601 jmp NtFlushKey_SystemCall_Unknown NtFlushKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtFlushKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFlushKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFlushKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFlushKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFlushKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFlushKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFlushKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFlushKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFlushKey_SystemCall_10_0_18363 jmp NtFlushKey_SystemCall_Unknown NtFlushKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0099h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c2h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c0h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c0h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c3h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c3h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00d5h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00d7h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00dah jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00dbh jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00ddh jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e0h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e1h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_17134: ; 
Windows 10.0.17134 (1803) mov eax, 00e2h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e3h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00e4h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00e4h jmp NtFlushKey_Epilogue NtFlushKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFlushKey_Epilogue: mov r10, rcx syscall ret NtFlushKey ENDP NtFlushProcessWriteBuffers PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFlushProcessWriteBuffers_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtFlushProcessWriteBuffers_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFlushProcessWriteBuffers_Check_10_0_XXXX jmp NtFlushProcessWriteBuffers_SystemCall_Unknown NtFlushProcessWriteBuffers_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtFlushProcessWriteBuffers_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFlushProcessWriteBuffers_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushProcessWriteBuffers_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushProcessWriteBuffers_SystemCall_6_3_XXXX jmp NtFlushProcessWriteBuffers_SystemCall_Unknown NtFlushProcessWriteBuffers_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFlushProcessWriteBuffers_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFlushProcessWriteBuffers_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFlushProcessWriteBuffers_SystemCall_6_0_6002 jmp NtFlushProcessWriteBuffers_SystemCall_Unknown NtFlushProcessWriteBuffers_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtFlushProcessWriteBuffers_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFlushProcessWriteBuffers_SystemCall_6_1_7601 jmp NtFlushProcessWriteBuffers_SystemCall_Unknown NtFlushProcessWriteBuffers_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtFlushProcessWriteBuffers_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFlushProcessWriteBuffers_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFlushProcessWriteBuffers_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFlushProcessWriteBuffers_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFlushProcessWriteBuffers_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFlushProcessWriteBuffers_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFlushProcessWriteBuffers_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFlushProcessWriteBuffers_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFlushProcessWriteBuffers_SystemCall_10_0_18363 jmp NtFlushProcessWriteBuffers_SystemCall_Unknown NtFlushProcessWriteBuffers_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c3h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c1h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c1h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c4h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c4h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00d6h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00d8h jmp 
NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00dbh jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00dch jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00deh jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e1h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e2h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e3h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e4h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00e5h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00e5h jmp NtFlushProcessWriteBuffers_Epilogue NtFlushProcessWriteBuffers_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFlushProcessWriteBuffers_Epilogue: mov r10, rcx syscall ret NtFlushProcessWriteBuffers ENDP NtFlushVirtualMemory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFlushVirtualMemory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtFlushVirtualMemory_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtFlushVirtualMemory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFlushVirtualMemory_Check_10_0_XXXX jmp NtFlushVirtualMemory_SystemCall_Unknown NtFlushVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtFlushVirtualMemory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFlushVirtualMemory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushVirtualMemory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushVirtualMemory_SystemCall_6_3_XXXX jmp NtFlushVirtualMemory_SystemCall_Unknown NtFlushVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFlushVirtualMemory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFlushVirtualMemory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFlushVirtualMemory_SystemCall_6_0_6002 jmp NtFlushVirtualMemory_SystemCall_Unknown NtFlushVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFlushVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFlushVirtualMemory_SystemCall_6_1_7601 jmp NtFlushVirtualMemory_SystemCall_Unknown NtFlushVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtFlushVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFlushVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFlushVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFlushVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFlushVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFlushVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFlushVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFlushVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFlushVirtualMemory_SystemCall_10_0_18363 jmp NtFlushVirtualMemory_SystemCall_Unknown NtFlushVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 009ah jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c4h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c2h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c2h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c5h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c5h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00d7h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00d9h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00dch jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00ddh jmp NtFlushVirtualMemory_Epilogue 
NtFlushVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00dfh jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e2h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e3h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e4h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e5h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00e6h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00e6h jmp NtFlushVirtualMemory_Epilogue NtFlushVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFlushVirtualMemory_Epilogue: mov r10, rcx syscall ret NtFlushVirtualMemory ENDP NtFlushWriteBuffer PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFlushWriteBuffer_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtFlushWriteBuffer_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtFlushWriteBuffer_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFlushWriteBuffer_Check_10_0_XXXX jmp NtFlushWriteBuffer_SystemCall_Unknown NtFlushWriteBuffer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtFlushWriteBuffer_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFlushWriteBuffer_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushWriteBuffer_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFlushWriteBuffer_SystemCall_6_3_XXXX jmp NtFlushWriteBuffer_SystemCall_Unknown NtFlushWriteBuffer_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtFlushWriteBuffer_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFlushWriteBuffer_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFlushWriteBuffer_SystemCall_6_0_6002 jmp NtFlushWriteBuffer_SystemCall_Unknown NtFlushWriteBuffer_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFlushWriteBuffer_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFlushWriteBuffer_SystemCall_6_1_7601 jmp NtFlushWriteBuffer_SystemCall_Unknown NtFlushWriteBuffer_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtFlushWriteBuffer_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFlushWriteBuffer_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFlushWriteBuffer_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFlushWriteBuffer_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFlushWriteBuffer_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFlushWriteBuffer_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFlushWriteBuffer_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFlushWriteBuffer_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFlushWriteBuffer_SystemCall_10_0_18363 jmp NtFlushWriteBuffer_SystemCall_Unknown NtFlushWriteBuffer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 009bh jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c5h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c3h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c3h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c6h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c6h jmp 
NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00d8h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00dah jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00ddh jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00deh jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e0h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e3h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e4h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e5h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e6h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00e7h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00e7h jmp NtFlushWriteBuffer_Epilogue NtFlushWriteBuffer_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFlushWriteBuffer_Epilogue: mov r10, rcx syscall ret NtFlushWriteBuffer ENDP NtFreeUserPhysicalPages PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFreeUserPhysicalPages_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtFreeUserPhysicalPages_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtFreeUserPhysicalPages_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFreeUserPhysicalPages_Check_10_0_XXXX jmp NtFreeUserPhysicalPages_SystemCall_Unknown NtFreeUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtFreeUserPhysicalPages_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFreeUserPhysicalPages_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFreeUserPhysicalPages_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFreeUserPhysicalPages_SystemCall_6_3_XXXX jmp NtFreeUserPhysicalPages_SystemCall_Unknown NtFreeUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFreeUserPhysicalPages_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFreeUserPhysicalPages_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFreeUserPhysicalPages_SystemCall_6_0_6002 jmp NtFreeUserPhysicalPages_SystemCall_Unknown NtFreeUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFreeUserPhysicalPages_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFreeUserPhysicalPages_SystemCall_6_1_7601 jmp NtFreeUserPhysicalPages_SystemCall_Unknown NtFreeUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtFreeUserPhysicalPages_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFreeUserPhysicalPages_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFreeUserPhysicalPages_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFreeUserPhysicalPages_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFreeUserPhysicalPages_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFreeUserPhysicalPages_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFreeUserPhysicalPages_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFreeUserPhysicalPages_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFreeUserPhysicalPages_SystemCall_10_0_18363 jmp NtFreeUserPhysicalPages_SystemCall_Unknown NtFreeUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 009ch jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c6h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c4h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c4h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c7h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c7h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00d9h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00dbh jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00deh jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 
mov eax, 00dfh jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e1h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e4h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e5h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e6h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e7h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00e8h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00e8h jmp NtFreeUserPhysicalPages_Epilogue NtFreeUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFreeUserPhysicalPages_Epilogue: mov r10, rcx syscall ret NtFreeUserPhysicalPages ENDP NtFreeVirtualMemory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFreeVirtualMemory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtFreeVirtualMemory_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtFreeVirtualMemory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFreeVirtualMemory_Check_10_0_XXXX jmp NtFreeVirtualMemory_SystemCall_Unknown NtFreeVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtFreeVirtualMemory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFreeVirtualMemory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFreeVirtualMemory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFreeVirtualMemory_SystemCall_6_3_XXXX jmp NtFreeVirtualMemory_SystemCall_Unknown NtFreeVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtFreeVirtualMemory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFreeVirtualMemory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFreeVirtualMemory_SystemCall_6_0_6002 jmp NtFreeVirtualMemory_SystemCall_Unknown NtFreeVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFreeVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFreeVirtualMemory_SystemCall_6_1_7601 jmp NtFreeVirtualMemory_SystemCall_Unknown NtFreeVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtFreeVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFreeVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFreeVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFreeVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFreeVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFreeVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFreeVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFreeVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFreeVirtualMemory_SystemCall_10_0_18363 jmp NtFreeVirtualMemory_SystemCall_Unknown NtFreeVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 001bh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 001bh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 001bh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 001bh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 001bh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 mov eax, 001bh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 001ch jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 001dh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 001eh jmp NtFreeVirtualMemory_Epilogue NtFreeVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFreeVirtualMemory_Epilogue: mov r10, rcx syscall ret NtFreeVirtualMemory ENDP NtFreezeRegistry PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFreezeRegistry_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtFreezeRegistry_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFreezeRegistry_Check_10_0_XXXX jmp NtFreezeRegistry_SystemCall_Unknown NtFreezeRegistry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtFreezeRegistry_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFreezeRegistry_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFreezeRegistry_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFreezeRegistry_SystemCall_6_3_XXXX jmp NtFreezeRegistry_SystemCall_Unknown NtFreezeRegistry_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFreezeRegistry_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFreezeRegistry_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFreezeRegistry_SystemCall_6_0_6002 jmp NtFreezeRegistry_SystemCall_Unknown NtFreezeRegistry_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFreezeRegistry_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFreezeRegistry_SystemCall_6_1_7601 jmp NtFreezeRegistry_SystemCall_Unknown NtFreezeRegistry_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtFreezeRegistry_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFreezeRegistry_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFreezeRegistry_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFreezeRegistry_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFreezeRegistry_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFreezeRegistry_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFreezeRegistry_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFreezeRegistry_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFreezeRegistry_SystemCall_10_0_18363 jmp NtFreezeRegistry_SystemCall_Unknown NtFreezeRegistry_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c7h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c5h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c5h jmp 
NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c8h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c8h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00dah jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00dch jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00dfh jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e0h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e2h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e5h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e6h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e7h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e8h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00e9h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00e9h jmp NtFreezeRegistry_Epilogue NtFreezeRegistry_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFreezeRegistry_Epilogue: mov r10, rcx syscall ret NtFreezeRegistry ENDP NtFreezeTransactions PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFreezeTransactions_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtFreezeTransactions_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFreezeTransactions_Check_10_0_XXXX jmp NtFreezeTransactions_SystemCall_Unknown NtFreezeTransactions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtFreezeTransactions_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFreezeTransactions_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFreezeTransactions_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFreezeTransactions_SystemCall_6_3_XXXX jmp NtFreezeTransactions_SystemCall_Unknown NtFreezeTransactions_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFreezeTransactions_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFreezeTransactions_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFreezeTransactions_SystemCall_6_0_6002 jmp NtFreezeTransactions_SystemCall_Unknown NtFreezeTransactions_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtFreezeTransactions_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFreezeTransactions_SystemCall_6_1_7601 jmp NtFreezeTransactions_SystemCall_Unknown NtFreezeTransactions_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtFreezeTransactions_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFreezeTransactions_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFreezeTransactions_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFreezeTransactions_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFreezeTransactions_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFreezeTransactions_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFreezeTransactions_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFreezeTransactions_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFreezeTransactions_SystemCall_10_0_18363 jmp NtFreezeTransactions_SystemCall_Unknown NtFreezeTransactions_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c8h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c6h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c6h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00c9h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00c9h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00dbh jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00ddh jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e0h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e1h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e3h jmp NtFreezeTransactions_Epilogue 
NtFreezeTransactions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e6h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e7h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e8h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00e9h jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00eah jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00eah jmp NtFreezeTransactions_Epilogue NtFreezeTransactions_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFreezeTransactions_Epilogue: mov r10, rcx syscall ret NtFreezeTransactions ENDP NtFsControlFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtFsControlFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtFsControlFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtFsControlFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtFsControlFile_Check_10_0_XXXX jmp NtFsControlFile_SystemCall_Unknown NtFsControlFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtFsControlFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtFsControlFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtFsControlFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtFsControlFile_SystemCall_6_3_XXXX jmp NtFsControlFile_SystemCall_Unknown NtFsControlFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtFsControlFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtFsControlFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtFsControlFile_SystemCall_6_0_6002 jmp NtFsControlFile_SystemCall_Unknown NtFsControlFile_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtFsControlFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtFsControlFile_SystemCall_6_1_7601 jmp NtFsControlFile_SystemCall_Unknown NtFsControlFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtFsControlFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtFsControlFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtFsControlFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtFsControlFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtFsControlFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtFsControlFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtFsControlFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtFsControlFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtFsControlFile_SystemCall_10_0_18363 jmp NtFsControlFile_SystemCall_Unknown NtFsControlFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0036h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0036h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0036h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0036h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0036h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0036h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0037h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0038h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0039h jmp NtFsControlFile_Epilogue NtFsControlFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtFsControlFile_Epilogue: mov r10, rcx syscall ret NtFsControlFile ENDP NtGetCachedSigningLevel PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetCachedSigningLevel_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtGetCachedSigningLevel_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtGetCachedSigningLevel_Check_10_0_XXXX jmp NtGetCachedSigningLevel_SystemCall_Unknown NtGetCachedSigningLevel_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtGetCachedSigningLevel_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtGetCachedSigningLevel_SystemCall_6_3_XXXX jmp NtGetCachedSigningLevel_SystemCall_Unknown NtGetCachedSigningLevel_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtGetCachedSigningLevel_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetCachedSigningLevel_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetCachedSigningLevel_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetCachedSigningLevel_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetCachedSigningLevel_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetCachedSigningLevel_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetCachedSigningLevel_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetCachedSigningLevel_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetCachedSigningLevel_SystemCall_10_0_18363 jmp NtGetCachedSigningLevel_SystemCall_Unknown NtGetCachedSigningLevel_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00dch jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00deh jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e1h jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e2h jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e4h jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e7h jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e8h jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00e9h jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00eah jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov 
eax, 00ebh jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00ebh jmp NtGetCachedSigningLevel_Epilogue NtGetCachedSigningLevel_SystemCall_Unknown: ; Unknown/unsupported version. ret NtGetCachedSigningLevel_Epilogue: mov r10, rcx syscall ret NtGetCachedSigningLevel ENDP NtGetCompleteWnfStateSubscription PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetCompleteWnfStateSubscription_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtGetCompleteWnfStateSubscription_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtGetCompleteWnfStateSubscription_Check_10_0_XXXX jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown NtGetCompleteWnfStateSubscription_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtGetCompleteWnfStateSubscription_SystemCall_6_3_XXXX jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown NtGetCompleteWnfStateSubscription_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetCompleteWnfStateSubscription_SystemCall_10_0_18363 jmp NtGetCompleteWnfStateSubscription_SystemCall_Unknown NtGetCompleteWnfStateSubscription_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00dfh jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e2h jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e3h jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e5h jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e8h jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00e9h jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00eah jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov 
eax, 00ebh jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00ech jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00ech jmp NtGetCompleteWnfStateSubscription_Epilogue NtGetCompleteWnfStateSubscription_SystemCall_Unknown: ; Unknown/unsupported version. ret NtGetCompleteWnfStateSubscription_Epilogue: mov r10, rcx syscall ret NtGetCompleteWnfStateSubscription ENDP NtGetContextThread PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetContextThread_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtGetContextThread_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtGetContextThread_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtGetContextThread_Check_10_0_XXXX jmp NtGetContextThread_SystemCall_Unknown NtGetContextThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtGetContextThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtGetContextThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtGetContextThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtGetContextThread_SystemCall_6_3_XXXX jmp NtGetContextThread_SystemCall_Unknown NtGetContextThread_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtGetContextThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtGetContextThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtGetContextThread_SystemCall_6_0_6002 jmp NtGetContextThread_SystemCall_Unknown NtGetContextThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtGetContextThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtGetContextThread_SystemCall_6_1_7601 jmp NtGetContextThread_SystemCall_Unknown NtGetContextThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtGetContextThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetContextThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetContextThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetContextThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetContextThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetContextThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetContextThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetContextThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetContextThread_SystemCall_10_0_18363 jmp NtGetContextThread_SystemCall_Unknown NtGetContextThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 009dh jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00c9h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c7h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c7h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00cah jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00cah jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00ddh jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00e0h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e3h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e4h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e6h jmp 
NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00e9h jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00eah jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00ebh jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00ech jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00edh jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00edh jmp NtGetContextThread_Epilogue NtGetContextThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtGetContextThread_Epilogue: mov r10, rcx syscall ret NtGetContextThread ENDP NtGetCurrentProcessorNumber PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetCurrentProcessorNumber_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtGetCurrentProcessorNumber_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtGetCurrentProcessorNumber_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtGetCurrentProcessorNumber_Check_10_0_XXXX jmp NtGetCurrentProcessorNumber_SystemCall_Unknown NtGetCurrentProcessorNumber_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtGetCurrentProcessorNumber_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtGetCurrentProcessorNumber_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtGetCurrentProcessorNumber_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtGetCurrentProcessorNumber_SystemCall_6_3_XXXX jmp NtGetCurrentProcessorNumber_SystemCall_Unknown NtGetCurrentProcessorNumber_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtGetCurrentProcessorNumber_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtGetCurrentProcessorNumber_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtGetCurrentProcessorNumber_SystemCall_6_0_6002 jmp NtGetCurrentProcessorNumber_SystemCall_Unknown NtGetCurrentProcessorNumber_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtGetCurrentProcessorNumber_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtGetCurrentProcessorNumber_SystemCall_6_1_7601 jmp NtGetCurrentProcessorNumber_SystemCall_Unknown NtGetCurrentProcessorNumber_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtGetCurrentProcessorNumber_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetCurrentProcessorNumber_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetCurrentProcessorNumber_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetCurrentProcessorNumber_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetCurrentProcessorNumber_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetCurrentProcessorNumber_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetCurrentProcessorNumber_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetCurrentProcessorNumber_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetCurrentProcessorNumber_SystemCall_10_0_18363 jmp NtGetCurrentProcessorNumber_SystemCall_Unknown NtGetCurrentProcessorNumber_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 009eh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00cah jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c8h jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c8h 
jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00cbh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00cbh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00deh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00e1h jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e4h jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e5h jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e7h jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00eah jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00ebh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00ech jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00edh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00eeh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00eeh jmp NtGetCurrentProcessorNumber_Epilogue NtGetCurrentProcessorNumber_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtGetCurrentProcessorNumber_Epilogue: mov r10, rcx syscall ret NtGetCurrentProcessorNumber ENDP NtGetCurrentProcessorNumberEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetCurrentProcessorNumberEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtGetCurrentProcessorNumberEx_Check_10_0_XXXX jmp NtGetCurrentProcessorNumberEx_SystemCall_Unknown NtGetCurrentProcessorNumberEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetCurrentProcessorNumberEx_SystemCall_10_0_18363 jmp NtGetCurrentProcessorNumberEx_SystemCall_Unknown NtGetCurrentProcessorNumberEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e5h jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e6h jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e8h jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00ebh jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00ech jmp NtGetCurrentProcessorNumberEx_Epilogue 
NtGetCurrentProcessorNumberEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00edh jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00eeh jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00efh jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00efh jmp NtGetCurrentProcessorNumberEx_Epilogue NtGetCurrentProcessorNumberEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtGetCurrentProcessorNumberEx_Epilogue: mov r10, rcx syscall ret NtGetCurrentProcessorNumberEx ENDP NtGetDevicePowerState PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetDevicePowerState_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtGetDevicePowerState_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtGetDevicePowerState_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtGetDevicePowerState_Check_10_0_XXXX jmp NtGetDevicePowerState_SystemCall_Unknown NtGetDevicePowerState_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtGetDevicePowerState_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtGetDevicePowerState_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtGetDevicePowerState_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtGetDevicePowerState_SystemCall_6_3_XXXX jmp NtGetDevicePowerState_SystemCall_Unknown NtGetDevicePowerState_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtGetDevicePowerState_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtGetDevicePowerState_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtGetDevicePowerState_SystemCall_6_0_6002 jmp NtGetDevicePowerState_SystemCall_Unknown NtGetDevicePowerState_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtGetDevicePowerState_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtGetDevicePowerState_SystemCall_6_1_7601 jmp NtGetDevicePowerState_SystemCall_Unknown NtGetDevicePowerState_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtGetDevicePowerState_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetDevicePowerState_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetDevicePowerState_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetDevicePowerState_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetDevicePowerState_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetDevicePowerState_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetDevicePowerState_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetDevicePowerState_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetDevicePowerState_SystemCall_10_0_18363 jmp NtGetDevicePowerState_SystemCall_Unknown NtGetDevicePowerState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 009fh jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00cbh jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00c9h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00c9h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00cch jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00cch jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00dfh jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00e2h jmp 
NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e6h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e7h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00e9h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00ech jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00edh jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00eeh jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00efh jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00f0h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00f0h jmp NtGetDevicePowerState_Epilogue NtGetDevicePowerState_SystemCall_Unknown: ; Unknown/unsupported version. ret NtGetDevicePowerState_Epilogue: mov r10, rcx syscall ret NtGetDevicePowerState ENDP NtGetMUIRegistryInfo PROC mov rax, gs:[60h] ; Load PEB into RAX. NtGetMUIRegistryInfo_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtGetMUIRegistryInfo_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtGetMUIRegistryInfo_Check_10_0_XXXX jmp NtGetMUIRegistryInfo_SystemCall_Unknown NtGetMUIRegistryInfo_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtGetMUIRegistryInfo_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtGetMUIRegistryInfo_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtGetMUIRegistryInfo_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtGetMUIRegistryInfo_SystemCall_6_3_XXXX jmp NtGetMUIRegistryInfo_SystemCall_Unknown NtGetMUIRegistryInfo_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtGetMUIRegistryInfo_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtGetMUIRegistryInfo_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtGetMUIRegistryInfo_SystemCall_6_0_6002 jmp NtGetMUIRegistryInfo_SystemCall_Unknown NtGetMUIRegistryInfo_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtGetMUIRegistryInfo_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtGetMUIRegistryInfo_SystemCall_6_1_7601 jmp NtGetMUIRegistryInfo_SystemCall_Unknown NtGetMUIRegistryInfo_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtGetMUIRegistryInfo_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtGetMUIRegistryInfo_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtGetMUIRegistryInfo_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtGetMUIRegistryInfo_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtGetMUIRegistryInfo_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtGetMUIRegistryInfo_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtGetMUIRegistryInfo_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtGetMUIRegistryInfo_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtGetMUIRegistryInfo_SystemCall_10_0_18363 jmp NtGetMUIRegistryInfo_SystemCall_Unknown NtGetMUIRegistryInfo_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00cch jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00cah jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00cah jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00cdh jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00cdh jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00e0h jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00e3h jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00e7h jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00e8h jmp NtGetMUIRegistryInfo_Epilogue NtGetMUIRegistryInfo_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00eah jmp NtGetMUIRegistryInfo_Epilogue 
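NtGetMUIRegistryInfo_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 00edh
        jmp     NtGetMUIRegistryInfo_Epilogue
NtGetMUIRegistryInfo_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 00eeh
        jmp     NtGetMUIRegistryInfo_Epilogue
NtGetMUIRegistryInfo_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 00efh
        jmp     NtGetMUIRegistryInfo_Epilogue
NtGetMUIRegistryInfo_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 00f0h
        jmp     NtGetMUIRegistryInfo_Epilogue
NtGetMUIRegistryInfo_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 00f1h
        jmp     NtGetMUIRegistryInfo_Epilogue
NtGetMUIRegistryInfo_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 00f1h
        jmp     NtGetMUIRegistryInfo_Epilogue
NtGetMUIRegistryInfo_SystemCall_Unknown:        ; Unknown/unsupported version.
        ret
NtGetMUIRegistryInfo_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtGetMUIRegistryInfo ENDP

;-----------------------------------------------------------------------
; NtGetNextProcess -- direct system call stub (no ntdll transition).
; ABI:   Microsoft x64. The caller's arguments arrive in rcx, rdx, r8, r9
;        and on the stack exactly as for the ntdll export of the same
;        name and are passed through to the kernel untouched.
; Out:   rax = NTSTATUS returned by the kernel, or STATUS_NOT_IMPLEMENTED
;        (0C0000002h) when the running OS build has no known service
;        number for this routine.
; Clobb: rax, r10; SYSCALL itself overwrites rcx and r11.
; Notes: The system service number (SSN) is build-specific, so it is
;        selected from the PEB fields OSMajorVersion ([PEB+118h]),
;        OSMinorVersion ([PEB+11ch]) and OSBuildNumber ([PEB+120h]).
;        An unlisted build fails closed with a defined error status
;        rather than issuing a guessed number, which would invoke an
;        unrelated kernel service with this routine's arguments.
;        Every stub below follows this same shape.
;-----------------------------------------------------------------------
NtGetNextProcess PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtGetNextProcess_Check_X_X_XXXX:                ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 6
        je      NtGetNextProcess_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtGetNextProcess_Check_10_0_XXXX
        jmp     NtGetNextProcess_SystemCall_Unknown
NtGetNextProcess_Check_6_X_XXXX:                ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtGetNextProcess_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtGetNextProcess_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtGetNextProcess_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2, so this branch never fired)
        je      NtGetNextProcess_SystemCall_6_3_XXXX
        jmp     NtGetNextProcess_SystemCall_Unknown
NtGetNextProcess_Check_6_0_XXXX:                ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtGetNextProcess_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtGetNextProcess_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtGetNextProcess_SystemCall_6_0_6002
        jmp     NtGetNextProcess_SystemCall_Unknown
NtGetNextProcess_Check_6_1_XXXX:                ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtGetNextProcess_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtGetNextProcess_SystemCall_6_1_7601
        jmp     NtGetNextProcess_SystemCall_Unknown
NtGetNextProcess_Check_10_0_XXXX:               ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtGetNextProcess_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtGetNextProcess_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtGetNextProcess_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtGetNextProcess_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtGetNextProcess_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtGetNextProcess_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtGetNextProcess_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtGetNextProcess_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtGetNextProcess_SystemCall_10_0_18363
        jmp     NtGetNextProcess_SystemCall_Unknown
NtGetNextProcess_SystemCall_6_0_6000:           ; Windows Vista SP0
        mov     eax, 00cdh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_6_0_6001:           ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00cbh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_6_0_6002:           ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00cbh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_6_1_7600:           ; Windows 7 SP0
        mov     eax, 00ceh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_6_1_7601:           ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00ceh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_6_2_XXXX:           ; Windows 8 and Server 2012
        mov     eax, 00e1h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_6_3_XXXX:           ; Windows 8.1 and Server 2012 R2
        mov     eax, 00e4h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_10240:         ; Windows 10.0.10240 (1507)
        mov     eax, 00e8h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
        mov     eax, 00e9h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
        mov     eax, 00ebh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
        mov     eax, 00eeh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
        mov     eax, 00efh
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
        mov     eax, 00f0h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
        mov     eax, 00f1h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
        mov     eax, 00f2h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
        mov     eax, 00f2h
        jmp     NtGetNextProcess_Epilogue
NtGetNextProcess_SystemCall_Unknown:            ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously rax still held the PEB pointer
        ret
NtGetNextProcess_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; the kernel reads arg 1 from r10
        syscall
        ret
NtGetNextProcess ENDP

;-----------------------------------------------------------------------
; NtGetNextThread -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above (Microsoft x64 pass-through;
;        rax = NTSTATUS or STATUS_NOT_IMPLEMENTED; rax, r10, rcx, r11).
;-----------------------------------------------------------------------
NtGetNextThread PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtGetNextThread_Check_X_X_XXXX:                 ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 6
        je      NtGetNextThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtGetNextThread_Check_10_0_XXXX
        jmp     NtGetNextThread_SystemCall_Unknown
NtGetNextThread_Check_6_X_XXXX:                 ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtGetNextThread_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtGetNextThread_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtGetNextThread_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2)
        je      NtGetNextThread_SystemCall_6_3_XXXX
        jmp     NtGetNextThread_SystemCall_Unknown
NtGetNextThread_Check_6_0_XXXX:                 ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtGetNextThread_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtGetNextThread_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtGetNextThread_SystemCall_6_0_6002
        jmp     NtGetNextThread_SystemCall_Unknown
NtGetNextThread_Check_6_1_XXXX:                 ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtGetNextThread_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtGetNextThread_SystemCall_6_1_7601
        jmp     NtGetNextThread_SystemCall_Unknown
NtGetNextThread_Check_10_0_XXXX:                ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtGetNextThread_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtGetNextThread_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtGetNextThread_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtGetNextThread_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtGetNextThread_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtGetNextThread_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtGetNextThread_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtGetNextThread_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtGetNextThread_SystemCall_10_0_18363
        jmp     NtGetNextThread_SystemCall_Unknown
NtGetNextThread_SystemCall_6_0_6000:            ; Windows Vista SP0
        mov     eax, 00ceh
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00cch
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00cch
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_6_1_7600:            ; Windows 7 SP0
        mov     eax, 00cfh
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00cfh
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 00e2h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 00e5h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 00e9h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 00eah
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 00ech
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 00efh
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 00f0h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 00f1h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 00f2h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 00f3h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 00f3h
        jmp     NtGetNextThread_Epilogue
NtGetNextThread_SystemCall_Unknown:             ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtGetNextThread_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtGetNextThread ENDP

;-----------------------------------------------------------------------
; NtGetNlsSectionPtr -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above.
;-----------------------------------------------------------------------
NtGetNlsSectionPtr PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtGetNlsSectionPtr_Check_X_X_XXXX:              ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 6
        je      NtGetNlsSectionPtr_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtGetNlsSectionPtr_Check_10_0_XXXX
        jmp     NtGetNlsSectionPtr_SystemCall_Unknown
NtGetNlsSectionPtr_Check_6_X_XXXX:              ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtGetNlsSectionPtr_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtGetNlsSectionPtr_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtGetNlsSectionPtr_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2)
        je      NtGetNlsSectionPtr_SystemCall_6_3_XXXX
        jmp     NtGetNlsSectionPtr_SystemCall_Unknown
NtGetNlsSectionPtr_Check_6_0_XXXX:              ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtGetNlsSectionPtr_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtGetNlsSectionPtr_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtGetNlsSectionPtr_SystemCall_6_0_6002
        jmp     NtGetNlsSectionPtr_SystemCall_Unknown
NtGetNlsSectionPtr_Check_6_1_XXXX:              ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtGetNlsSectionPtr_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtGetNlsSectionPtr_SystemCall_6_1_7601
        jmp     NtGetNlsSectionPtr_SystemCall_Unknown
NtGetNlsSectionPtr_Check_10_0_XXXX:             ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtGetNlsSectionPtr_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtGetNlsSectionPtr_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtGetNlsSectionPtr_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtGetNlsSectionPtr_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtGetNlsSectionPtr_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtGetNlsSectionPtr_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtGetNlsSectionPtr_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtGetNlsSectionPtr_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtGetNlsSectionPtr_SystemCall_10_0_18363
        jmp     NtGetNlsSectionPtr_SystemCall_Unknown
NtGetNlsSectionPtr_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 00cfh
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00cdh
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00cdh
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_6_1_7600:         ; Windows 7 SP0
        mov     eax, 00d0h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00d0h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 00e3h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 00e6h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 00eah
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 00ebh
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 00edh
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 00f0h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 00f1h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 00f2h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 00f3h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 00f4h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 00f4h
        jmp     NtGetNlsSectionPtr_Epilogue
NtGetNlsSectionPtr_SystemCall_Unknown:          ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtGetNlsSectionPtr_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtGetNlsSectionPtr ENDP

;-----------------------------------------------------------------------
; NtGetNotificationResourceManager -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above.
;-----------------------------------------------------------------------
NtGetNotificationResourceManager PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtGetNotificationResourceManager_Check_X_X_XXXX:        ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 6
        je      NtGetNotificationResourceManager_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtGetNotificationResourceManager_Check_10_0_XXXX
        jmp     NtGetNotificationResourceManager_SystemCall_Unknown
NtGetNotificationResourceManager_Check_6_X_XXXX:        ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtGetNotificationResourceManager_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtGetNotificationResourceManager_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtGetNotificationResourceManager_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2)
        je      NtGetNotificationResourceManager_SystemCall_6_3_XXXX
        jmp     NtGetNotificationResourceManager_SystemCall_Unknown
NtGetNotificationResourceManager_Check_6_0_XXXX:        ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtGetNotificationResourceManager_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtGetNotificationResourceManager_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtGetNotificationResourceManager_SystemCall_6_0_6002
        jmp     NtGetNotificationResourceManager_SystemCall_Unknown
NtGetNotificationResourceManager_Check_6_1_XXXX:        ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtGetNotificationResourceManager_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtGetNotificationResourceManager_SystemCall_6_1_7601
        jmp     NtGetNotificationResourceManager_SystemCall_Unknown
NtGetNotificationResourceManager_Check_10_0_XXXX:       ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtGetNotificationResourceManager_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtGetNotificationResourceManager_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtGetNotificationResourceManager_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtGetNotificationResourceManager_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtGetNotificationResourceManager_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtGetNotificationResourceManager_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtGetNotificationResourceManager_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtGetNotificationResourceManager_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtGetNotificationResourceManager_SystemCall_10_0_18363
        jmp     NtGetNotificationResourceManager_SystemCall_Unknown
NtGetNotificationResourceManager_SystemCall_6_0_6000:   ; Windows Vista SP0
        mov     eax, 00d0h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00ceh
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00ceh
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_6_1_7600:   ; Windows 7 SP0
        mov     eax, 00d1h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00d1h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
        mov     eax, 00e4h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
        mov     eax, 00e7h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 00ebh
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 00ech
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 00eeh
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 00f1h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 00f2h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 00f3h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 00f4h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 00f5h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 00f5h
        jmp     NtGetNotificationResourceManager_Epilogue
NtGetNotificationResourceManager_SystemCall_Unknown:    ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtGetNotificationResourceManager_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtGetNotificationResourceManager ENDP

;-----------------------------------------------------------------------
; NtGetPlugPlayEvent -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above. Only Windows XP/2003 (5.x),
;        Vista and 7 builds carry a service number here; every other
;        version, including Windows 8+ and 10, fails closed.
;-----------------------------------------------------------------------
NtGetPlugPlayEvent PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtGetPlugPlayEvent_Check_X_X_XXXX:              ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtGetPlugPlayEvent_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtGetPlugPlayEvent_Check_6_X_XXXX
        jmp     NtGetPlugPlayEvent_SystemCall_Unknown
NtGetPlugPlayEvent_Check_6_X_XXXX:              ; Dispatch on OSMinorVersion (Vista/7 only).
        cmp     dword ptr [rax+11ch], 0
        je      NtGetPlugPlayEvent_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtGetPlugPlayEvent_Check_6_1_XXXX
        jmp     NtGetPlugPlayEvent_SystemCall_Unknown
NtGetPlugPlayEvent_Check_6_0_XXXX:              ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtGetPlugPlayEvent_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtGetPlugPlayEvent_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtGetPlugPlayEvent_SystemCall_6_0_6002
        jmp     NtGetPlugPlayEvent_SystemCall_Unknown
NtGetPlugPlayEvent_Check_6_1_XXXX:              ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtGetPlugPlayEvent_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtGetPlugPlayEvent_SystemCall_6_1_7601
        jmp     NtGetPlugPlayEvent_SystemCall_Unknown
NtGetPlugPlayEvent_SystemCall_5_X_XXXX:         ; Windows XP and Server 2003
        mov     eax, 00a0h
        jmp     NtGetPlugPlayEvent_Epilogue
NtGetPlugPlayEvent_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 00d1h
        jmp     NtGetPlugPlayEvent_Epilogue
NtGetPlugPlayEvent_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00cfh
        jmp     NtGetPlugPlayEvent_Epilogue
NtGetPlugPlayEvent_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00cfh
        jmp     NtGetPlugPlayEvent_Epilogue
NtGetPlugPlayEvent_SystemCall_6_1_7600:         ; Windows 7 SP0
        mov     eax, 00d2h
        jmp     NtGetPlugPlayEvent_Epilogue
NtGetPlugPlayEvent_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00d2h
        jmp     NtGetPlugPlayEvent_Epilogue
NtGetPlugPlayEvent_SystemCall_Unknown:          ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtGetPlugPlayEvent_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtGetPlugPlayEvent ENDP

;-----------------------------------------------------------------------
; NtGetWriteWatch -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above.
;-----------------------------------------------------------------------
NtGetWriteWatch PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtGetWriteWatch_Check_X_X_XXXX:                 ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtGetWriteWatch_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtGetWriteWatch_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtGetWriteWatch_Check_10_0_XXXX
        jmp     NtGetWriteWatch_SystemCall_Unknown
NtGetWriteWatch_Check_6_X_XXXX:                 ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtGetWriteWatch_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtGetWriteWatch_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtGetWriteWatch_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2)
        je      NtGetWriteWatch_SystemCall_6_3_XXXX
        jmp     NtGetWriteWatch_SystemCall_Unknown
NtGetWriteWatch_Check_6_0_XXXX:                 ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtGetWriteWatch_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtGetWriteWatch_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtGetWriteWatch_SystemCall_6_0_6002
        jmp     NtGetWriteWatch_SystemCall_Unknown
NtGetWriteWatch_Check_6_1_XXXX:                 ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtGetWriteWatch_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtGetWriteWatch_SystemCall_6_1_7601
        jmp     NtGetWriteWatch_SystemCall_Unknown
NtGetWriteWatch_Check_10_0_XXXX:                ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtGetWriteWatch_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtGetWriteWatch_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtGetWriteWatch_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtGetWriteWatch_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtGetWriteWatch_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtGetWriteWatch_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtGetWriteWatch_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtGetWriteWatch_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtGetWriteWatch_SystemCall_10_0_18363
        jmp     NtGetWriteWatch_SystemCall_Unknown
NtGetWriteWatch_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
        mov     eax, 00a1h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_0_6000:            ; Windows Vista SP0
        mov     eax, 00d2h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00d0h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00d0h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_1_7600:            ; Windows 7 SP0
        mov     eax, 00d3h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00d3h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 00e5h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 00e8h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 00ech
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 00edh
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 00efh
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 00f2h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 00f3h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 00f4h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 00f5h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 00f6h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 00f6h
        jmp     NtGetWriteWatch_Epilogue
NtGetWriteWatch_SystemCall_Unknown:             ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtGetWriteWatch_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtGetWriteWatch ENDP

;-----------------------------------------------------------------------
; NtImpersonateAnonymousToken -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above.
;-----------------------------------------------------------------------
NtImpersonateAnonymousToken PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtImpersonateAnonymousToken_Check_X_X_XXXX:     ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtImpersonateAnonymousToken_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtImpersonateAnonymousToken_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtImpersonateAnonymousToken_Check_10_0_XXXX
        jmp     NtImpersonateAnonymousToken_SystemCall_Unknown
NtImpersonateAnonymousToken_Check_6_X_XXXX:     ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtImpersonateAnonymousToken_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtImpersonateAnonymousToken_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtImpersonateAnonymousToken_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2)
        je      NtImpersonateAnonymousToken_SystemCall_6_3_XXXX
        jmp     NtImpersonateAnonymousToken_SystemCall_Unknown
NtImpersonateAnonymousToken_Check_6_0_XXXX:     ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtImpersonateAnonymousToken_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtImpersonateAnonymousToken_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtImpersonateAnonymousToken_SystemCall_6_0_6002
        jmp     NtImpersonateAnonymousToken_SystemCall_Unknown
NtImpersonateAnonymousToken_Check_6_1_XXXX:     ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtImpersonateAnonymousToken_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtImpersonateAnonymousToken_SystemCall_6_1_7601
        jmp     NtImpersonateAnonymousToken_SystemCall_Unknown
NtImpersonateAnonymousToken_Check_10_0_XXXX:    ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtImpersonateAnonymousToken_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtImpersonateAnonymousToken_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtImpersonateAnonymousToken_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtImpersonateAnonymousToken_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtImpersonateAnonymousToken_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtImpersonateAnonymousToken_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtImpersonateAnonymousToken_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtImpersonateAnonymousToken_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtImpersonateAnonymousToken_SystemCall_10_0_18363
        jmp     NtImpersonateAnonymousToken_SystemCall_Unknown
NtImpersonateAnonymousToken_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 00a2h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 00d3h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00d1h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00d1h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 00d4h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00d4h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 00e6h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 00e9h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 00edh
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 00eeh
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 00f0h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 00f3h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 00f4h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 00f5h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 00f6h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 00f7h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 00f7h
        jmp     NtImpersonateAnonymousToken_Epilogue
NtImpersonateAnonymousToken_SystemCall_Unknown:         ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtImpersonateAnonymousToken_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtImpersonateAnonymousToken ENDP

;-----------------------------------------------------------------------
; NtImpersonateClientOfPort -- direct system call stub.
; ABI/Out/Clobb: as NtGetNextProcess above. The service number is the
;        same (001fh) on every listed Windows 10 build, but the build
;        dispatch is kept so that unlisted builds still fail closed.
;-----------------------------------------------------------------------
NtImpersonateClientOfPort PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtImpersonateClientOfPort_Check_X_X_XXXX:       ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtImpersonateClientOfPort_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtImpersonateClientOfPort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtImpersonateClientOfPort_Check_10_0_XXXX
        jmp     NtImpersonateClientOfPort_SystemCall_Unknown
NtImpersonateClientOfPort_Check_6_X_XXXX:       ; Dispatch on OSMinorVersion (Vista/7/8/8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtImpersonateClientOfPort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtImpersonateClientOfPort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtImpersonateClientOfPort_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was compared against 2)
        je      NtImpersonateClientOfPort_SystemCall_6_3_XXXX
        jmp     NtImpersonateClientOfPort_SystemCall_Unknown
NtImpersonateClientOfPort_Check_6_0_XXXX:       ; Dispatch on OSBuildNumber (Vista).
        cmp     dword ptr [rax+120h], 6000
        je      NtImpersonateClientOfPort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtImpersonateClientOfPort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtImpersonateClientOfPort_SystemCall_6_0_6002
        jmp     NtImpersonateClientOfPort_SystemCall_Unknown
NtImpersonateClientOfPort_Check_6_1_XXXX:       ; Dispatch on OSBuildNumber (Windows 7).
        cmp     dword ptr [rax+120h], 7600
        je      NtImpersonateClientOfPort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtImpersonateClientOfPort_SystemCall_6_1_7601
        jmp     NtImpersonateClientOfPort_SystemCall_Unknown
NtImpersonateClientOfPort_Check_10_0_XXXX:      ; Dispatch on OSBuildNumber (Windows 10).
        cmp     dword ptr [rax+120h], 10240
        je      NtImpersonateClientOfPort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtImpersonateClientOfPort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtImpersonateClientOfPort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtImpersonateClientOfPort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtImpersonateClientOfPort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtImpersonateClientOfPort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtImpersonateClientOfPort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtImpersonateClientOfPort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtImpersonateClientOfPort_SystemCall_10_0_18363
        jmp     NtImpersonateClientOfPort_SystemCall_Unknown
NtImpersonateClientOfPort_SystemCall_5_X_XXXX:  ; Windows XP and Server 2003
        mov     eax, 001ch
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 001ch
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 001ch
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 001ch
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_1_7600:  ; Windows 7 SP0
        mov     eax, 001ch
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_1_7601:  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 001ch
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 001dh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 001eh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 001fh
        jmp     NtImpersonateClientOfPort_Epilogue
NtImpersonateClientOfPort_SystemCall_Unknown:   ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED: fail closed
        ret
NtImpersonateClientOfPort_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; arg 1 goes via r10
        syscall
        ret
NtImpersonateClientOfPort ENDP

NtImpersonateThread PROC
        mov     rax, gs:[60h]                   ; Load PEB into RAX.
NtImpersonateThread_Check_X_X_XXXX:             ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtImpersonateThread_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtImpersonateThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtImpersonateThread_Check_10_0_XXXX
        jmp     NtImpersonateThread_SystemCall_Unknown
NtImpersonateThread_Check_6_X_XXXX:             ; Check minor version for Windows Vista/7/8.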
cmp dword ptr [rax+11ch], 0 je NtImpersonateThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtImpersonateThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtImpersonateThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtImpersonateThread_SystemCall_6_3_XXXX jmp NtImpersonateThread_SystemCall_Unknown NtImpersonateThread_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtImpersonateThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtImpersonateThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtImpersonateThread_SystemCall_6_0_6002 jmp NtImpersonateThread_SystemCall_Unknown NtImpersonateThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtImpersonateThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtImpersonateThread_SystemCall_6_1_7601 jmp NtImpersonateThread_SystemCall_Unknown NtImpersonateThread_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtImpersonateThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtImpersonateThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtImpersonateThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtImpersonateThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtImpersonateThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtImpersonateThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtImpersonateThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtImpersonateThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtImpersonateThread_SystemCall_10_0_18363 jmp NtImpersonateThread_SystemCall_Unknown NtImpersonateThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00a3h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00d4h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_0_6001: 
; Windows Vista SP1 and Server 2008 SP0 mov eax, 00d2h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00d2h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00d5h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00d5h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00e7h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00eah jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00eeh jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00efh jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f1h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00f4h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00f5h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00f6h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00f7h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00f8h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00f8h jmp NtImpersonateThread_Epilogue NtImpersonateThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtImpersonateThread_Epilogue: mov r10, rcx syscall ret NtImpersonateThread ENDP NtInitializeEnclave PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtInitializeEnclave_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtInitializeEnclave_Check_10_0_XXXX jmp NtInitializeEnclave_SystemCall_Unknown NtInitializeEnclave_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10586 je NtInitializeEnclave_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtInitializeEnclave_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtInitializeEnclave_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtInitializeEnclave_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtInitializeEnclave_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtInitializeEnclave_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtInitializeEnclave_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtInitializeEnclave_SystemCall_10_0_18363 jmp NtInitializeEnclave_SystemCall_Unknown NtInitializeEnclave_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00f0h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f2h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00f5h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00f6h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00f7h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00f8h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00f9h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00f9h jmp NtInitializeEnclave_Epilogue NtInitializeEnclave_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtInitializeEnclave_Epilogue: mov r10, rcx syscall ret NtInitializeEnclave ENDP NtInitializeNlsFiles PROC mov rax, gs:[60h] ; Load PEB into RAX. NtInitializeNlsFiles_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtInitializeNlsFiles_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtInitializeNlsFiles_Check_10_0_XXXX jmp NtInitializeNlsFiles_SystemCall_Unknown NtInitializeNlsFiles_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtInitializeNlsFiles_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtInitializeNlsFiles_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtInitializeNlsFiles_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtInitializeNlsFiles_SystemCall_6_3_XXXX jmp NtInitializeNlsFiles_SystemCall_Unknown NtInitializeNlsFiles_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtInitializeNlsFiles_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtInitializeNlsFiles_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtInitializeNlsFiles_SystemCall_6_0_6002 jmp NtInitializeNlsFiles_SystemCall_Unknown NtInitializeNlsFiles_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtInitializeNlsFiles_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtInitializeNlsFiles_SystemCall_6_1_7601 jmp NtInitializeNlsFiles_SystemCall_Unknown NtInitializeNlsFiles_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtInitializeNlsFiles_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtInitializeNlsFiles_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtInitializeNlsFiles_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtInitializeNlsFiles_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtInitializeNlsFiles_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtInitializeNlsFiles_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtInitializeNlsFiles_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtInitializeNlsFiles_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtInitializeNlsFiles_SystemCall_10_0_18363 jmp NtInitializeNlsFiles_SystemCall_Unknown NtInitializeNlsFiles_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00d5h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00d3h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00d3h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00d6h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00d6h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00e8h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00ebh jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00efh jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00f1h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f3h jmp NtInitializeNlsFiles_Epilogue 
NtInitializeNlsFiles_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00f6h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00f7h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00f8h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00f9h jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00fah jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00fah jmp NtInitializeNlsFiles_Epilogue NtInitializeNlsFiles_SystemCall_Unknown: ; Unknown/unsupported version. ret NtInitializeNlsFiles_Epilogue: mov r10, rcx syscall ret NtInitializeNlsFiles ENDP NtInitializeRegistry PROC mov rax, gs:[60h] ; Load PEB into RAX. NtInitializeRegistry_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtInitializeRegistry_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtInitializeRegistry_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtInitializeRegistry_Check_10_0_XXXX jmp NtInitializeRegistry_SystemCall_Unknown NtInitializeRegistry_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtInitializeRegistry_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtInitializeRegistry_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtInitializeRegistry_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtInitializeRegistry_SystemCall_6_3_XXXX jmp NtInitializeRegistry_SystemCall_Unknown NtInitializeRegistry_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtInitializeRegistry_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtInitializeRegistry_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtInitializeRegistry_SystemCall_6_0_6002 jmp NtInitializeRegistry_SystemCall_Unknown NtInitializeRegistry_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtInitializeRegistry_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtInitializeRegistry_SystemCall_6_1_7601 jmp NtInitializeRegistry_SystemCall_Unknown NtInitializeRegistry_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtInitializeRegistry_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtInitializeRegistry_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtInitializeRegistry_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtInitializeRegistry_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtInitializeRegistry_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtInitializeRegistry_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtInitializeRegistry_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtInitializeRegistry_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtInitializeRegistry_SystemCall_10_0_18363 jmp NtInitializeRegistry_SystemCall_Unknown NtInitializeRegistry_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00a4h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00d6h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00d4h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00d4h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00d7h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_1_7601: 
; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00d7h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00e9h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00ech jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00f0h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00f2h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f4h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00f7h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00f8h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00f9h jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00fah jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00fbh jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00fbh jmp NtInitializeRegistry_Epilogue NtInitializeRegistry_SystemCall_Unknown: ; Unknown/unsupported version. ret NtInitializeRegistry_Epilogue: mov r10, rcx syscall ret NtInitializeRegistry ENDP NtInitiatePowerAction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtInitiatePowerAction_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtInitiatePowerAction_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtInitiatePowerAction_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtInitiatePowerAction_Check_10_0_XXXX jmp NtInitiatePowerAction_SystemCall_Unknown NtInitiatePowerAction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtInitiatePowerAction_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtInitiatePowerAction_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtInitiatePowerAction_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtInitiatePowerAction_SystemCall_6_3_XXXX jmp NtInitiatePowerAction_SystemCall_Unknown NtInitiatePowerAction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtInitiatePowerAction_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtInitiatePowerAction_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtInitiatePowerAction_SystemCall_6_0_6002 jmp NtInitiatePowerAction_SystemCall_Unknown NtInitiatePowerAction_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtInitiatePowerAction_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtInitiatePowerAction_SystemCall_6_1_7601 jmp NtInitiatePowerAction_SystemCall_Unknown NtInitiatePowerAction_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtInitiatePowerAction_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtInitiatePowerAction_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtInitiatePowerAction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtInitiatePowerAction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtInitiatePowerAction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtInitiatePowerAction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtInitiatePowerAction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtInitiatePowerAction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtInitiatePowerAction_SystemCall_10_0_18363 jmp NtInitiatePowerAction_SystemCall_Unknown NtInitiatePowerAction_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00a5h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00d7h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00d5h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00d5h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00d8h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00d8h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00eah jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00edh jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00f1h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00f3h jmp NtInitiatePowerAction_Epilogue 
NtInitiatePowerAction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f5h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00f8h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00f9h jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00fah jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00fbh jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00fch jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00fch jmp NtInitiatePowerAction_Epilogue NtInitiatePowerAction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtInitiatePowerAction_Epilogue: mov r10, rcx syscall ret NtInitiatePowerAction ENDP NtIsProcessInJob PROC mov rax, gs:[60h] ; Load PEB into RAX. NtIsProcessInJob_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtIsProcessInJob_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtIsProcessInJob_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtIsProcessInJob_Check_10_0_XXXX jmp NtIsProcessInJob_SystemCall_Unknown NtIsProcessInJob_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtIsProcessInJob_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtIsProcessInJob_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtIsProcessInJob_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtIsProcessInJob_SystemCall_6_3_XXXX jmp NtIsProcessInJob_SystemCall_Unknown NtIsProcessInJob_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtIsProcessInJob_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtIsProcessInJob_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtIsProcessInJob_SystemCall_6_0_6002 jmp NtIsProcessInJob_SystemCall_Unknown NtIsProcessInJob_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtIsProcessInJob_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtIsProcessInJob_SystemCall_6_1_7601 jmp NtIsProcessInJob_SystemCall_Unknown NtIsProcessInJob_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtIsProcessInJob_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtIsProcessInJob_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtIsProcessInJob_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtIsProcessInJob_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtIsProcessInJob_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtIsProcessInJob_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtIsProcessInJob_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtIsProcessInJob_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtIsProcessInJob_SystemCall_10_0_18363 jmp NtIsProcessInJob_SystemCall_Unknown NtIsProcessInJob_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 004ch jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 004ch jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 004ch jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 004ch jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 004ch jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 004ch jmp NtIsProcessInJob_Epilogue 
NtIsProcessInJob_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 004dh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 004eh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 004fh jmp NtIsProcessInJob_Epilogue NtIsProcessInJob_SystemCall_Unknown: ; Unknown/unsupported version. ret NtIsProcessInJob_Epilogue: mov r10, rcx syscall ret NtIsProcessInJob ENDP NtIsSystemResumeAutomatic PROC mov rax, gs:[60h] ; Load PEB into RAX. NtIsSystemResumeAutomatic_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtIsSystemResumeAutomatic_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtIsSystemResumeAutomatic_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtIsSystemResumeAutomatic_Check_10_0_XXXX jmp NtIsSystemResumeAutomatic_SystemCall_Unknown NtIsSystemResumeAutomatic_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtIsSystemResumeAutomatic_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtIsSystemResumeAutomatic_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtIsSystemResumeAutomatic_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtIsSystemResumeAutomatic_SystemCall_6_3_XXXX jmp NtIsSystemResumeAutomatic_SystemCall_Unknown NtIsSystemResumeAutomatic_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtIsSystemResumeAutomatic_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtIsSystemResumeAutomatic_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtIsSystemResumeAutomatic_SystemCall_6_0_6002 jmp NtIsSystemResumeAutomatic_SystemCall_Unknown NtIsSystemResumeAutomatic_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtIsSystemResumeAutomatic_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtIsSystemResumeAutomatic_SystemCall_6_1_7601 jmp NtIsSystemResumeAutomatic_SystemCall_Unknown NtIsSystemResumeAutomatic_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtIsSystemResumeAutomatic_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtIsSystemResumeAutomatic_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtIsSystemResumeAutomatic_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtIsSystemResumeAutomatic_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtIsSystemResumeAutomatic_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtIsSystemResumeAutomatic_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtIsSystemResumeAutomatic_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtIsSystemResumeAutomatic_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtIsSystemResumeAutomatic_SystemCall_10_0_18363 jmp NtIsSystemResumeAutomatic_SystemCall_Unknown NtIsSystemResumeAutomatic_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00a6h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00d8h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00d6h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00d6h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00d9h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00d9h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00ebh jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00eeh jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00f2h jmp NtIsSystemResumeAutomatic_Epilogue 
NtIsSystemResumeAutomatic_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00f4h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f6h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 00f9h jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 00fah jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 00fbh jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 00fch jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 00fdh jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 00fdh jmp NtIsSystemResumeAutomatic_Epilogue NtIsSystemResumeAutomatic_SystemCall_Unknown: ; Unknown/unsupported version. ret NtIsSystemResumeAutomatic_Epilogue: mov r10, rcx syscall ret NtIsSystemResumeAutomatic ENDP NtIsUILanguageComitted PROC mov rax, gs:[60h] ; Load PEB into RAX. NtIsUILanguageComitted_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtIsUILanguageComitted_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtIsUILanguageComitted_Check_10_0_XXXX jmp NtIsUILanguageComitted_SystemCall_Unknown NtIsUILanguageComitted_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtIsUILanguageComitted_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtIsUILanguageComitted_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtIsUILanguageComitted_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtIsUILanguageComitted_SystemCall_6_3_XXXX jmp NtIsUILanguageComitted_SystemCall_Unknown NtIsUILanguageComitted_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtIsUILanguageComitted_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtIsUILanguageComitted_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtIsUILanguageComitted_SystemCall_6_0_6002 jmp NtIsUILanguageComitted_SystemCall_Unknown NtIsUILanguageComitted_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtIsUILanguageComitted_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtIsUILanguageComitted_SystemCall_6_1_7601 jmp NtIsUILanguageComitted_SystemCall_Unknown NtIsUILanguageComitted_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtIsUILanguageComitted_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtIsUILanguageComitted_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtIsUILanguageComitted_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtIsUILanguageComitted_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtIsUILanguageComitted_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtIsUILanguageComitted_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtIsUILanguageComitted_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtIsUILanguageComitted_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtIsUILanguageComitted_SystemCall_10_0_18363 jmp NtIsUILanguageComitted_SystemCall_Unknown NtIsUILanguageComitted_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00d9h jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00d7h jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00d7h jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00dah jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00dah jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00ech jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00efh jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00f3h jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00f5h jmp NtIsUILanguageComitted_Epilogue NtIsUILanguageComitted_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 00f7h jmp 
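NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
        mov     eax, 00fah
        jmp     NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
        mov     eax, 00fbh
        jmp     NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
        mov     eax, 00fch
        jmp     NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
        mov     eax, 00fdh
        jmp     NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
        mov     eax, 00feh
        jmp     NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
        mov     eax, 00feh
        jmp     NtIsUILanguageComitted_Epilogue
NtIsUILanguageComitted_SystemCall_Unknown:      ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtIsUILanguageComitted_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtIsUILanguageComitted ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtListTransactions(...) -- direct syscall stub, MS x64 ABI.
; Picks the syscall number from PEB->OSMajorVersion ([PEB+118h]),
; OSMinorVersion ([PEB+11Ch]) and OSBuildNumber ([PEB+120h]).  Only
; Vista build 6000 is tabulated; every other version returns
; STATUS_NOT_IMPLEMENTED without issuing a syscall.
; rax holds the PEB pointer until the syscall number overwrites it.
;-----------------------------------------------------------------------
NtListTransactions PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtListTransactions_Check_X_X_XXXX:              ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 6
        je      NtListTransactions_Check_6_X_XXXX
        jmp     NtListTransactions_SystemCall_Unknown
NtListTransactions_Check_6_X_XXXX:              ; Minor version: only 6.0 (Vista) is tabulated.
        cmp     dword ptr [rax+11ch], 0
        je      NtListTransactions_Check_6_0_XXXX
        jmp     NtListTransactions_SystemCall_Unknown
NtListTransactions_Check_6_0_XXXX:              ; Build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtListTransactions_SystemCall_6_0_6000
        jmp     NtListTransactions_SystemCall_Unknown
NtListTransactions_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 00dah
        jmp     NtListTransactions_Epilogue
NtListTransactions_SystemCall_Unknown:          ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtListTransactions_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtListTransactions ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtListenPort(...) -- direct syscall stub, MS x64 ABI.
; Selects the syscall number from PEB->OSMajorVersion ([PEB+118h]),
; OSMinorVersion ([PEB+11Ch]) and OSBuildNumber ([PEB+120h]); versions
; not in the table return STATUS_NOT_IMPLEMENTED without a syscall.
; Fix: the Windows 8.1 branch compared the minor version against 2
; (twice) instead of 3, so 6.3 hosts always fell through to Unknown.
;-----------------------------------------------------------------------
NtListenPort PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtListenPort_Check_X_X_XXXX:                    ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtListenPort_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtListenPort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtListenPort_Check_10_0_XXXX
        jmp     NtListenPort_SystemCall_Unknown
NtListenPort_Check_6_X_XXXX:                    ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtListenPort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtListenPort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtListenPort_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtListenPort_SystemCall_6_3_XXXX
        jmp     NtListenPort_SystemCall_Unknown
NtListenPort_Check_6_0_XXXX:                    ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtListenPort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtListenPort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtListenPort_SystemCall_6_0_6002
        jmp     NtListenPort_SystemCall_Unknown
NtListenPort_Check_6_1_XXXX:                    ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtListenPort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtListenPort_SystemCall_6_1_7601
        jmp     NtListenPort_SystemCall_Unknown
NtListenPort_Check_10_0_XXXX:                   ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtListenPort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtListenPort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtListenPort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtListenPort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtListenPort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtListenPort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtListenPort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtListenPort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtListenPort_SystemCall_10_0_18363
        jmp     NtListenPort_SystemCall_Unknown
NtListenPort_SystemCall_5_X_XXXX:               ; Windows XP and Server 2003
        mov     eax, 00a7h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_0_6000:               ; Windows Vista SP0
        mov     eax, 00dbh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_0_6001:               ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00d8h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_0_6002:               ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00d8h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_1_7600:               ; Windows 7 SP0
        mov     eax, 00dbh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_1_7601:               ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00dbh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
        mov     eax, 00edh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f0h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
        mov     eax, 00f4h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
        mov     eax, 00f6h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
        mov     eax, 00f8h
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
        mov     eax, 00fbh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
        mov     eax, 00fch
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
        mov     eax, 00fdh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
        mov     eax, 00feh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
        mov     eax, 00ffh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
        mov     eax, 00ffh
        jmp     NtListenPort_Epilogue
NtListenPort_SystemCall_Unknown:                ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtListenPort_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtListenPort ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLoadDriver(...) -- direct syscall stub, MS x64 ABI.
; Same PEB-version dispatch as NtListenPort; unknown versions return
; STATUS_NOT_IMPLEMENTED.  Minor-version compare for 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLoadDriver PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLoadDriver_Check_X_X_XXXX:                    ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLoadDriver_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLoadDriver_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLoadDriver_Check_10_0_XXXX
        jmp     NtLoadDriver_SystemCall_Unknown
NtLoadDriver_Check_6_X_XXXX:                    ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLoadDriver_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLoadDriver_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLoadDriver_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLoadDriver_SystemCall_6_3_XXXX
        jmp     NtLoadDriver_SystemCall_Unknown
NtLoadDriver_Check_6_0_XXXX:                    ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLoadDriver_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLoadDriver_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLoadDriver_SystemCall_6_0_6002
        jmp     NtLoadDriver_SystemCall_Unknown
NtLoadDriver_Check_6_1_XXXX:                    ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLoadDriver_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLoadDriver_SystemCall_6_1_7601
        jmp     NtLoadDriver_SystemCall_Unknown
NtLoadDriver_Check_10_0_XXXX:                   ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLoadDriver_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLoadDriver_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLoadDriver_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLoadDriver_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLoadDriver_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLoadDriver_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLoadDriver_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLoadDriver_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLoadDriver_SystemCall_10_0_18363
        jmp     NtLoadDriver_SystemCall_Unknown
NtLoadDriver_SystemCall_5_X_XXXX:               ; Windows XP and Server 2003
        mov     eax, 00a8h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_0_6000:               ; Windows Vista SP0
        mov     eax, 00dch
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_0_6001:               ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00d9h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_0_6002:               ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00d9h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_1_7600:               ; Windows 7 SP0
        mov     eax, 00dch
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_1_7601:               ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00dch
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
        mov     eax, 00eeh
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f1h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
        mov     eax, 00f5h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
        mov     eax, 00f7h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
        mov     eax, 00f9h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
        mov     eax, 00fch
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
        mov     eax, 00fdh
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
        mov     eax, 00feh
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
        mov     eax, 00ffh
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
        mov     eax, 0100h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
        mov     eax, 0100h
        jmp     NtLoadDriver_Epilogue
NtLoadDriver_SystemCall_Unknown:                ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLoadDriver_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLoadDriver ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLoadEnclaveData(...) -- direct syscall stub, MS x64 ABI.
; Only Windows 10 builds 10586..18363 are tabulated (no 10240 entry);
; anything else returns STATUS_NOT_IMPLEMENTED without a syscall.
;-----------------------------------------------------------------------
NtLoadEnclaveData PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLoadEnclaveData_Check_X_X_XXXX:               ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 10
        je      NtLoadEnclaveData_Check_10_0_XXXX
        jmp     NtLoadEnclaveData_SystemCall_Unknown
NtLoadEnclaveData_Check_10_0_XXXX:              ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10586
        je      NtLoadEnclaveData_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLoadEnclaveData_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLoadEnclaveData_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLoadEnclaveData_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLoadEnclaveData_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLoadEnclaveData_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLoadEnclaveData_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLoadEnclaveData_SystemCall_10_0_18363
        jmp     NtLoadEnclaveData_SystemCall_Unknown
NtLoadEnclaveData_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 00f8h
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 00fah
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 00fdh
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 00feh
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 00ffh
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0100h
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0101h
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0101h
        jmp     NtLoadEnclaveData_Epilogue
NtLoadEnclaveData_SystemCall_Unknown:           ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLoadEnclaveData_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLoadEnclaveData ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLoadHotPatch(...) -- direct syscall stub, MS x64 ABI.
; Only Windows 10 builds 15063, 16299 and 17134 are tabulated; anything
; else returns STATUS_NOT_IMPLEMENTED without a syscall.
;-----------------------------------------------------------------------
NtLoadHotPatch PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLoadHotPatch_Check_X_X_XXXX:                  ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 10
        je      NtLoadHotPatch_Check_10_0_XXXX
        jmp     NtLoadHotPatch_SystemCall_Unknown
NtLoadHotPatch_Check_10_0_XXXX:                 ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 15063
        je      NtLoadHotPatch_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLoadHotPatch_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLoadHotPatch_SystemCall_10_0_17134
        jmp     NtLoadHotPatch_SystemCall_Unknown
NtLoadHotPatch_SystemCall_10_0_15063:           ; Windows 10.0.15063 (1703)
        mov     eax, 00feh
        jmp     NtLoadHotPatch_Epilogue
NtLoadHotPatch_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
        mov     eax, 00ffh
        jmp     NtLoadHotPatch_Epilogue
NtLoadHotPatch_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
        mov     eax, 0100h
        jmp     NtLoadHotPatch_Epilogue
NtLoadHotPatch_SystemCall_Unknown:              ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLoadHotPatch_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLoadHotPatch ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLoadKey(...) -- direct syscall stub, MS x64 ABI.
; Same PEB-version dispatch as NtListenPort; unknown versions return
; STATUS_NOT_IMPLEMENTED.  Minor-version compare for 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLoadKey PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLoadKey_Check_X_X_XXXX:                       ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLoadKey_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLoadKey_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLoadKey_Check_10_0_XXXX
        jmp     NtLoadKey_SystemCall_Unknown
NtLoadKey_Check_6_X_XXXX:                       ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLoadKey_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLoadKey_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLoadKey_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLoadKey_SystemCall_6_3_XXXX
        jmp     NtLoadKey_SystemCall_Unknown
NtLoadKey_Check_6_0_XXXX:                       ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLoadKey_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLoadKey_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLoadKey_SystemCall_6_0_6002
        jmp     NtLoadKey_SystemCall_Unknown
NtLoadKey_Check_6_1_XXXX:                       ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLoadKey_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLoadKey_SystemCall_6_1_7601
        jmp     NtLoadKey_SystemCall_Unknown
NtLoadKey_Check_10_0_XXXX:                      ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLoadKey_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLoadKey_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLoadKey_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLoadKey_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLoadKey_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLoadKey_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLoadKey_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLoadKey_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLoadKey_SystemCall_10_0_18363
        jmp     NtLoadKey_SystemCall_Unknown
NtLoadKey_SystemCall_5_X_XXXX:                  ; Windows XP and Server 2003
        mov     eax, 00a9h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_0_6000:                  ; Windows Vista SP0
        mov     eax, 00ddh
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_0_6001:                  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00dah
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_0_6002:                  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00dah
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_1_7600:                  ; Windows 7 SP0
        mov     eax, 00ddh
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_1_7601:                  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00ddh
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_2_XXXX:                  ; Windows 8 and Server 2012
        mov     eax, 00efh
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_6_3_XXXX:                  ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f2h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_10240:                ; Windows 10.0.10240 (1507)
        mov     eax, 00f6h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_10586:                ; Windows 10.0.10586 (1511)
        mov     eax, 00f9h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_14393:                ; Windows 10.0.14393 (1607)
        mov     eax, 00fbh
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_15063:                ; Windows 10.0.15063 (1703)
        mov     eax, 00ffh
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_16299:                ; Windows 10.0.16299 (1709)
        mov     eax, 0100h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_17134:                ; Windows 10.0.17134 (1803)
        mov     eax, 0101h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_17763:                ; Windows 10.0.17763 (1809)
        mov     eax, 0101h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_18362:                ; Windows 10.0.18362 (1903)
        mov     eax, 0102h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_10_0_18363:                ; Windows 10.0.18363 (1909)
        mov     eax, 0102h
        jmp     NtLoadKey_Epilogue
NtLoadKey_SystemCall_Unknown:                   ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLoadKey_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLoadKey ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLoadKey2(...) -- direct syscall stub, MS x64 ABI.
; Same PEB-version dispatch as NtListenPort; unknown versions return
; STATUS_NOT_IMPLEMENTED.  Minor-version compare for 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLoadKey2 PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLoadKey2_Check_X_X_XXXX:                      ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLoadKey2_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLoadKey2_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLoadKey2_Check_10_0_XXXX
        jmp     NtLoadKey2_SystemCall_Unknown
NtLoadKey2_Check_6_X_XXXX:                      ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLoadKey2_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLoadKey2_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLoadKey2_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLoadKey2_SystemCall_6_3_XXXX
        jmp     NtLoadKey2_SystemCall_Unknown
NtLoadKey2_Check_6_0_XXXX:                      ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLoadKey2_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLoadKey2_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLoadKey2_SystemCall_6_0_6002
        jmp     NtLoadKey2_SystemCall_Unknown
NtLoadKey2_Check_6_1_XXXX:                      ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLoadKey2_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLoadKey2_SystemCall_6_1_7601
        jmp     NtLoadKey2_SystemCall_Unknown
NtLoadKey2_Check_10_0_XXXX:                     ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLoadKey2_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLoadKey2_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLoadKey2_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLoadKey2_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLoadKey2_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLoadKey2_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLoadKey2_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLoadKey2_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLoadKey2_SystemCall_10_0_18363
        jmp     NtLoadKey2_SystemCall_Unknown
NtLoadKey2_SystemCall_5_X_XXXX:                 ; Windows XP and Server 2003
        mov     eax, 00aah
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_0_6000:                 ; Windows Vista SP0
        mov     eax, 00deh
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_0_6001:                 ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00dbh
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_0_6002:                 ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00dbh
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_1_7600:                 ; Windows 7 SP0
        mov     eax, 00deh
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_1_7601:                 ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00deh
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_2_XXXX:                 ; Windows 8 and Server 2012
        mov     eax, 00f0h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_6_3_XXXX:                 ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f3h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_10240:               ; Windows 10.0.10240 (1507)
        mov     eax, 00f7h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_10586:               ; Windows 10.0.10586 (1511)
        mov     eax, 00fah
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_14393:               ; Windows 10.0.14393 (1607)
        mov     eax, 00fch
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_15063:               ; Windows 10.0.15063 (1703)
        mov     eax, 0100h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_16299:               ; Windows 10.0.16299 (1709)
        mov     eax, 0101h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_17134:               ; Windows 10.0.17134 (1803)
        mov     eax, 0102h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_17763:               ; Windows 10.0.17763 (1809)
        mov     eax, 0102h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_18362:               ; Windows 10.0.18362 (1903)
        mov     eax, 0103h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_10_0_18363:               ; Windows 10.0.18363 (1909)
        mov     eax, 0103h
        jmp     NtLoadKey2_Epilogue
NtLoadKey2_SystemCall_Unknown:                  ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLoadKey2_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLoadKey2 ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLoadKeyEx(...) -- direct syscall stub, MS x64 ABI.
; Same PEB-version dispatch as NtListenPort; unknown versions return
; STATUS_NOT_IMPLEMENTED.  Minor-version compare for 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLoadKeyEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLoadKeyEx_Check_X_X_XXXX:                     ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLoadKeyEx_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLoadKeyEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLoadKeyEx_Check_10_0_XXXX
        jmp     NtLoadKeyEx_SystemCall_Unknown
NtLoadKeyEx_Check_6_X_XXXX:                     ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLoadKeyEx_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLoadKeyEx_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLoadKeyEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLoadKeyEx_SystemCall_6_3_XXXX
        jmp     NtLoadKeyEx_SystemCall_Unknown
NtLoadKeyEx_Check_6_0_XXXX:                     ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLoadKeyEx_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLoadKeyEx_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLoadKeyEx_SystemCall_6_0_6002
        jmp     NtLoadKeyEx_SystemCall_Unknown
NtLoadKeyEx_Check_6_1_XXXX:                     ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLoadKeyEx_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLoadKeyEx_SystemCall_6_1_7601
        jmp     NtLoadKeyEx_SystemCall_Unknown
NtLoadKeyEx_Check_10_0_XXXX:                    ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLoadKeyEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLoadKeyEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLoadKeyEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLoadKeyEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLoadKeyEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLoadKeyEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLoadKeyEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLoadKeyEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLoadKeyEx_SystemCall_10_0_18363
        jmp     NtLoadKeyEx_SystemCall_Unknown
NtLoadKeyEx_SystemCall_5_X_XXXX:                ; Windows XP and Server 2003
        mov     eax, 00abh
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 00dfh
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00dch
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00dch
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 00dfh
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00dfh
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 00f1h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f4h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 00f8h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 00fbh
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 00fdh
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 0101h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 0102h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 0103h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 0103h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 0104h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 0104h
        jmp     NtLoadKeyEx_Epilogue
NtLoadKeyEx_SystemCall_Unknown:                 ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLoadKeyEx_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLoadKeyEx ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLockFile(...) -- direct syscall stub, MS x64 ABI.
; Same PEB-version dispatch as NtListenPort; unknown versions return
; STATUS_NOT_IMPLEMENTED.  Minor-version compare for 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLockFile PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLockFile_Check_X_X_XXXX:                      ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLockFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLockFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLockFile_Check_10_0_XXXX
        jmp     NtLockFile_SystemCall_Unknown
NtLockFile_Check_6_X_XXXX:                      ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLockFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLockFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLockFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLockFile_SystemCall_6_3_XXXX
        jmp     NtLockFile_SystemCall_Unknown
NtLockFile_Check_6_0_XXXX:                      ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLockFile_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLockFile_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLockFile_SystemCall_6_0_6002
        jmp     NtLockFile_SystemCall_Unknown
NtLockFile_Check_6_1_XXXX:                      ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLockFile_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLockFile_SystemCall_6_1_7601
        jmp     NtLockFile_SystemCall_Unknown
NtLockFile_Check_10_0_XXXX:                     ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLockFile_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLockFile_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLockFile_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLockFile_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLockFile_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLockFile_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLockFile_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLockFile_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLockFile_SystemCall_10_0_18363
        jmp     NtLockFile_SystemCall_Unknown
NtLockFile_SystemCall_5_X_XXXX:                 ; Windows XP and Server 2003
        mov     eax, 00ach
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_0_6000:                 ; Windows Vista SP0
        mov     eax, 00e0h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_0_6001:                 ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00ddh
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_0_6002:                 ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00ddh
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_1_7600:                 ; Windows 7 SP0
        mov     eax, 00e0h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_1_7601:                 ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00e0h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_2_XXXX:                 ; Windows 8 and Server 2012
        mov     eax, 00f2h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_6_3_XXXX:                 ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f5h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_10240:               ; Windows 10.0.10240 (1507)
        mov     eax, 00f9h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_10586:               ; Windows 10.0.10586 (1511)
        mov     eax, 00fch
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_14393:               ; Windows 10.0.14393 (1607)
        mov     eax, 00feh
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_15063:               ; Windows 10.0.15063 (1703)
        mov     eax, 0102h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_16299:               ; Windows 10.0.16299 (1709)
        mov     eax, 0103h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_17134:               ; Windows 10.0.17134 (1803)
        mov     eax, 0104h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_17763:               ; Windows 10.0.17763 (1809)
        mov     eax, 0104h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_18362:               ; Windows 10.0.18362 (1903)
        mov     eax, 0105h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_10_0_18363:               ; Windows 10.0.18363 (1909)
        mov     eax, 0105h
        jmp     NtLockFile_Epilogue
NtLockFile_SystemCall_Unknown:                  ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLockFile_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLockFile ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLockProductActivationKeys(...) -- direct syscall stub,
; MS x64 ABI.  Same PEB-version dispatch as NtListenPort; unknown
; versions return STATUS_NOT_IMPLEMENTED.  Minor-version compare for
; 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLockProductActivationKeys PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLockProductActivationKeys_Check_X_X_XXXX:     ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLockProductActivationKeys_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLockProductActivationKeys_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLockProductActivationKeys_Check_10_0_XXXX
        jmp     NtLockProductActivationKeys_SystemCall_Unknown
NtLockProductActivationKeys_Check_6_X_XXXX:     ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLockProductActivationKeys_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLockProductActivationKeys_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLockProductActivationKeys_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLockProductActivationKeys_SystemCall_6_3_XXXX
        jmp     NtLockProductActivationKeys_SystemCall_Unknown
NtLockProductActivationKeys_Check_6_0_XXXX:     ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLockProductActivationKeys_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLockProductActivationKeys_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLockProductActivationKeys_SystemCall_6_0_6002
        jmp     NtLockProductActivationKeys_SystemCall_Unknown
NtLockProductActivationKeys_Check_6_1_XXXX:     ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLockProductActivationKeys_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLockProductActivationKeys_SystemCall_6_1_7601
        jmp     NtLockProductActivationKeys_SystemCall_Unknown
NtLockProductActivationKeys_Check_10_0_XXXX:    ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLockProductActivationKeys_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLockProductActivationKeys_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLockProductActivationKeys_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLockProductActivationKeys_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLockProductActivationKeys_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLockProductActivationKeys_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLockProductActivationKeys_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLockProductActivationKeys_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLockProductActivationKeys_SystemCall_10_0_18363
        jmp     NtLockProductActivationKeys_SystemCall_Unknown
NtLockProductActivationKeys_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 00adh
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 00e1h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00deh
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00deh
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 00e1h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00e1h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 00f3h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f6h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 00fah
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 00fdh
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 00ffh
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 0103h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 0104h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0105h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0105h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0106h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0106h
        jmp     NtLockProductActivationKeys_Epilogue
NtLockProductActivationKeys_SystemCall_Unknown:         ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLockProductActivationKeys_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLockProductActivationKeys ENDP

;-----------------------------------------------------------------------
; NTSTATUS NtLockRegistryKey(...) -- direct syscall stub, MS x64 ABI.
; Same PEB-version dispatch as NtListenPort; unknown versions return
; STATUS_NOT_IMPLEMENTED.  Minor-version compare for 6.3 fixed (was 2).
;-----------------------------------------------------------------------
NtLockRegistryKey PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLockRegistryKey_Check_X_X_XXXX:               ; Dispatch on major version.
        cmp     dword ptr [rax+118h], 5
        je      NtLockRegistryKey_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtLockRegistryKey_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtLockRegistryKey_Check_10_0_XXXX
        jmp     NtLockRegistryKey_SystemCall_Unknown
NtLockRegistryKey_Check_6_X_XXXX:               ; Minor version: 0 = Vista, 1 = 7, 2 = 8, 3 = 8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtLockRegistryKey_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtLockRegistryKey_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtLockRegistryKey_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: made the 6.3 branch unreachable
        je      NtLockRegistryKey_SystemCall_6_3_XXXX
        jmp     NtLockRegistryKey_SystemCall_Unknown
NtLockRegistryKey_Check_6_0_XXXX:               ; Build number for Windows Vista / Server 2008.
        cmp     dword ptr [rax+120h], 6000
        je      NtLockRegistryKey_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtLockRegistryKey_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtLockRegistryKey_SystemCall_6_0_6002
        jmp     NtLockRegistryKey_SystemCall_Unknown
NtLockRegistryKey_Check_6_1_XXXX:               ; Build number for Windows 7 / Server 2008 R2.
        cmp     dword ptr [rax+120h], 7600
        je      NtLockRegistryKey_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtLockRegistryKey_SystemCall_6_1_7601
        jmp     NtLockRegistryKey_SystemCall_Unknown
NtLockRegistryKey_Check_10_0_XXXX:              ; Build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtLockRegistryKey_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtLockRegistryKey_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtLockRegistryKey_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtLockRegistryKey_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtLockRegistryKey_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtLockRegistryKey_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtLockRegistryKey_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtLockRegistryKey_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtLockRegistryKey_SystemCall_10_0_18363
        jmp     NtLockRegistryKey_SystemCall_Unknown
NtLockRegistryKey_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
        mov     eax, 00aeh
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 00e2h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00dfh
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00dfh
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 00e2h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00e2h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 00f4h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 00f7h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 00fbh
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 00feh
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0100h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0104h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0105h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0106h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0106h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0107h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0107h
        jmp     NtLockRegistryKey_Epilogue
NtLockRegistryKey_SystemCall_Unknown:           ; No syscall number known for this OS version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; previously returned with rax = PEB pointer
        ret
NtLockRegistryKey_Epilogue:
        mov     r10, rcx                        ; x64 syscall convention: first argument travels in r10
        syscall
        ret
NtLockRegistryKey ENDP

NtLockVirtualMemory PROC
        mov     rax, gs:[60h]                   ; rax = PEB (TEB+60h)
NtLockVirtualMemory_Check_X_X_XXXX:             ; Dispatch on major version.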
cmp dword ptr [rax+118h], 5 je NtLockVirtualMemory_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtLockVirtualMemory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtLockVirtualMemory_Check_10_0_XXXX jmp NtLockVirtualMemory_SystemCall_Unknown NtLockVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtLockVirtualMemory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtLockVirtualMemory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtLockVirtualMemory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtLockVirtualMemory_SystemCall_6_3_XXXX jmp NtLockVirtualMemory_SystemCall_Unknown NtLockVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtLockVirtualMemory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtLockVirtualMemory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtLockVirtualMemory_SystemCall_6_0_6002 jmp NtLockVirtualMemory_SystemCall_Unknown NtLockVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtLockVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtLockVirtualMemory_SystemCall_6_1_7601 jmp NtLockVirtualMemory_SystemCall_Unknown NtLockVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtLockVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtLockVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtLockVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtLockVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtLockVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtLockVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtLockVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtLockVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtLockVirtualMemory_SystemCall_10_0_18363 jmp NtLockVirtualMemory_SystemCall_Unknown NtLockVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00afh jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00e3h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00e0h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00e0h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00e3h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00e3h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00f5h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00f8h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00fch jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 00ffh jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 
(1607) mov eax, 0101h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0105h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0106h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0107h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0107h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0108h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0108h jmp NtLockVirtualMemory_Epilogue NtLockVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtLockVirtualMemory_Epilogue: mov r10, rcx syscall ret NtLockVirtualMemory ENDP NtMakePermanentObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtMakePermanentObject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtMakePermanentObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtMakePermanentObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtMakePermanentObject_Check_10_0_XXXX jmp NtMakePermanentObject_SystemCall_Unknown NtMakePermanentObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtMakePermanentObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtMakePermanentObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtMakePermanentObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtMakePermanentObject_SystemCall_6_3_XXXX jmp NtMakePermanentObject_SystemCall_Unknown NtMakePermanentObject_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtMakePermanentObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtMakePermanentObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtMakePermanentObject_SystemCall_6_0_6002 jmp NtMakePermanentObject_SystemCall_Unknown NtMakePermanentObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtMakePermanentObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtMakePermanentObject_SystemCall_6_1_7601 jmp NtMakePermanentObject_SystemCall_Unknown NtMakePermanentObject_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtMakePermanentObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtMakePermanentObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtMakePermanentObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtMakePermanentObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtMakePermanentObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtMakePermanentObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtMakePermanentObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtMakePermanentObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtMakePermanentObject_SystemCall_10_0_18363 jmp NtMakePermanentObject_SystemCall_Unknown NtMakePermanentObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00b0h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00e4h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00e1h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00e1h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00e4h jmp NtMakePermanentObject_Epilogue 
NtMakePermanentObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00e4h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00f6h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00f9h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00fdh jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0100h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0102h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0106h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0107h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0108h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0108h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0109h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0109h jmp NtMakePermanentObject_Epilogue NtMakePermanentObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtMakePermanentObject_Epilogue: mov r10, rcx syscall ret NtMakePermanentObject ENDP NtMakeTemporaryObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtMakeTemporaryObject_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtMakeTemporaryObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtMakeTemporaryObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtMakeTemporaryObject_Check_10_0_XXXX jmp NtMakeTemporaryObject_SystemCall_Unknown NtMakeTemporaryObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtMakeTemporaryObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtMakeTemporaryObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtMakeTemporaryObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtMakeTemporaryObject_SystemCall_6_3_XXXX jmp NtMakeTemporaryObject_SystemCall_Unknown NtMakeTemporaryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtMakeTemporaryObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtMakeTemporaryObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtMakeTemporaryObject_SystemCall_6_0_6002 jmp NtMakeTemporaryObject_SystemCall_Unknown NtMakeTemporaryObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtMakeTemporaryObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtMakeTemporaryObject_SystemCall_6_1_7601 jmp NtMakeTemporaryObject_SystemCall_Unknown NtMakeTemporaryObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtMakeTemporaryObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtMakeTemporaryObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtMakeTemporaryObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtMakeTemporaryObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtMakeTemporaryObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtMakeTemporaryObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtMakeTemporaryObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtMakeTemporaryObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtMakeTemporaryObject_SystemCall_10_0_18363 jmp NtMakeTemporaryObject_SystemCall_Unknown NtMakeTemporaryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00b1h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00e5h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00e2h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00e2h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00e5h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00e5h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00f7h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00fah jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00feh jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0101h jmp NtMakeTemporaryObject_Epilogue 
NtMakeTemporaryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0103h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0107h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0108h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0109h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0109h jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 010ah jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 010ah jmp NtMakeTemporaryObject_Epilogue NtMakeTemporaryObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtMakeTemporaryObject_Epilogue: mov r10, rcx syscall ret NtMakeTemporaryObject ENDP NtManageHotPatch PROC mov rax, gs:[60h] ; Load PEB into RAX. NtManageHotPatch_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtManageHotPatch_Check_10_0_XXXX jmp NtManageHotPatch_SystemCall_Unknown NtManageHotPatch_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 17763 je NtManageHotPatch_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtManageHotPatch_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtManageHotPatch_SystemCall_10_0_18363 jmp NtManageHotPatch_SystemCall_Unknown NtManageHotPatch_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 010ah jmp NtManageHotPatch_Epilogue NtManageHotPatch_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 010bh jmp NtManageHotPatch_Epilogue NtManageHotPatch_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 010bh jmp NtManageHotPatch_Epilogue NtManageHotPatch_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtManageHotPatch_Epilogue: mov r10, rcx syscall ret NtManageHotPatch ENDP NtManagePartition PROC mov rax, gs:[60h] ; Load PEB into RAX. NtManagePartition_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtManagePartition_Check_10_0_XXXX jmp NtManagePartition_SystemCall_Unknown NtManagePartition_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtManagePartition_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtManagePartition_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtManagePartition_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtManagePartition_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtManagePartition_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtManagePartition_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtManagePartition_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtManagePartition_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtManagePartition_SystemCall_10_0_18363 jmp NtManagePartition_SystemCall_Unknown NtManagePartition_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 00ffh jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0102h jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0104h jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0108h jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0109h jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 010ah jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 010bh jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 010ch jmp 
NtManagePartition_Epilogue NtManagePartition_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 010ch jmp NtManagePartition_Epilogue NtManagePartition_SystemCall_Unknown: ; Unknown/unsupported version. ret NtManagePartition_Epilogue: mov r10, rcx syscall ret NtManagePartition ENDP NtMapCMFModule PROC mov rax, gs:[60h] ; Load PEB into RAX. NtMapCMFModule_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtMapCMFModule_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtMapCMFModule_Check_10_0_XXXX jmp NtMapCMFModule_SystemCall_Unknown NtMapCMFModule_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtMapCMFModule_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtMapCMFModule_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtMapCMFModule_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtMapCMFModule_SystemCall_6_3_XXXX jmp NtMapCMFModule_SystemCall_Unknown NtMapCMFModule_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtMapCMFModule_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtMapCMFModule_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtMapCMFModule_SystemCall_6_0_6002 jmp NtMapCMFModule_SystemCall_Unknown NtMapCMFModule_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtMapCMFModule_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtMapCMFModule_SystemCall_6_1_7601 jmp NtMapCMFModule_SystemCall_Unknown NtMapCMFModule_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtMapCMFModule_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtMapCMFModule_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtMapCMFModule_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtMapCMFModule_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtMapCMFModule_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtMapCMFModule_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtMapCMFModule_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtMapCMFModule_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtMapCMFModule_SystemCall_10_0_18363 jmp NtMapCMFModule_SystemCall_Unknown NtMapCMFModule_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00e6h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00e3h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00e3h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00e6h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00e6h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00f8h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 00fbh jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0100h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0103h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0105h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0109h jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 010ah jmp NtMapCMFModule_Epilogue 
NtMapCMFModule_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 010bh jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 010ch jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 010dh jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 010dh jmp NtMapCMFModule_Epilogue NtMapCMFModule_SystemCall_Unknown: ; Unknown/unsupported version. ret NtMapCMFModule_Epilogue: mov r10, rcx syscall ret NtMapCMFModule ENDP NtMapUserPhysicalPages PROC mov rax, gs:[60h] ; Load PEB into RAX. NtMapUserPhysicalPages_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtMapUserPhysicalPages_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtMapUserPhysicalPages_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtMapUserPhysicalPages_Check_10_0_XXXX jmp NtMapUserPhysicalPages_SystemCall_Unknown NtMapUserPhysicalPages_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtMapUserPhysicalPages_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtMapUserPhysicalPages_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtMapUserPhysicalPages_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtMapUserPhysicalPages_SystemCall_6_3_XXXX jmp NtMapUserPhysicalPages_SystemCall_Unknown NtMapUserPhysicalPages_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtMapUserPhysicalPages_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtMapUserPhysicalPages_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtMapUserPhysicalPages_SystemCall_6_0_6002 jmp NtMapUserPhysicalPages_SystemCall_Unknown NtMapUserPhysicalPages_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtMapUserPhysicalPages_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtMapUserPhysicalPages_SystemCall_6_1_7601 jmp NtMapUserPhysicalPages_SystemCall_Unknown NtMapUserPhysicalPages_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtMapUserPhysicalPages_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtMapUserPhysicalPages_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtMapUserPhysicalPages_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtMapUserPhysicalPages_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtMapUserPhysicalPages_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtMapUserPhysicalPages_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtMapUserPhysicalPages_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtMapUserPhysicalPages_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtMapUserPhysicalPages_SystemCall_10_0_18363 jmp NtMapUserPhysicalPages_SystemCall_Unknown NtMapUserPhysicalPages_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00b2h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00e7h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00e4h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00e4h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00e7h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00e7h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 00f9h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 
mov eax, 00fch jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0101h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0104h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0106h jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 010ah jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 010bh jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 010ch jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 010dh jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 010eh jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 010eh jmp NtMapUserPhysicalPages_Epilogue NtMapUserPhysicalPages_SystemCall_Unknown: ; Unknown/unsupported version. ret NtMapUserPhysicalPages_Epilogue: mov r10, rcx syscall ret NtMapUserPhysicalPages ENDP NtMapUserPhysicalPagesScatter PROC mov rax, gs:[60h] ; Load PEB into RAX. NtMapUserPhysicalPagesScatter_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtMapUserPhysicalPagesScatter_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtMapUserPhysicalPagesScatter_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtMapUserPhysicalPagesScatter_Check_10_0_XXXX jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown NtMapUserPhysicalPagesScatter_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtMapUserPhysicalPagesScatter_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtMapUserPhysicalPagesScatter_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtMapUserPhysicalPagesScatter_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtMapUserPhysicalPagesScatter_SystemCall_6_3_XXXX jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown NtMapUserPhysicalPagesScatter_Check_6_0_XXXX: ; Check build number for Windows Vista. jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown NtMapUserPhysicalPagesScatter_Check_6_1_XXXX: ; Check build number for Windows 7. jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown NtMapUserPhysicalPagesScatter_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtMapUserPhysicalPagesScatter_SystemCall_10_0_18363 jmp NtMapUserPhysicalPagesScatter_SystemCall_Unknown NtMapUserPhysicalPagesScatter_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0000h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0000h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0000h jmp NtMapUserPhysicalPagesScatter_Epilogue 
NtMapUserPhysicalPagesScatter_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0000h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0000h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0000h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0001h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0002h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue NtMapUserPhysicalPagesScatter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0003h jmp NtMapUserPhysicalPagesScatter_Epilogue 
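NtMapUserPhysicalPagesScatter_SystemCall_Unknown: ; Unknown/unsupported version.
    ret                                 ; NOTE(review): kept as-is; returns with rax unchanged (by the pattern of the
                                        ; other stubs that is the PEB pointer), which the caller reads as an NTSTATUS
NtMapUserPhysicalPagesScatter_Epilogue:
    mov     r10, rcx                    ; `syscall` clobbers rcx; the kernel takes argument 1 in r10
    syscall
    ret
NtMapUserPhysicalPagesScatter ENDP

;-----------------------------------------------------------------------
; Version-dispatched Nt* system-call stubs (x64, Microsoft x64 ABI).
;
; Each stub reads the OS version out of the PEB (reached through
; TEB.ProcessEnvironmentBlock at gs:[60h]), picks the system-service
; number recorded for the running build, then issues `syscall` with the
; caller's argument registers untouched.  The dispatch is generated by
; SYSCALL_STUB so the version tests are written once rather than once
; per stub.  The hand-expanded stubs immediately before and after this
; section (NtMapUserPhysicalPagesScatter above, NtOpenDirectoryObject
; below) keep their original form.
;
; Two defects of the hand-expanded form are fixed by the generator:
;   * the Windows 8.1 branch compared PEB.OSMinorVersion with 2 (the
;     value already tested for Windows 8) instead of 3, so version 6.3
;     always fell through to the "unknown" path;
;   * the "unknown" path returned with rax still holding the PEB
;     pointer, so callers received an arbitrary value instead of a
;     failing NTSTATUS.
;-----------------------------------------------------------------------

PEB_OSMAJORVERSION      = 118h          ; PEB.OSMajorVersion  (dword)
PEB_OSMINORVERSION      = 11ch          ; PEB.OSMinorVersion  (dword)
PEB_OSBUILDNUMBER       = 120h          ; PEB.OSBuildNumber   (dword)
STATUS_NOT_IMPLEMENTED  = 0C0000002h    ; NTSTATUS returned when no service number is known

;-----------------------------------------------------------------------
; SYSCALL_VERSION major, minor, build, nr, epilogue
;   Emits one version test.  If PEB.OSMajorVersion == major (and, when
;   given, PEB.OSMinorVersion == minor and PEB.OSBuildNumber == build)
;   loads `nr` into eax and jumps to `epilogue`; otherwise falls through
;   to whatever follows.  A blank `minor` or `build` means "any value".
;   Expects rax = PEB.  Used only from SYSCALL_STUB.
;-----------------------------------------------------------------------
SYSCALL_VERSION MACRO major, minor, build, nr, epilogue
    cmp     dword ptr [rax+PEB_OSMAJORVERSION], major
    jne     @F
    IFNB <minor>
    cmp     dword ptr [rax+PEB_OSMINORVERSION], minor
    jne     @F
    ENDIF
    IFNB <build>
    cmp     dword ptr [rax+PEB_OSBUILDNUMBER], build
    jne     @F
    ENDIF
    mov     eax, nr                     ; 32-bit write zero-extends into rax
    jmp     epilogue
@@:
ENDM

;-----------------------------------------------------------------------
; SYSCALL_STUB proc_name, <major,minor,build,nr> [, <...>]
;   Defines `proc_name` as a PROC that resolves the system-service
;   number for the running OS and performs the system call.  Each
;   angle-bracketed tuple is one supported version (see SYSCALL_VERSION);
;   tuples are tested in the order given.  When no tuple matches the
;   stub returns STATUS_NOT_IMPLEMENTED without entering the kernel.
;   In:       rcx, rdx, r8, r9 and the stack = the system call's arguments
;   Out:      eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED
;   Clobbers: rax, r10, flags; `syscall` itself clobbers rcx and r11
;-----------------------------------------------------------------------
SYSCALL_STUB MACRO proc_name:REQ, versions:VARARG
    LOCAL   epilogue
proc_name PROC
    mov     rax, gs:[60h]               ; rax = PEB (TEB.ProcessEnvironmentBlock)
    FOR     vers, <versions>
    SYSCALL_VERSION vers, epilogue
    ENDM
    mov     eax, STATUS_NOT_IMPLEMENTED ; no number recorded for this build
    ret
epilogue:
    mov     r10, rcx                    ; `syscall` clobbers rcx; the kernel takes argument 1 in r10
    syscall
    ret
proc_name ENDP
ENDM

; Tuple layout: <OSMajorVersion, OSMinorVersion, OSBuildNumber, service number>.
;   <5,,,nr>          Windows XP / Server 2003 (any 5.x build)
;   <6,0,600x,nr>     Windows Vista / Server 2008 by build
;   <6,1,760x,nr>     Windows 7 / Server 2008 R2 by build
;   <6,2,,nr>         Windows 8 / Server 2012 (any build)
;   <6,3,,nr>         Windows 8.1 / Server 2012 R2 (any build)
;   <10,,build,nr>    Windows 10 by build (10240 = 1507 ... 18363 = 1909)

SYSCALL_STUB NtMapViewOfSection, \
    <5,,,0025h>, \
    <6,0,6000,0025h>, \
    <6,0,6001,0025h>, \
    <6,0,6002,0025h>, \
    <6,1,7600,0025h>, \
    <6,1,7601,0025h>, \
    <6,2,,0026h>, \
    <6,3,,0027h>, \
    <10,,10240,0028h>, \
    <10,,10586,0028h>, \
    <10,,14393,0028h>, \
    <10,,15063,0028h>, \
    <10,,16299,0028h>, \
    <10,,17134,0028h>, \
    <10,,17763,0028h>, \
    <10,,18362,0028h>, \
    <10,,18363,0028h>

SYSCALL_STUB NtMapViewOfSectionEx, \
    <10,,17134,010dh>, \
    <10,,17763,010eh>, \
    <10,,18362,010fh>, \
    <10,,18363,010fh>

SYSCALL_STUB NtMarshallTransaction, \
    <6,0,6000,00e8h>

SYSCALL_STUB NtModifyBootEntry, \
    <5,,,00b3h>, \
    <6,0,6000,00e9h>, \
    <6,0,6001,00e5h>, \
    <6,0,6002,00e5h>, \
    <6,1,7600,00e8h>, \
    <6,1,7601,00e8h>, \
    <6,2,,00fah>, \
    <6,3,,00fdh>, \
    <10,,10240,0102h>, \
    <10,,10586,0105h>, \
    <10,,14393,0107h>, \
    <10,,15063,010bh>, \
    <10,,16299,010ch>, \
    <10,,17134,010eh>, \
    <10,,17763,010fh>, \
    <10,,18362,0110h>, \
    <10,,18363,0110h>

SYSCALL_STUB NtModifyDriverEntry, \
    <5,,,00b4h>, \
    <6,0,6000,00eah>, \
    <6,0,6001,00e6h>, \
    <6,0,6002,00e6h>, \
    <6,1,7600,00e9h>, \
    <6,1,7601,00e9h>, \
    <6,2,,00fbh>, \
    <6,3,,00feh>, \
    <10,,10240,0103h>, \
    <10,,10586,0106h>, \
    <10,,14393,0108h>, \
    <10,,15063,010ch>, \
    <10,,16299,010dh>, \
    <10,,17134,010fh>, \
    <10,,17763,0110h>, \
    <10,,18362,0111h>, \
    <10,,18363,0111h>

SYSCALL_STUB NtNotifyChangeDirectoryFile, \
    <5,,,00b5h>, \
    <6,0,6000,00ebh>, \
    <6,0,6001,00e7h>, \
    <6,0,6002,00e7h>, \
    <6,1,7600,00eah>, \
    <6,1,7601,00eah>, \
    <6,2,,00fch>, \
    <6,3,,00ffh>, \
    <10,,10240,0104h>, \
    <10,,10586,0107h>, \
    <10,,14393,0109h>, \
    <10,,15063,010dh>, \
    <10,,16299,010eh>, \
    <10,,17134,0110h>, \
    <10,,17763,0111h>, \
    <10,,18362,0112h>, \
    <10,,18363,0112h>

SYSCALL_STUB NtNotifyChangeDirectoryFileEx, \
    <10,,16299,010fh>, \
    <10,,17134,0111h>, \
    <10,,17763,0112h>, \
    <10,,18362,0113h>, \
    <10,,18363,0113h>

SYSCALL_STUB NtNotifyChangeKey, \
    <5,,,00b6h>, \
    <6,0,6000,00ech>, \
    <6,0,6001,00e8h>, \
    <6,0,6002,00e8h>, \
    <6,1,7600,00ebh>, \
    <6,1,7601,00ebh>, \
    <6,2,,00fdh>, \
    <6,3,,0100h>, \
    <10,,10240,0105h>, \
    <10,,10586,0108h>, \
    <10,,14393,010ah>, \
    <10,,15063,010eh>, \
    <10,,16299,0110h>, \
    <10,,17134,0112h>, \
    <10,,17763,0113h>, \
    <10,,18362,0114h>, \
    <10,,18363,0114h>

SYSCALL_STUB NtNotifyChangeMultipleKeys, \
    <5,,,00b7h>, \
    <6,0,6000,00edh>, \
    <6,0,6001,00e9h>, \
    <6,0,6002,00e9h>, \
    <6,1,7600,00ech>, \
    <6,1,7601,00ech>, \
    <6,2,,00feh>, \
    <6,3,,0101h>, \
    <10,,10240,0106h>, \
    <10,,10586,0109h>, \
    <10,,14393,010bh>, \
    <10,,15063,010fh>, \
    <10,,16299,0111h>, \
    <10,,17134,0113h>, \
    <10,,17763,0114h>, \
    <10,,18362,0115h>, \
    <10,,18363,0115h>

; No 5.x or 6.0 numbers are recorded for NtNotifyChangeSession; those
; versions take the STATUS_NOT_IMPLEMENTED path.
SYSCALL_STUB NtNotifyChangeSession, \
    <6,1,7600,00edh>, \
    <6,1,7601,00edh>, \
    <6,2,,00ffh>, \
    <6,3,,0102h>, \
    <10,,10240,0107h>, \
    <10,,10586,010ah>, \
    <10,,14393,010ch>, \
    <10,,15063,0110h>, \
    <10,,16299,0112h>, \
    <10,,17134,0114h>, \
    <10,,17763,0115h>, \
    <10,,18362,0116h>, \
    <10,,18363,0116h>

; NtOpenDirectoryObject keeps the hand-expanded layout and continues
; below this point.  NOTE(review): its minor-version test still compares
; the 6.3 branch against 2 (see its SystemCall_6_3_XXXX dispatch), so
; Windows 8.1 falls through to its unknown path.
NtOpenDirectoryObject PROC
    mov     rax, gs:[60h]               ; Load PEB into RAX.
NtOpenDirectoryObject_Check_X_X_XXXX:   ; Check major version.
    cmp     dword ptr [rax+118h], 5
    je      NtOpenDirectoryObject_SystemCall_5_X_XXXX
    cmp     dword ptr [rax+118h], 6
    je      NtOpenDirectoryObject_Check_6_X_XXXX
    cmp     dword ptr [rax+118h], 10
    je      NtOpenDirectoryObject_Check_10_0_XXXX
    jmp     NtOpenDirectoryObject_SystemCall_Unknown
NtOpenDirectoryObject_Check_6_X_XXXX:   ; Check minor version for Windows Vista/7/8.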
cmp dword ptr [rax+11ch], 0 je NtOpenDirectoryObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenDirectoryObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenDirectoryObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenDirectoryObject_SystemCall_6_3_XXXX jmp NtOpenDirectoryObject_SystemCall_Unknown NtOpenDirectoryObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenDirectoryObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenDirectoryObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenDirectoryObject_SystemCall_6_0_6002 jmp NtOpenDirectoryObject_SystemCall_Unknown NtOpenDirectoryObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenDirectoryObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenDirectoryObject_SystemCall_6_1_7601 jmp NtOpenDirectoryObject_SystemCall_Unknown NtOpenDirectoryObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenDirectoryObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenDirectoryObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenDirectoryObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenDirectoryObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenDirectoryObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenDirectoryObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenDirectoryObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenDirectoryObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenDirectoryObject_SystemCall_10_0_18363 jmp NtOpenDirectoryObject_SystemCall_Unknown NtOpenDirectoryObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0055h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0055h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0055h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0055h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0055h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0055h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0056h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0057h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue 
NtOpenDirectoryObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0058h jmp NtOpenDirectoryObject_Epilogue NtOpenDirectoryObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenDirectoryObject_Epilogue: mov r10, rcx syscall ret NtOpenDirectoryObject ENDP NtOpenEnlistment PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenEnlistment_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtOpenEnlistment_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenEnlistment_Check_10_0_XXXX jmp NtOpenEnlistment_SystemCall_Unknown NtOpenEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenEnlistment_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenEnlistment_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenEnlistment_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenEnlistment_SystemCall_6_3_XXXX jmp NtOpenEnlistment_SystemCall_Unknown NtOpenEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtOpenEnlistment_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenEnlistment_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenEnlistment_SystemCall_6_0_6002 jmp NtOpenEnlistment_SystemCall_Unknown NtOpenEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenEnlistment_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenEnlistment_SystemCall_6_1_7601 jmp NtOpenEnlistment_SystemCall_Unknown NtOpenEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenEnlistment_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenEnlistment_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenEnlistment_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenEnlistment_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenEnlistment_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenEnlistment_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenEnlistment_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenEnlistment_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenEnlistment_SystemCall_10_0_18363 jmp NtOpenEnlistment_SystemCall_Unknown NtOpenEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00eeh jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00eah jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00eah jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00eeh jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00eeh jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0100h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_6_3_XXXX: 
; Windows 8.1 and Server 2012 R2 mov eax, 0103h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0108h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 010bh jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 010dh jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0111h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0113h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0115h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0116h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0117h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0117h jmp NtOpenEnlistment_Epilogue NtOpenEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenEnlistment_Epilogue: mov r10, rcx syscall ret NtOpenEnlistment ENDP NtOpenEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenEvent_Check_10_0_XXXX jmp NtOpenEvent_SystemCall_Unknown NtOpenEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenEvent_SystemCall_6_3_XXXX jmp NtOpenEvent_SystemCall_Unknown NtOpenEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtOpenEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenEvent_SystemCall_6_0_6002 jmp NtOpenEvent_SystemCall_Unknown NtOpenEvent_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenEvent_SystemCall_6_1_7601 jmp NtOpenEvent_SystemCall_Unknown NtOpenEvent_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenEvent_SystemCall_10_0_18363 jmp NtOpenEvent_SystemCall_Unknown NtOpenEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 003dh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 003dh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 003dh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 003dh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 003dh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 003dh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 003eh jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 003fh jmp 
NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0040h jmp NtOpenEvent_Epilogue NtOpenEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenEvent_Epilogue: mov r10, rcx syscall ret NtOpenEvent ENDP NtOpenEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenEventPair_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenEventPair_Check_10_0_XXXX jmp NtOpenEventPair_SystemCall_Unknown NtOpenEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenEventPair_SystemCall_6_3_XXXX jmp NtOpenEventPair_SystemCall_Unknown NtOpenEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtOpenEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenEventPair_SystemCall_6_0_6002 jmp NtOpenEventPair_SystemCall_Unknown NtOpenEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenEventPair_SystemCall_6_1_7601 jmp NtOpenEventPair_SystemCall_Unknown NtOpenEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenEventPair_SystemCall_10_0_18363 jmp NtOpenEventPair_SystemCall_Unknown NtOpenEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00b8h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00efh jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00ebh jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00ebh jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00efh jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00efh jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 
mov eax, 0101h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0104h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0109h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 010ch jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 010eh jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0112h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0114h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0116h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0117h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0118h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0118h jmp NtOpenEventPair_Epilogue NtOpenEventPair_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenEventPair_Epilogue: mov r10, rcx syscall ret NtOpenEventPair ENDP NtOpenFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenFile_Check_10_0_XXXX jmp NtOpenFile_SystemCall_Unknown NtOpenFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtOpenFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenFile_SystemCall_6_3_XXXX jmp NtOpenFile_SystemCall_Unknown NtOpenFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenFile_SystemCall_6_0_6002 jmp NtOpenFile_SystemCall_Unknown NtOpenFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenFile_SystemCall_6_1_7601 jmp NtOpenFile_SystemCall_Unknown NtOpenFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenFile_SystemCall_10_0_18363 jmp NtOpenFile_SystemCall_Unknown NtOpenFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0030h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0030h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0030h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0030h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0030h jmp 
NtOpenFile_Epilogue NtOpenFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0030h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0031h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0032h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0033h jmp NtOpenFile_Epilogue NtOpenFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenFile_Epilogue: mov r10, rcx syscall ret NtOpenFile ENDP NtOpenIoCompletion PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenIoCompletion_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenIoCompletion_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenIoCompletion_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenIoCompletion_Check_10_0_XXXX jmp NtOpenIoCompletion_SystemCall_Unknown NtOpenIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtOpenIoCompletion_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenIoCompletion_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenIoCompletion_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenIoCompletion_SystemCall_6_3_XXXX jmp NtOpenIoCompletion_SystemCall_Unknown NtOpenIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenIoCompletion_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenIoCompletion_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenIoCompletion_SystemCall_6_0_6002 jmp NtOpenIoCompletion_SystemCall_Unknown NtOpenIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenIoCompletion_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenIoCompletion_SystemCall_6_1_7601 jmp NtOpenIoCompletion_SystemCall_Unknown NtOpenIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenIoCompletion_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenIoCompletion_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenIoCompletion_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenIoCompletion_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenIoCompletion_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenIoCompletion_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenIoCompletion_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenIoCompletion_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenIoCompletion_SystemCall_10_0_18363 jmp NtOpenIoCompletion_SystemCall_Unknown NtOpenIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00b9h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f0h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 
2008 SP0 mov eax, 00ech jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00ech jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f0h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f0h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0102h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0105h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 010ah jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 010dh jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 010fh jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0113h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0115h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0117h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0118h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0119h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0119h jmp NtOpenIoCompletion_Epilogue NtOpenIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenIoCompletion_Epilogue: mov r10, rcx syscall ret NtOpenIoCompletion ENDP NtOpenJobObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenJobObject_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtOpenJobObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenJobObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenJobObject_Check_10_0_XXXX jmp NtOpenJobObject_SystemCall_Unknown NtOpenJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenJobObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenJobObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenJobObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenJobObject_SystemCall_6_3_XXXX jmp NtOpenJobObject_SystemCall_Unknown NtOpenJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenJobObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenJobObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenJobObject_SystemCall_6_0_6002 jmp NtOpenJobObject_SystemCall_Unknown NtOpenJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenJobObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenJobObject_SystemCall_6_1_7601 jmp NtOpenJobObject_SystemCall_Unknown NtOpenJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenJobObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenJobObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenJobObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenJobObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenJobObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenJobObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenJobObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenJobObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenJobObject_SystemCall_10_0_18363 jmp NtOpenJobObject_SystemCall_Unknown NtOpenJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00bah jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f1h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00edh jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00edh jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f1h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f1h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0103h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0106h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 010bh jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 010eh jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0110h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 
0114h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0116h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0118h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0119h jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 011ah jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 011ah jmp NtOpenJobObject_Epilogue NtOpenJobObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenJobObject_Epilogue: mov r10, rcx syscall ret NtOpenJobObject ENDP NtOpenKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenKey_Check_10_0_XXXX jmp NtOpenKey_SystemCall_Unknown NtOpenKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKey_SystemCall_6_3_XXXX jmp NtOpenKey_SystemCall_Unknown NtOpenKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenKey_SystemCall_6_0_6002 jmp NtOpenKey_SystemCall_Unknown NtOpenKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenKey_SystemCall_6_1_7601 jmp NtOpenKey_SystemCall_Unknown NtOpenKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenKey_SystemCall_10_0_18363 jmp NtOpenKey_SystemCall_Unknown NtOpenKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 000fh jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 000fh jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 000fh jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 000fh jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 000fh jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 000fh jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0010h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0011h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 
0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0012h jmp NtOpenKey_Epilogue NtOpenKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenKey_Epilogue: mov r10, rcx syscall ret NtOpenKey ENDP NtOpenKeyEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenKeyEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtOpenKeyEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenKeyEx_Check_10_0_XXXX jmp NtOpenKeyEx_SystemCall_Unknown NtOpenKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtOpenKeyEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyEx_SystemCall_6_3_XXXX jmp NtOpenKeyEx_SystemCall_Unknown NtOpenKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenKeyEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenKeyEx_SystemCall_6_1_7601 jmp NtOpenKeyEx_SystemCall_Unknown NtOpenKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenKeyEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenKeyEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenKeyEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenKeyEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenKeyEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenKeyEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenKeyEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenKeyEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenKeyEx_SystemCall_10_0_18363 jmp NtOpenKeyEx_SystemCall_Unknown NtOpenKeyEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f2h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f2h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0104h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0107h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 010ch jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 010fh jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0111h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0115h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0117h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0119h jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 011ah jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 011bh jmp NtOpenKeyEx_Epilogue NtOpenKeyEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 011bh jmp NtOpenKeyEx_Epilogue 
NtOpenKeyEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenKeyEx_Epilogue: mov r10, rcx syscall ret NtOpenKeyEx ENDP NtOpenKeyTransacted PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenKeyTransacted_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtOpenKeyTransacted_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenKeyTransacted_Check_10_0_XXXX jmp NtOpenKeyTransacted_SystemCall_Unknown NtOpenKeyTransacted_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenKeyTransacted_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenKeyTransacted_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyTransacted_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyTransacted_SystemCall_6_3_XXXX jmp NtOpenKeyTransacted_SystemCall_Unknown NtOpenKeyTransacted_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenKeyTransacted_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenKeyTransacted_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenKeyTransacted_SystemCall_6_0_6002 jmp NtOpenKeyTransacted_SystemCall_Unknown NtOpenKeyTransacted_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenKeyTransacted_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenKeyTransacted_SystemCall_6_1_7601 jmp NtOpenKeyTransacted_SystemCall_Unknown NtOpenKeyTransacted_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenKeyTransacted_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenKeyTransacted_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenKeyTransacted_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenKeyTransacted_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenKeyTransacted_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenKeyTransacted_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenKeyTransacted_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenKeyTransacted_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenKeyTransacted_SystemCall_10_0_18363 jmp NtOpenKeyTransacted_SystemCall_Unknown NtOpenKeyTransacted_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f2h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00eeh jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00eeh jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f3h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f3h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0105h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0108h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 010dh jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0110h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0112h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_15063: ; Windows 10.0.15063 
(1703) mov eax, 0116h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0118h jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 011ah jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 011bh jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 011ch jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 011ch jmp NtOpenKeyTransacted_Epilogue NtOpenKeyTransacted_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenKeyTransacted_Epilogue: mov r10, rcx syscall ret NtOpenKeyTransacted ENDP NtOpenKeyTransactedEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenKeyTransactedEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtOpenKeyTransactedEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenKeyTransactedEx_Check_10_0_XXXX jmp NtOpenKeyTransactedEx_SystemCall_Unknown NtOpenKeyTransactedEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtOpenKeyTransactedEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyTransactedEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyTransactedEx_SystemCall_6_3_XXXX jmp NtOpenKeyTransactedEx_SystemCall_Unknown NtOpenKeyTransactedEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenKeyTransactedEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenKeyTransactedEx_SystemCall_6_1_7601 jmp NtOpenKeyTransactedEx_SystemCall_Unknown NtOpenKeyTransactedEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenKeyTransactedEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenKeyTransactedEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenKeyTransactedEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenKeyTransactedEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenKeyTransactedEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenKeyTransactedEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenKeyTransactedEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenKeyTransactedEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenKeyTransactedEx_SystemCall_10_0_18363 jmp NtOpenKeyTransactedEx_SystemCall_Unknown NtOpenKeyTransactedEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f4h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f4h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0106h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0109h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 010eh jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0111h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0113h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0117h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0119h jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 011bh jmp NtOpenKeyTransactedEx_Epilogue 
NtOpenKeyTransactedEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 011ch jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 011dh jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 011dh jmp NtOpenKeyTransactedEx_Epilogue NtOpenKeyTransactedEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenKeyTransactedEx_Epilogue: mov r10, rcx syscall ret NtOpenKeyTransactedEx ENDP NtOpenKeyedEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenKeyedEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenKeyedEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenKeyedEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenKeyedEvent_Check_10_0_XXXX jmp NtOpenKeyedEvent_SystemCall_Unknown NtOpenKeyedEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenKeyedEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenKeyedEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyedEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenKeyedEvent_SystemCall_6_3_XXXX jmp NtOpenKeyedEvent_SystemCall_Unknown NtOpenKeyedEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenKeyedEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenKeyedEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenKeyedEvent_SystemCall_6_0_6002 jmp NtOpenKeyedEvent_SystemCall_Unknown NtOpenKeyedEvent_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenKeyedEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenKeyedEvent_SystemCall_6_1_7601 jmp NtOpenKeyedEvent_SystemCall_Unknown NtOpenKeyedEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenKeyedEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenKeyedEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenKeyedEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenKeyedEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenKeyedEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenKeyedEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenKeyedEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenKeyedEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenKeyedEvent_SystemCall_10_0_18363 jmp NtOpenKeyedEvent_SystemCall_Unknown NtOpenKeyedEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00bbh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f3h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00efh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00efh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f5h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f5h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0107h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 010ah jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 010fh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0112h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0114h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_15063: ; 
Windows 10.0.15063 (1703) mov eax, 0118h jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 011ah jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 011ch jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 011dh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 011eh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 011eh jmp NtOpenKeyedEvent_Epilogue NtOpenKeyedEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenKeyedEvent_Epilogue: mov r10, rcx syscall ret NtOpenKeyedEvent ENDP NtOpenMutant PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenMutant_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenMutant_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenMutant_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenMutant_Check_10_0_XXXX jmp NtOpenMutant_SystemCall_Unknown NtOpenMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenMutant_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenMutant_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenMutant_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenMutant_SystemCall_6_3_XXXX jmp NtOpenMutant_SystemCall_Unknown NtOpenMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenMutant_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenMutant_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenMutant_SystemCall_6_0_6002 jmp NtOpenMutant_SystemCall_Unknown NtOpenMutant_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtOpenMutant_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenMutant_SystemCall_6_1_7601 jmp NtOpenMutant_SystemCall_Unknown NtOpenMutant_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenMutant_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenMutant_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenMutant_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenMutant_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenMutant_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenMutant_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenMutant_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenMutant_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenMutant_SystemCall_10_0_18363 jmp NtOpenMutant_SystemCall_Unknown NtOpenMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00bch jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f4h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00f0h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00f0h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f6h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f6h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0108h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 010bh jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0110h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0113h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) mov eax, 0115h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0119h jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 011bh jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 011dh jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 011eh jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 011fh jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 011fh jmp NtOpenMutant_Epilogue NtOpenMutant_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenMutant_Epilogue: mov r10, rcx syscall ret NtOpenMutant ENDP NtOpenObjectAuditAlarm PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenObjectAuditAlarm_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenObjectAuditAlarm_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenObjectAuditAlarm_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenObjectAuditAlarm_Check_10_0_XXXX jmp NtOpenObjectAuditAlarm_SystemCall_Unknown NtOpenObjectAuditAlarm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenObjectAuditAlarm_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenObjectAuditAlarm_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenObjectAuditAlarm_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenObjectAuditAlarm_SystemCall_6_3_XXXX jmp NtOpenObjectAuditAlarm_SystemCall_Unknown NtOpenObjectAuditAlarm_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtOpenObjectAuditAlarm_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenObjectAuditAlarm_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenObjectAuditAlarm_SystemCall_6_0_6002 jmp NtOpenObjectAuditAlarm_SystemCall_Unknown NtOpenObjectAuditAlarm_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenObjectAuditAlarm_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenObjectAuditAlarm_SystemCall_6_1_7601 jmp NtOpenObjectAuditAlarm_SystemCall_Unknown NtOpenObjectAuditAlarm_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenObjectAuditAlarm_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenObjectAuditAlarm_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenObjectAuditAlarm_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenObjectAuditAlarm_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenObjectAuditAlarm_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenObjectAuditAlarm_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenObjectAuditAlarm_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenObjectAuditAlarm_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenObjectAuditAlarm_SystemCall_10_0_18363 jmp NtOpenObjectAuditAlarm_SystemCall_Unknown NtOpenObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00bdh jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f5h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00f1h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00f1h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f7h jmp 
NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f7h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0109h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 010ch jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0111h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0114h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0116h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 011ah jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 011ch jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 011eh jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 011fh jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0120h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0120h jmp NtOpenObjectAuditAlarm_Epilogue NtOpenObjectAuditAlarm_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenObjectAuditAlarm_Epilogue: mov r10, rcx syscall ret NtOpenObjectAuditAlarm ENDP NtOpenPartition PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenPartition_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtOpenPartition_Check_10_0_XXXX jmp NtOpenPartition_SystemCall_Unknown NtOpenPartition_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenPartition_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenPartition_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenPartition_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenPartition_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenPartition_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenPartition_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenPartition_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenPartition_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenPartition_SystemCall_10_0_18363 jmp NtOpenPartition_SystemCall_Unknown NtOpenPartition_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0112h jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0115h jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0117h jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 011bh jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 011dh jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 011fh jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0120h jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0121h jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0121h jmp NtOpenPartition_Epilogue NtOpenPartition_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenPartition_Epilogue: mov r10, rcx syscall ret NtOpenPartition ENDP NtOpenPrivateNamespace PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenPrivateNamespace_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtOpenPrivateNamespace_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenPrivateNamespace_Check_10_0_XXXX jmp NtOpenPrivateNamespace_SystemCall_Unknown NtOpenPrivateNamespace_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenPrivateNamespace_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenPrivateNamespace_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenPrivateNamespace_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenPrivateNamespace_SystemCall_6_3_XXXX jmp NtOpenPrivateNamespace_SystemCall_Unknown NtOpenPrivateNamespace_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenPrivateNamespace_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenPrivateNamespace_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenPrivateNamespace_SystemCall_6_0_6002 jmp NtOpenPrivateNamespace_SystemCall_Unknown NtOpenPrivateNamespace_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenPrivateNamespace_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenPrivateNamespace_SystemCall_6_1_7601 jmp NtOpenPrivateNamespace_SystemCall_Unknown NtOpenPrivateNamespace_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenPrivateNamespace_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenPrivateNamespace_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenPrivateNamespace_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenPrivateNamespace_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenPrivateNamespace_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenPrivateNamespace_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenPrivateNamespace_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenPrivateNamespace_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenPrivateNamespace_SystemCall_10_0_18363 jmp NtOpenPrivateNamespace_SystemCall_Unknown NtOpenPrivateNamespace_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00f6h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00f2h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00f2h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00f8h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00f8h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 010ah jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 010dh jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0113h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0116h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0118h jmp 
NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 011ch jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 011eh jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0120h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0121h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0122h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0122h jmp NtOpenPrivateNamespace_Epilogue NtOpenPrivateNamespace_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenPrivateNamespace_Epilogue: mov r10, rcx syscall ret NtOpenPrivateNamespace ENDP NtOpenProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenProcess_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenProcess_Check_10_0_XXXX jmp NtOpenProcess_SystemCall_Unknown NtOpenProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenProcess_SystemCall_6_3_XXXX jmp NtOpenProcess_SystemCall_Unknown NtOpenProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtOpenProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenProcess_SystemCall_6_0_6002 jmp NtOpenProcess_SystemCall_Unknown NtOpenProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenProcess_SystemCall_6_1_7601 jmp NtOpenProcess_SystemCall_Unknown NtOpenProcess_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenProcess_SystemCall_10_0_18363 jmp NtOpenProcess_SystemCall_Unknown NtOpenProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0023h jmp NtOpenProcess_Epilogue NtOpenProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0023h jmp NtOpenProcess_Epilogue NtOpenProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0023h jmp NtOpenProcess_Epilogue NtOpenProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0023h jmp NtOpenProcess_Epilogue NtOpenProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0023h jmp NtOpenProcess_Epilogue NtOpenProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0023h jmp NtOpenProcess_Epilogue NtOpenProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0024h jmp NtOpenProcess_Epilogue 
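NtOpenProcess_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 0025h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0026h
        jmp     NtOpenProcess_Epilogue
NtOpenProcess_SystemCall_Unknown:           ; Unknown/unsupported version.
        ret
NtOpenProcess_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtOpenProcess ENDP

;-----------------------------------------------------------------------
; Direct system-call stubs (Microsoft x64 ABI, MASM syntax).
;
; Every stub below has the same shape:
;   1. rax = PEB (gs:[60h]).
;   2. Dispatch on the PEB's OS major version [rax+118h], minor version
;      [rax+11ch] and build number [rax+120h] to the entry for the OS
;      that is actually running.
;   3. eax = system-call number for that OS; r10 = rcx; syscall; ret.
;
; Inputs:   the native call's own arguments, already laid out by the
;           caller per the Win64 convention (rcx, rdx, r8, r9, then the
;           stack). The stub never adjusts rsp, so stack arguments reach
;           the kernel exactly as the caller placed them.
; Output:   eax = NTSTATUS returned by the kernel. When the running OS
;           has no entry in the stub's table, eax = STATUS_NOT_IMPLEMENTED
;           (0C0000002h) rather than the PEB pointer that a bare `ret`
;           would otherwise leave in rax.
; Clobbers: rax, rcx, r10, r11, flags (the syscall instruction itself
;           overwrites rcx and r11).
;
; The minor-version dispatch tests 0, 1, 2 and 3 so that 6.3 (Windows
; 8.1 / Server 2012 R2) reaches its own entry instead of falling through
; to the Unknown path. System-call numbers are build-specific: a build
; not listed in a stub's table reports STATUS_NOT_IMPLEMENTED.
;-----------------------------------------------------------------------

;-----------------------------------------------------------------------
; NtOpenProcessToken - direct system-call stub; see the common contract
; above.
;-----------------------------------------------------------------------
NtOpenProcessToken PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenProcessToken_Check_X_X_XXXX:          ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 5
        je      NtOpenProcessToken_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtOpenProcessToken_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenProcessToken_Check_10_0_XXXX
        jmp     NtOpenProcessToken_SystemCall_Unknown
NtOpenProcessToken_Check_6_X_XXXX:          ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenProcessToken_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenProcessToken_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenProcessToken_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenProcessToken_SystemCall_6_3_XXXX
        jmp     NtOpenProcessToken_SystemCall_Unknown
NtOpenProcessToken_Check_6_0_XXXX:          ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenProcessToken_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenProcessToken_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenProcessToken_SystemCall_6_0_6002
        jmp     NtOpenProcessToken_SystemCall_Unknown
NtOpenProcessToken_Check_6_1_XXXX:          ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenProcessToken_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenProcessToken_SystemCall_6_1_7601
        jmp     NtOpenProcessToken_SystemCall_Unknown
NtOpenProcessToken_Check_10_0_XXXX:         ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenProcessToken_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenProcessToken_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenProcessToken_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenProcessToken_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenProcessToken_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenProcessToken_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenProcessToken_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenProcessToken_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenProcessToken_SystemCall_10_0_18363
        jmp     NtOpenProcessToken_SystemCall_Unknown
NtOpenProcessToken_SystemCall_5_X_XXXX:     ; Windows XP and Server 2003
        mov     eax, 00beh
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_0_6000:     ; Windows Vista SP0
        mov     eax, 00f7h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_0_6001:     ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00f3h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_0_6002:     ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00f3h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_1_7600:     ; Windows 7 SP0
        mov     eax, 00f9h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_1_7601:     ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00f9h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
        mov     eax, 010bh
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
        mov     eax, 010eh
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
        mov     eax, 0114h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
        mov     eax, 0117h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
        mov     eax, 0119h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
        mov     eax, 011dh
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
        mov     eax, 011fh
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
        mov     eax, 0121h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
        mov     eax, 0122h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
        mov     eax, 0123h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
        mov     eax, 0123h
        jmp     NtOpenProcessToken_Epilogue
NtOpenProcessToken_SystemCall_Unknown:      ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenProcessToken_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenProcessToken ENDP

;-----------------------------------------------------------------------
; NtOpenProcessTokenEx - direct system-call stub; see the common
; contract above.
;-----------------------------------------------------------------------
NtOpenProcessTokenEx PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenProcessTokenEx_Check_X_X_XXXX:        ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 5
        je      NtOpenProcessTokenEx_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtOpenProcessTokenEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenProcessTokenEx_Check_10_0_XXXX
        jmp     NtOpenProcessTokenEx_SystemCall_Unknown
NtOpenProcessTokenEx_Check_6_X_XXXX:        ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenProcessTokenEx_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenProcessTokenEx_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenProcessTokenEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenProcessTokenEx_SystemCall_6_3_XXXX
        jmp     NtOpenProcessTokenEx_SystemCall_Unknown
NtOpenProcessTokenEx_Check_6_0_XXXX:        ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenProcessTokenEx_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenProcessTokenEx_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenProcessTokenEx_SystemCall_6_0_6002
        jmp     NtOpenProcessTokenEx_SystemCall_Unknown
NtOpenProcessTokenEx_Check_6_1_XXXX:        ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenProcessTokenEx_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenProcessTokenEx_SystemCall_6_1_7601
        jmp     NtOpenProcessTokenEx_SystemCall_Unknown
NtOpenProcessTokenEx_Check_10_0_XXXX:       ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenProcessTokenEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenProcessTokenEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenProcessTokenEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenProcessTokenEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenProcessTokenEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenProcessTokenEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenProcessTokenEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenProcessTokenEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenProcessTokenEx_SystemCall_10_0_18363
        jmp     NtOpenProcessTokenEx_SystemCall_Unknown
NtOpenProcessTokenEx_SystemCall_5_X_XXXX:   ; Windows XP and Server 2003
        mov     eax, 002dh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_0_6000:   ; Windows Vista SP0
        mov     eax, 002dh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 002dh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 002dh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_1_7600:   ; Windows 7 SP0
        mov     eax, 002dh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 002dh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
        mov     eax, 002eh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
        mov     eax, 002fh
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0030h
        jmp     NtOpenProcessTokenEx_Epilogue
NtOpenProcessTokenEx_SystemCall_Unknown:    ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenProcessTokenEx_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenProcessTokenEx ENDP

;-----------------------------------------------------------------------
; NtOpenRegistryTransaction - direct system-call stub; see the common
; contract above. Only Windows 10 builds from 14393 on have an entry;
; every other OS reports STATUS_NOT_IMPLEMENTED.
;-----------------------------------------------------------------------
NtOpenRegistryTransaction PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenRegistryTransaction_Check_X_X_XXXX:   ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 10
        je      NtOpenRegistryTransaction_Check_10_0_XXXX
        jmp     NtOpenRegistryTransaction_SystemCall_Unknown
NtOpenRegistryTransaction_Check_10_0_XXXX:  ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenRegistryTransaction_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenRegistryTransaction_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenRegistryTransaction_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenRegistryTransaction_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenRegistryTransaction_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenRegistryTransaction_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenRegistryTransaction_SystemCall_10_0_18363
        jmp     NtOpenRegistryTransaction_SystemCall_Unknown
NtOpenRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 011ah
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 011eh
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0120h
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0122h
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0123h
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0124h
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0124h
        jmp     NtOpenRegistryTransaction_Epilogue
NtOpenRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenRegistryTransaction_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenRegistryTransaction ENDP

;-----------------------------------------------------------------------
; NtOpenResourceManager - direct system-call stub; see the common
; contract above. No entry for major version 5 (XP / Server 2003).
;-----------------------------------------------------------------------
NtOpenResourceManager PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenResourceManager_Check_X_X_XXXX:       ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 6
        je      NtOpenResourceManager_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenResourceManager_Check_10_0_XXXX
        jmp     NtOpenResourceManager_SystemCall_Unknown
NtOpenResourceManager_Check_6_X_XXXX:       ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenResourceManager_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenResourceManager_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenResourceManager_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenResourceManager_SystemCall_6_3_XXXX
        jmp     NtOpenResourceManager_SystemCall_Unknown
NtOpenResourceManager_Check_6_0_XXXX:       ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenResourceManager_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenResourceManager_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenResourceManager_SystemCall_6_0_6002
        jmp     NtOpenResourceManager_SystemCall_Unknown
NtOpenResourceManager_Check_6_1_XXXX:       ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenResourceManager_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenResourceManager_SystemCall_6_1_7601
        jmp     NtOpenResourceManager_SystemCall_Unknown
NtOpenResourceManager_Check_10_0_XXXX:      ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenResourceManager_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenResourceManager_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenResourceManager_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenResourceManager_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenResourceManager_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenResourceManager_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenResourceManager_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenResourceManager_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenResourceManager_SystemCall_10_0_18363
        jmp     NtOpenResourceManager_SystemCall_Unknown
NtOpenResourceManager_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 00f8h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00f4h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00f4h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_6_1_7600:  ; Windows 7 SP0
        mov     eax, 00fah
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_6_1_7601:  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00fah
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 010ch
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 010fh
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0115h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0118h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 011bh
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 011fh
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0121h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0123h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0124h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0125h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0125h
        jmp     NtOpenResourceManager_Epilogue
NtOpenResourceManager_SystemCall_Unknown:   ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenResourceManager_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenResourceManager ENDP

;-----------------------------------------------------------------------
; NtOpenSection - direct system-call stub; see the common contract
; above.
;-----------------------------------------------------------------------
NtOpenSection PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenSection_Check_X_X_XXXX:               ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 5
        je      NtOpenSection_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtOpenSection_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenSection_Check_10_0_XXXX
        jmp     NtOpenSection_SystemCall_Unknown
NtOpenSection_Check_6_X_XXXX:               ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenSection_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenSection_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenSection_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenSection_SystemCall_6_3_XXXX
        jmp     NtOpenSection_SystemCall_Unknown
NtOpenSection_Check_6_0_XXXX:               ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenSection_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenSection_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenSection_SystemCall_6_0_6002
        jmp     NtOpenSection_SystemCall_Unknown
NtOpenSection_Check_6_1_XXXX:               ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenSection_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenSection_SystemCall_6_1_7601
        jmp     NtOpenSection_SystemCall_Unknown
NtOpenSection_Check_10_0_XXXX:              ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenSection_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenSection_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenSection_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenSection_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenSection_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenSection_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenSection_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenSection_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenSection_SystemCall_10_0_18363
        jmp     NtOpenSection_SystemCall_Unknown
NtOpenSection_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
        mov     eax, 0034h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 0034h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0034h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0034h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 0034h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0034h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 0035h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 0036h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0037h
        jmp     NtOpenSection_Epilogue
NtOpenSection_SystemCall_Unknown:           ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenSection_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenSection ENDP

;-----------------------------------------------------------------------
; NtOpenSemaphore - direct system-call stub; see the common contract
; above.
;-----------------------------------------------------------------------
NtOpenSemaphore PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenSemaphore_Check_X_X_XXXX:             ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 5
        je      NtOpenSemaphore_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtOpenSemaphore_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenSemaphore_Check_10_0_XXXX
        jmp     NtOpenSemaphore_SystemCall_Unknown
NtOpenSemaphore_Check_6_X_XXXX:             ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenSemaphore_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenSemaphore_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenSemaphore_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenSemaphore_SystemCall_6_3_XXXX
        jmp     NtOpenSemaphore_SystemCall_Unknown
NtOpenSemaphore_Check_6_0_XXXX:             ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenSemaphore_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenSemaphore_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenSemaphore_SystemCall_6_0_6002
        jmp     NtOpenSemaphore_SystemCall_Unknown
NtOpenSemaphore_Check_6_1_XXXX:             ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenSemaphore_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenSemaphore_SystemCall_6_1_7601
        jmp     NtOpenSemaphore_SystemCall_Unknown
NtOpenSemaphore_Check_10_0_XXXX:            ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenSemaphore_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenSemaphore_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenSemaphore_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenSemaphore_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenSemaphore_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenSemaphore_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenSemaphore_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenSemaphore_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenSemaphore_SystemCall_10_0_18363
        jmp     NtOpenSemaphore_SystemCall_Unknown
NtOpenSemaphore_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 00bfh
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 00f9h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00f5h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00f5h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 00fbh
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00fbh
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 010dh
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 0110h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 0116h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 0119h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 011ch
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 0120h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 0122h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0124h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0125h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0126h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0126h
        jmp     NtOpenSemaphore_Epilogue
NtOpenSemaphore_SystemCall_Unknown:         ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenSemaphore_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenSemaphore ENDP

;-----------------------------------------------------------------------
; NtOpenSession - direct system-call stub; see the common contract
; above. No entry for major version 5 (XP / Server 2003).
;-----------------------------------------------------------------------
NtOpenSession PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenSession_Check_X_X_XXXX:               ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 6
        je      NtOpenSession_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenSession_Check_10_0_XXXX
        jmp     NtOpenSession_SystemCall_Unknown
NtOpenSession_Check_6_X_XXXX:               ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenSession_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenSession_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenSession_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenSession_SystemCall_6_3_XXXX
        jmp     NtOpenSession_SystemCall_Unknown
NtOpenSession_Check_6_0_XXXX:               ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenSession_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenSession_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenSession_SystemCall_6_0_6002
        jmp     NtOpenSession_SystemCall_Unknown
NtOpenSession_Check_6_1_XXXX:               ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenSession_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenSession_SystemCall_6_1_7601
        jmp     NtOpenSession_SystemCall_Unknown
NtOpenSession_Check_10_0_XXXX:              ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenSession_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenSession_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenSession_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenSession_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenSession_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenSession_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenSession_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenSession_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenSession_SystemCall_10_0_18363
        jmp     NtOpenSession_SystemCall_Unknown
NtOpenSession_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 00fah
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00f6h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00f6h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 00fch
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00fch
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 010eh
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 0111h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 0117h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 011ah
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 011dh
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0121h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0123h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0125h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0126h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0127h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0127h
        jmp     NtOpenSession_Epilogue
NtOpenSession_SystemCall_Unknown:           ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenSession_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenSession ENDP

;-----------------------------------------------------------------------
; NtOpenSymbolicLinkObject - direct system-call stub; see the common
; contract above.
;-----------------------------------------------------------------------
NtOpenSymbolicLinkObject PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenSymbolicLinkObject_Check_X_X_XXXX:    ; Dispatch on OS major version.
        cmp     dword ptr [rax+118h], 5
        je      NtOpenSymbolicLinkObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtOpenSymbolicLinkObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtOpenSymbolicLinkObject_Check_10_0_XXXX
        jmp     NtOpenSymbolicLinkObject_SystemCall_Unknown
NtOpenSymbolicLinkObject_Check_6_X_XXXX:    ; Minor version: Vista/7/8/8.1.
        cmp     dword ptr [rax+11ch], 0
        je      NtOpenSymbolicLinkObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtOpenSymbolicLinkObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtOpenSymbolicLinkObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3     ; 6.3 = Windows 8.1 / Server 2012 R2
        je      NtOpenSymbolicLinkObject_SystemCall_6_3_XXXX
        jmp     NtOpenSymbolicLinkObject_SystemCall_Unknown
NtOpenSymbolicLinkObject_Check_6_0_XXXX:    ; Build number: Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtOpenSymbolicLinkObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtOpenSymbolicLinkObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtOpenSymbolicLinkObject_SystemCall_6_0_6002
        jmp     NtOpenSymbolicLinkObject_SystemCall_Unknown
NtOpenSymbolicLinkObject_Check_6_1_XXXX:    ; Build number: Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtOpenSymbolicLinkObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtOpenSymbolicLinkObject_SystemCall_6_1_7601
        jmp     NtOpenSymbolicLinkObject_SystemCall_Unknown
NtOpenSymbolicLinkObject_Check_10_0_XXXX:   ; Build number: Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtOpenSymbolicLinkObject_SystemCall_10_0_18363
        jmp     NtOpenSymbolicLinkObject_SystemCall_Unknown
NtOpenSymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00c0h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 00fbh
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00f7h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00f7h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 00fdh
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 00fdh
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 010fh
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 0112h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0118h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 011bh
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 011eh
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0122h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0124h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0126h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0127h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0128h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0128h
        jmp     NtOpenSymbolicLinkObject_Epilogue
NtOpenSymbolicLinkObject_SystemCall_Unknown: ; Unknown/unsupported version.
        mov     eax, 0C0000002h             ; STATUS_NOT_IMPLEMENTED
        ret
NtOpenSymbolicLinkObject_Epilogue:
        mov     r10, rcx                    ; syscall takes the first argument in r10
        syscall
        ret
NtOpenSymbolicLinkObject ENDP

NtOpenThread PROC
        mov     rax, gs:[60h]               ; rax = PEB
NtOpenThread_Check_X_X_XXXX:                ; Dispatch on OS major version.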
cmp dword ptr [rax+118h], 5 je NtOpenThread_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenThread_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenThread_Check_10_0_XXXX jmp NtOpenThread_SystemCall_Unknown NtOpenThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenThread_SystemCall_6_3_XXXX jmp NtOpenThread_SystemCall_Unknown NtOpenThread_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenThread_SystemCall_6_0_6002 jmp NtOpenThread_SystemCall_Unknown NtOpenThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenThread_SystemCall_6_1_7601 jmp NtOpenThread_SystemCall_Unknown NtOpenThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenThread_SystemCall_10_0_18363 jmp NtOpenThread_SystemCall_Unknown NtOpenThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00c1h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00fch jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00f8h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00f8h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 00feh jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00feh jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0110h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0113h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0119h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 011ch jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 011fh jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0123h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov 
eax, 0125h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0127h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0128h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0129h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0129h jmp NtOpenThread_Epilogue NtOpenThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenThread_Epilogue: mov r10, rcx syscall ret NtOpenThread ENDP NtOpenThreadToken PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenThreadToken_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenThreadToken_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenThreadToken_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenThreadToken_Check_10_0_XXXX jmp NtOpenThreadToken_SystemCall_Unknown NtOpenThreadToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenThreadToken_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenThreadToken_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenThreadToken_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenThreadToken_SystemCall_6_3_XXXX jmp NtOpenThreadToken_SystemCall_Unknown NtOpenThreadToken_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenThreadToken_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenThreadToken_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenThreadToken_SystemCall_6_0_6002 jmp NtOpenThreadToken_SystemCall_Unknown NtOpenThreadToken_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenThreadToken_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenThreadToken_SystemCall_6_1_7601 jmp NtOpenThreadToken_SystemCall_Unknown NtOpenThreadToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenThreadToken_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenThreadToken_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenThreadToken_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenThreadToken_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenThreadToken_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenThreadToken_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenThreadToken_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenThreadToken_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenThreadToken_SystemCall_10_0_18363 jmp NtOpenThreadToken_SystemCall_Unknown NtOpenThreadToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0021h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0021h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0021h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0021h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0021h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0021h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0022h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0023h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0024h jmp NtOpenThreadToken_Epilogue 
NtOpenThreadToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0024h jmp NtOpenThreadToken_Epilogue NtOpenThreadToken_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenThreadToken_Epilogue: mov r10, rcx syscall ret NtOpenThreadToken ENDP NtOpenThreadTokenEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenThreadTokenEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenThreadTokenEx_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenThreadTokenEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenThreadTokenEx_Check_10_0_XXXX jmp NtOpenThreadTokenEx_SystemCall_Unknown NtOpenThreadTokenEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenThreadTokenEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenThreadTokenEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenThreadTokenEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenThreadTokenEx_SystemCall_6_3_XXXX jmp NtOpenThreadTokenEx_SystemCall_Unknown NtOpenThreadTokenEx_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtOpenThreadTokenEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenThreadTokenEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenThreadTokenEx_SystemCall_6_0_6002 jmp NtOpenThreadTokenEx_SystemCall_Unknown NtOpenThreadTokenEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenThreadTokenEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenThreadTokenEx_SystemCall_6_1_7601 jmp NtOpenThreadTokenEx_SystemCall_Unknown NtOpenThreadTokenEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenThreadTokenEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenThreadTokenEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenThreadTokenEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenThreadTokenEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenThreadTokenEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenThreadTokenEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenThreadTokenEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenThreadTokenEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenThreadTokenEx_SystemCall_10_0_18363 jmp NtOpenThreadTokenEx_SystemCall_Unknown NtOpenThreadTokenEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 002ch jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 002ch jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 002ch jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 002ch jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 002ch jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 mov eax, 002ch jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 002dh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 002eh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 002fh jmp NtOpenThreadTokenEx_Epilogue NtOpenThreadTokenEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenThreadTokenEx_Epilogue: mov r10, rcx syscall ret NtOpenThreadTokenEx ENDP NtOpenTimer PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenTimer_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtOpenTimer_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtOpenTimer_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenTimer_Check_10_0_XXXX jmp NtOpenTimer_SystemCall_Unknown NtOpenTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtOpenTimer_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenTimer_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenTimer_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenTimer_SystemCall_6_3_XXXX jmp NtOpenTimer_SystemCall_Unknown NtOpenTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenTimer_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenTimer_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenTimer_SystemCall_6_0_6002 jmp NtOpenTimer_SystemCall_Unknown NtOpenTimer_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenTimer_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenTimer_SystemCall_6_1_7601 jmp NtOpenTimer_SystemCall_Unknown NtOpenTimer_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenTimer_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenTimer_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenTimer_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenTimer_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenTimer_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenTimer_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenTimer_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenTimer_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenTimer_SystemCall_10_0_18363 jmp NtOpenTimer_SystemCall_Unknown NtOpenTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00c2h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00fdh jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00f9h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00f9h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_1_7600: ; Windows 7 
SP0 mov eax, 00ffh jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 00ffh jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0111h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0114h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 011ah jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 011dh jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0120h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0124h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0126h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0128h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0129h jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 012ah jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 012ah jmp NtOpenTimer_Epilogue NtOpenTimer_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenTimer_Epilogue: mov r10, rcx syscall ret NtOpenTimer ENDP NtOpenTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtOpenTransaction_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenTransaction_Check_10_0_XXXX jmp NtOpenTransaction_SystemCall_Unknown NtOpenTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtOpenTransaction_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenTransaction_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenTransaction_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenTransaction_SystemCall_6_3_XXXX jmp NtOpenTransaction_SystemCall_Unknown NtOpenTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenTransaction_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenTransaction_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenTransaction_SystemCall_6_0_6002 jmp NtOpenTransaction_SystemCall_Unknown NtOpenTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenTransaction_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenTransaction_SystemCall_6_1_7601 jmp NtOpenTransaction_SystemCall_Unknown NtOpenTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtOpenTransaction_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenTransaction_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenTransaction_SystemCall_10_0_18363 jmp NtOpenTransaction_SystemCall_Unknown NtOpenTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00feh jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00fah jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 
00fah jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0100h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0100h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0112h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0115h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 011bh jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 011eh jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0121h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0125h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0127h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0129h jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 012ah jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 012bh jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 012bh jmp NtOpenTransaction_Epilogue NtOpenTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenTransaction_Epilogue: mov r10, rcx syscall ret NtOpenTransaction ENDP NtOpenTransactionManager PROC mov rax, gs:[60h] ; Load PEB into RAX. NtOpenTransactionManager_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtOpenTransactionManager_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtOpenTransactionManager_Check_10_0_XXXX jmp NtOpenTransactionManager_SystemCall_Unknown NtOpenTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtOpenTransactionManager_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtOpenTransactionManager_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenTransactionManager_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtOpenTransactionManager_SystemCall_6_3_XXXX jmp NtOpenTransactionManager_SystemCall_Unknown NtOpenTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtOpenTransactionManager_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtOpenTransactionManager_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtOpenTransactionManager_SystemCall_6_0_6002 jmp NtOpenTransactionManager_SystemCall_Unknown NtOpenTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtOpenTransactionManager_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtOpenTransactionManager_SystemCall_6_1_7601 jmp NtOpenTransactionManager_SystemCall_Unknown NtOpenTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtOpenTransactionManager_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtOpenTransactionManager_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtOpenTransactionManager_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtOpenTransactionManager_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtOpenTransactionManager_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtOpenTransactionManager_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtOpenTransactionManager_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtOpenTransactionManager_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtOpenTransactionManager_SystemCall_10_0_18363 jmp NtOpenTransactionManager_SystemCall_Unknown NtOpenTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 00ffh jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00fbh jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00fbh jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0101h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0101h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0113h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0116h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 011ch jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 011fh jmp NtOpenTransactionManager_Epilogue 
NtOpenTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0122h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0126h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0128h jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 012ah jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 012bh jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 012ch jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 012ch jmp NtOpenTransactionManager_Epilogue NtOpenTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. ret NtOpenTransactionManager_Epilogue: mov r10, rcx syscall ret NtOpenTransactionManager ENDP NtPlugPlayControl PROC mov rax, gs:[60h] ; Load PEB into RAX. NtPlugPlayControl_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtPlugPlayControl_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtPlugPlayControl_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtPlugPlayControl_Check_10_0_XXXX jmp NtPlugPlayControl_SystemCall_Unknown NtPlugPlayControl_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtPlugPlayControl_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtPlugPlayControl_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtPlugPlayControl_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtPlugPlayControl_SystemCall_6_3_XXXX jmp NtPlugPlayControl_SystemCall_Unknown NtPlugPlayControl_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtPlugPlayControl_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtPlugPlayControl_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtPlugPlayControl_SystemCall_6_0_6002 jmp NtPlugPlayControl_SystemCall_Unknown NtPlugPlayControl_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtPlugPlayControl_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtPlugPlayControl_SystemCall_6_1_7601 jmp NtPlugPlayControl_SystemCall_Unknown NtPlugPlayControl_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtPlugPlayControl_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtPlugPlayControl_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtPlugPlayControl_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtPlugPlayControl_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtPlugPlayControl_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtPlugPlayControl_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtPlugPlayControl_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtPlugPlayControl_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtPlugPlayControl_SystemCall_10_0_18363 jmp NtPlugPlayControl_SystemCall_Unknown NtPlugPlayControl_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00c3h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0100h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 00fch jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 00fch jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0102h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0102h jmp NtPlugPlayControl_Epilogue 
NtPlugPlayControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0114h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0117h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 011dh jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0120h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0123h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0127h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0129h jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 012bh jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 012ch jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 012dh jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 012dh jmp NtPlugPlayControl_Epilogue NtPlugPlayControl_SystemCall_Unknown: ; Unknown/unsupported version. ret NtPlugPlayControl_Epilogue: mov r10, rcx syscall ret NtPlugPlayControl ENDP NtPowerInformation PROC mov rax, gs:[60h] ; Load PEB into RAX. NtPowerInformation_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtPowerInformation_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtPowerInformation_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtPowerInformation_Check_10_0_XXXX jmp NtPowerInformation_SystemCall_Unknown NtPowerInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtPowerInformation_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtPowerInformation_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtPowerInformation_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtPowerInformation_SystemCall_6_3_XXXX jmp NtPowerInformation_SystemCall_Unknown NtPowerInformation_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtPowerInformation_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtPowerInformation_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtPowerInformation_SystemCall_6_0_6002 jmp NtPowerInformation_SystemCall_Unknown NtPowerInformation_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtPowerInformation_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtPowerInformation_SystemCall_6_1_7601 jmp NtPowerInformation_SystemCall_Unknown NtPowerInformation_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtPowerInformation_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtPowerInformation_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtPowerInformation_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtPowerInformation_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtPowerInformation_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtPowerInformation_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtPowerInformation_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtPowerInformation_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtPowerInformation_SystemCall_10_0_18363 jmp NtPowerInformation_SystemCall_Unknown NtPowerInformation_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 005ch jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 005ch jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 
2008 SP0 mov eax, 005ch jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 005ch jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 005ch jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 005ch jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 005dh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 005eh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 005fh jmp NtPowerInformation_Epilogue NtPowerInformation_SystemCall_Unknown: ; Unknown/unsupported version. ret NtPowerInformation_Epilogue: mov r10, rcx syscall ret NtPowerInformation ENDP NtPrePrepareComplete PROC mov rax, gs:[60h] ; Load PEB into RAX. NtPrePrepareComplete_Check_X_X_XXXX: ; Check major version. 
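; NtPrePrepareComplete (continued): OSMajorVersion dispatch (no XP/2003 entry for this call).
        cmp     dword ptr [rax+118h], 6
        je      NtPrePrepareComplete_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrePrepareComplete_Check_10_0_XXXX
        jmp     NtPrePrepareComplete_SystemCall_Unknown
NtPrePrepareComplete_Check_6_X_XXXX:            ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPrePrepareComplete_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrePrepareComplete_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrePrepareComplete_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrePrepareComplete_SystemCall_6_3_XXXX
        jmp     NtPrePrepareComplete_SystemCall_Unknown
NtPrePrepareComplete_Check_6_0_XXXX:            ; OSBuildNumber dispatch, Windows Vista.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrePrepareComplete_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrePrepareComplete_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrePrepareComplete_SystemCall_6_0_6002
        jmp     NtPrePrepareComplete_SystemCall_Unknown
NtPrePrepareComplete_Check_6_1_XXXX:            ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPrePrepareComplete_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrePrepareComplete_SystemCall_6_1_7601
        jmp     NtPrePrepareComplete_SystemCall_Unknown
NtPrePrepareComplete_Check_10_0_XXXX:           ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPrePrepareComplete_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrePrepareComplete_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrePrepareComplete_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrePrepareComplete_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrePrepareComplete_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrePrepareComplete_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrePrepareComplete_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrePrepareComplete_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrePrepareComplete_SystemCall_10_0_18363
        jmp     NtPrePrepareComplete_SystemCall_Unknown
NtPrePrepareComplete_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 0101h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00fdh
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00fdh
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 0103h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0103h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 0115h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 0118h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 011eh
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 0121h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 0124h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 0128h
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 012ah
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 012ch
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 012dh
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 012eh
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 012eh
        jmp     NtPrePrepareComplete_Epilogue
NtPrePrepareComplete_SystemCall_Unknown:        ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrePrepareComplete_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrePrepareComplete ENDP

;-----------------------------------------------------------------------
; NtPrePrepareEnlistment -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPrePrepareEnlistment PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPrePrepareEnlistment_Check_X_X_XXXX:          ; Dispatch on OSMajorVersion (no XP/2003 entry for this call).
        cmp     dword ptr [rax+118h], 6
        je      NtPrePrepareEnlistment_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrePrepareEnlistment_Check_10_0_XXXX
        jmp     NtPrePrepareEnlistment_SystemCall_Unknown
NtPrePrepareEnlistment_Check_6_X_XXXX:          ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPrePrepareEnlistment_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrePrepareEnlistment_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrePrepareEnlistment_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrePrepareEnlistment_SystemCall_6_3_XXXX
        jmp     NtPrePrepareEnlistment_SystemCall_Unknown
NtPrePrepareEnlistment_Check_6_0_XXXX:          ; OSBuildNumber dispatch, Windows Vista.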
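; NtPrePrepareEnlistment (continued): OSBuildNumber dispatch and syscall table.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrePrepareEnlistment_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrePrepareEnlistment_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrePrepareEnlistment_SystemCall_6_0_6002
        jmp     NtPrePrepareEnlistment_SystemCall_Unknown
NtPrePrepareEnlistment_Check_6_1_XXXX:          ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPrePrepareEnlistment_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrePrepareEnlistment_SystemCall_6_1_7601
        jmp     NtPrePrepareEnlistment_SystemCall_Unknown
NtPrePrepareEnlistment_Check_10_0_XXXX:         ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPrePrepareEnlistment_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrePrepareEnlistment_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrePrepareEnlistment_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrePrepareEnlistment_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrePrepareEnlistment_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrePrepareEnlistment_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrePrepareEnlistment_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrePrepareEnlistment_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrePrepareEnlistment_SystemCall_10_0_18363
        jmp     NtPrePrepareEnlistment_SystemCall_Unknown
NtPrePrepareEnlistment_SystemCall_6_0_6000:     ; Windows Vista SP0
        mov     eax, 0102h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_6_0_6001:     ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00feh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_6_0_6002:     ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00feh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_6_1_7600:     ; Windows 7 SP0
        mov     eax, 0104h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_6_1_7601:     ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0104h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
        mov     eax, 0116h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
        mov     eax, 0119h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
        mov     eax, 011fh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
        mov     eax, 0122h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
        mov     eax, 0125h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
        mov     eax, 0129h
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
        mov     eax, 012bh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
        mov     eax, 012dh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
        mov     eax, 012eh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
        mov     eax, 012fh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
        mov     eax, 012fh
        jmp     NtPrePrepareEnlistment_Epilogue
NtPrePrepareEnlistment_SystemCall_Unknown:      ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrePrepareEnlistment_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrePrepareEnlistment ENDP

;-----------------------------------------------------------------------
; NtPrepareComplete -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPrepareComplete PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPrepareComplete_Check_X_X_XXXX:               ; Dispatch on OSMajorVersion (no XP/2003 entry for this call).
        cmp     dword ptr [rax+118h], 6
        je      NtPrepareComplete_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrepareComplete_Check_10_0_XXXX
        jmp     NtPrepareComplete_SystemCall_Unknown
NtPrepareComplete_Check_6_X_XXXX:               ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).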
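; NtPrepareComplete (continued): OSMinorVersion / OSBuildNumber dispatch and syscall table.
        cmp     dword ptr [rax+11ch], 0
        je      NtPrepareComplete_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrepareComplete_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrepareComplete_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrepareComplete_SystemCall_6_3_XXXX
        jmp     NtPrepareComplete_SystemCall_Unknown
NtPrepareComplete_Check_6_0_XXXX:               ; OSBuildNumber dispatch, Windows Vista.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrepareComplete_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrepareComplete_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrepareComplete_SystemCall_6_0_6002
        jmp     NtPrepareComplete_SystemCall_Unknown
NtPrepareComplete_Check_6_1_XXXX:               ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPrepareComplete_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrepareComplete_SystemCall_6_1_7601
        jmp     NtPrepareComplete_SystemCall_Unknown
NtPrepareComplete_Check_10_0_XXXX:              ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPrepareComplete_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrepareComplete_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrepareComplete_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrepareComplete_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrepareComplete_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrepareComplete_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrepareComplete_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrepareComplete_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrepareComplete_SystemCall_10_0_18363
        jmp     NtPrepareComplete_SystemCall_Unknown
NtPrepareComplete_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 0103h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 00ffh
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 00ffh
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 0105h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0105h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 0117h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 011ah
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 0120h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 0123h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0126h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 012ah
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 012ch
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 012eh
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 012fh
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0130h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0130h
        jmp     NtPrepareComplete_Epilogue
NtPrepareComplete_SystemCall_Unknown:           ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrepareComplete_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrepareComplete ENDP

;-----------------------------------------------------------------------
; NtPrepareEnlistment -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPrepareEnlistment PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPrepareEnlistment_Check_X_X_XXXX:             ; Dispatch on OSMajorVersion.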
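; NtPrepareEnlistment (continued): OSMajorVersion dispatch (no XP/2003 entry for this call).
        cmp     dword ptr [rax+118h], 6
        je      NtPrepareEnlistment_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrepareEnlistment_Check_10_0_XXXX
        jmp     NtPrepareEnlistment_SystemCall_Unknown
NtPrepareEnlistment_Check_6_X_XXXX:             ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPrepareEnlistment_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrepareEnlistment_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrepareEnlistment_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrepareEnlistment_SystemCall_6_3_XXXX
        jmp     NtPrepareEnlistment_SystemCall_Unknown
NtPrepareEnlistment_Check_6_0_XXXX:             ; OSBuildNumber dispatch, Windows Vista.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrepareEnlistment_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrepareEnlistment_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrepareEnlistment_SystemCall_6_0_6002
        jmp     NtPrepareEnlistment_SystemCall_Unknown
NtPrepareEnlistment_Check_6_1_XXXX:             ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPrepareEnlistment_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrepareEnlistment_SystemCall_6_1_7601
        jmp     NtPrepareEnlistment_SystemCall_Unknown
NtPrepareEnlistment_Check_10_0_XXXX:            ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPrepareEnlistment_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrepareEnlistment_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrepareEnlistment_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrepareEnlistment_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrepareEnlistment_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrepareEnlistment_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrepareEnlistment_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrepareEnlistment_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrepareEnlistment_SystemCall_10_0_18363
        jmp     NtPrepareEnlistment_SystemCall_Unknown
NtPrepareEnlistment_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 0104h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0100h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0100h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 0106h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0106h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 0118h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 011bh
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 0121h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 0124h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 0127h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 012bh
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 012dh
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 012fh
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0130h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0131h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0131h
        jmp     NtPrepareEnlistment_Epilogue
NtPrepareEnlistment_SystemCall_Unknown:         ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrepareEnlistment_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrepareEnlistment ENDP

;-----------------------------------------------------------------------
; NtPrivilegeCheck -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPrivilegeCheck PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPrivilegeCheck_Check_X_X_XXXX:                ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtPrivilegeCheck_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtPrivilegeCheck_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrivilegeCheck_Check_10_0_XXXX
        jmp     NtPrivilegeCheck_SystemCall_Unknown
NtPrivilegeCheck_Check_6_X_XXXX:                ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPrivilegeCheck_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrivilegeCheck_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrivilegeCheck_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrivilegeCheck_SystemCall_6_3_XXXX
        jmp     NtPrivilegeCheck_SystemCall_Unknown
NtPrivilegeCheck_Check_6_0_XXXX:                ; OSBuildNumber dispatch, Windows Vista.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrivilegeCheck_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrivilegeCheck_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrivilegeCheck_SystemCall_6_0_6002
        jmp     NtPrivilegeCheck_SystemCall_Unknown
NtPrivilegeCheck_Check_6_1_XXXX:                ; OSBuildNumber dispatch, Windows 7.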
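; NtPrivilegeCheck (continued): Windows 7 / 10 build dispatch and syscall table.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 7600
        je      NtPrivilegeCheck_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrivilegeCheck_SystemCall_6_1_7601
        jmp     NtPrivilegeCheck_SystemCall_Unknown
NtPrivilegeCheck_Check_10_0_XXXX:               ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPrivilegeCheck_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrivilegeCheck_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrivilegeCheck_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrivilegeCheck_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrivilegeCheck_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrivilegeCheck_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrivilegeCheck_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrivilegeCheck_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrivilegeCheck_SystemCall_10_0_18363
        jmp     NtPrivilegeCheck_SystemCall_Unknown
NtPrivilegeCheck_SystemCall_5_X_XXXX:           ; Windows XP and Server 2003
        mov     eax, 00c4h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_0_6000:           ; Windows Vista SP0
        mov     eax, 0105h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_0_6001:           ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0101h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_0_6002:           ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0101h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_1_7600:           ; Windows 7 SP0
        mov     eax, 0107h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_1_7601:           ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0107h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_2_XXXX:           ; Windows 8 and Server 2012
        mov     eax, 0119h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_6_3_XXXX:           ; Windows 8.1 and Server 2012 R2
        mov     eax, 011ch
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_10240:         ; Windows 10.0.10240 (1507)
        mov     eax, 0122h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
        mov     eax, 0125h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
        mov     eax, 0128h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
        mov     eax, 012ch
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
        mov     eax, 012eh
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
        mov     eax, 0130h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
        mov     eax, 0131h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
        mov     eax, 0132h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
        mov     eax, 0132h
        jmp     NtPrivilegeCheck_Epilogue
NtPrivilegeCheck_SystemCall_Unknown:            ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrivilegeCheck_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrivilegeCheck ENDP

;-----------------------------------------------------------------------
; NtPrivilegeObjectAuditAlarm -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPrivilegeObjectAuditAlarm PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPrivilegeObjectAuditAlarm_Check_X_X_XXXX:     ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtPrivilegeObjectAuditAlarm_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtPrivilegeObjectAuditAlarm_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrivilegeObjectAuditAlarm_Check_10_0_XXXX
        jmp     NtPrivilegeObjectAuditAlarm_SystemCall_Unknown
NtPrivilegeObjectAuditAlarm_Check_6_X_XXXX:     ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPrivilegeObjectAuditAlarm_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrivilegeObjectAuditAlarm_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_3_XXXX
        jmp     NtPrivilegeObjectAuditAlarm_SystemCall_Unknown
NtPrivilegeObjectAuditAlarm_Check_6_0_XXXX:     ; OSBuildNumber dispatch, Windows Vista.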
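; NtPrivilegeObjectAuditAlarm (continued): OSBuildNumber dispatch and syscall table.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6002
        jmp     NtPrivilegeObjectAuditAlarm_SystemCall_Unknown
NtPrivilegeObjectAuditAlarm_Check_6_1_XXXX:     ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7601
        jmp     NtPrivilegeObjectAuditAlarm_SystemCall_Unknown
NtPrivilegeObjectAuditAlarm_Check_10_0_XXXX:    ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18363
        jmp     NtPrivilegeObjectAuditAlarm_SystemCall_Unknown
NtPrivilegeObjectAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00c5h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0106h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0102h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0102h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0108h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0108h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 011ah
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 011dh
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0123h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0126h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0129h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 012dh
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 012fh
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0131h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0132h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0133h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0133h
        jmp     NtPrivilegeObjectAuditAlarm_Epilogue
NtPrivilegeObjectAuditAlarm_SystemCall_Unknown: ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrivilegeObjectAuditAlarm_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrivilegeObjectAuditAlarm ENDP

;-----------------------------------------------------------------------
; NtPrivilegedServiceAuditAlarm -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPrivilegedServiceAuditAlarm PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPrivilegedServiceAuditAlarm_Check_X_X_XXXX:   ; Dispatch on OSMajorVersion.
        cmp     dword ptr [rax+118h], 5
        je      NtPrivilegedServiceAuditAlarm_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtPrivilegedServiceAuditAlarm_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPrivilegedServiceAuditAlarm_Check_10_0_XXXX
        jmp     NtPrivilegedServiceAuditAlarm_SystemCall_Unknown
NtPrivilegedServiceAuditAlarm_Check_6_X_XXXX:   ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPrivilegedServiceAuditAlarm_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPrivilegedServiceAuditAlarm_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_3_XXXX
        jmp     NtPrivilegedServiceAuditAlarm_SystemCall_Unknown
NtPrivilegedServiceAuditAlarm_Check_6_0_XXXX:   ; OSBuildNumber dispatch, Windows Vista.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6002
        jmp     NtPrivilegedServiceAuditAlarm_SystemCall_Unknown
NtPrivilegedServiceAuditAlarm_Check_6_1_XXXX:   ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7601
        jmp     NtPrivilegedServiceAuditAlarm_SystemCall_Unknown
NtPrivilegedServiceAuditAlarm_Check_10_0_XXXX:  ; OSBuildNumber dispatch, Windows 10.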
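; NtPrivilegedServiceAuditAlarm (continued): Windows 10 build dispatch and syscall table.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 10240
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18363
        jmp     NtPrivilegedServiceAuditAlarm_SystemCall_Unknown
NtPrivilegedServiceAuditAlarm_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00c6h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0107h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0103h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0103h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0109h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0109h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 011bh
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 011eh
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0124h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0127h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 012ah
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 012eh
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0130h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0132h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0133h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0134h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0134h
        jmp     NtPrivilegedServiceAuditAlarm_Epilogue
NtPrivilegedServiceAuditAlarm_SystemCall_Unknown: ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPrivilegedServiceAuditAlarm_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPrivilegedServiceAuditAlarm ENDP

;-----------------------------------------------------------------------
; NtPropagationComplete -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version read from the PEB is not in the table below.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  table ends at build 18363; newer builds need it regenerated.
;-----------------------------------------------------------------------
NtPropagationComplete PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPropagationComplete_Check_X_X_XXXX:           ; Dispatch on OSMajorVersion (no XP/2003 entry for this call).
        cmp     dword ptr [rax+118h], 6
        je      NtPropagationComplete_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPropagationComplete_Check_10_0_XXXX
        jmp     NtPropagationComplete_SystemCall_Unknown
NtPropagationComplete_Check_6_X_XXXX:           ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).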
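; NtPropagationComplete (continued): OSMinorVersion / OSBuildNumber dispatch and syscall table.
        cmp     dword ptr [rax+11ch], 0
        je      NtPropagationComplete_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPropagationComplete_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPropagationComplete_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPropagationComplete_SystemCall_6_3_XXXX
        jmp     NtPropagationComplete_SystemCall_Unknown
NtPropagationComplete_Check_6_0_XXXX:           ; OSBuildNumber dispatch, Windows Vista.
        ; OSBuildNumber is a USHORT at +120h with OSCSDVersion in the next word,
        ; so only the low word is compared (was dword ptr, which a non-zero
        ; service-pack field would defeat).
        cmp     word ptr [rax+120h], 6000
        je      NtPropagationComplete_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtPropagationComplete_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtPropagationComplete_SystemCall_6_0_6002
        jmp     NtPropagationComplete_SystemCall_Unknown
NtPropagationComplete_Check_6_1_XXXX:           ; OSBuildNumber dispatch, Windows 7.
        cmp     word ptr [rax+120h], 7600
        je      NtPropagationComplete_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtPropagationComplete_SystemCall_6_1_7601
        jmp     NtPropagationComplete_SystemCall_Unknown
NtPropagationComplete_Check_10_0_XXXX:          ; OSBuildNumber dispatch, Windows 10.
        cmp     word ptr [rax+120h], 10240
        je      NtPropagationComplete_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtPropagationComplete_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtPropagationComplete_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtPropagationComplete_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtPropagationComplete_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtPropagationComplete_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtPropagationComplete_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtPropagationComplete_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtPropagationComplete_SystemCall_10_0_18363
        jmp     NtPropagationComplete_SystemCall_Unknown
NtPropagationComplete_SystemCall_6_0_6000:      ; Windows Vista SP0
        mov     eax, 0108h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0104h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0104h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_6_1_7600:      ; Windows 7 SP0
        mov     eax, 010ah
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 010ah
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
        mov     eax, 011ch
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
        mov     eax, 011fh
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
        mov     eax, 0125h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
        mov     eax, 0128h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
        mov     eax, 012bh
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
        mov     eax, 012fh
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
        mov     eax, 0131h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
        mov     eax, 0133h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
        mov     eax, 0134h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
        mov     eax, 0135h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
        mov     eax, 0135h
        jmp     NtPropagationComplete_Epilogue
NtPropagationComplete_SystemCall_Unknown:       ; OS version not in the table.
        mov     eax, 0C0000002h                 ; FIX: STATUS_NOT_IMPLEMENTED; previously returned the PEB pointer left in rax.
        ret
NtPropagationComplete_Epilogue:
        mov     r10, rcx                        ; syscall overwrites rcx; the kernel takes arg1 from r10.
        syscall
        ret
NtPropagationComplete ENDP

;-----------------------------------------------------------------------
; NtPropagationFailed -- direct system-call stub (Microsoft x64 ABI).
; In:    caller's arguments untouched in rcx, rdx, r8, r9 and on the stack.
; Out:   eax = NTSTATUS from the kernel; the unsupported-version path is
;        in the remainder of this PROC, below this edit.
; Clobb: rax, rcx, r10, r11, flags (syscall overwrites rcx and r11).
; Note:  the build table follows below; it must be regenerated for newer builds.
;-----------------------------------------------------------------------
NtPropagationFailed PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtPropagationFailed_Check_X_X_XXXX:             ; Dispatch on OSMajorVersion (no XP/2003 entry for this call).
        cmp     dword ptr [rax+118h], 6
        je      NtPropagationFailed_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtPropagationFailed_Check_10_0_XXXX
        jmp     NtPropagationFailed_SystemCall_Unknown
NtPropagationFailed_Check_6_X_XXXX:             ; Dispatch on OSMinorVersion (Vista / 7 / 8 / 8.1).
        cmp     dword ptr [rax+11ch], 0
        je      NtPropagationFailed_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtPropagationFailed_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtPropagationFailed_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; FIX: was 2, so the 6.3 (Windows 8.1) branch was unreachable.
        je      NtPropagationFailed_SystemCall_6_3_XXXX
        jmp     NtPropagationFailed_SystemCall_Unknown
NtPropagationFailed_Check_6_0_XXXX:             ; OSBuildNumber dispatch, Windows Vista.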
cmp dword ptr [rax+120h], 6000 je NtPropagationFailed_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtPropagationFailed_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtPropagationFailed_SystemCall_6_0_6002 jmp NtPropagationFailed_SystemCall_Unknown NtPropagationFailed_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtPropagationFailed_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtPropagationFailed_SystemCall_6_1_7601 jmp NtPropagationFailed_SystemCall_Unknown NtPropagationFailed_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtPropagationFailed_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtPropagationFailed_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtPropagationFailed_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtPropagationFailed_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtPropagationFailed_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtPropagationFailed_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtPropagationFailed_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtPropagationFailed_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtPropagationFailed_SystemCall_10_0_18363 jmp NtPropagationFailed_SystemCall_Unknown NtPropagationFailed_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0109h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0105h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0105h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 010bh jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 010bh jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_6_2_XXXX: ; Windows 8 and 
Server 2012 mov eax, 011dh jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0120h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0126h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0129h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 012ch jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0130h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0132h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0134h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0135h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0136h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0136h jmp NtPropagationFailed_Epilogue NtPropagationFailed_SystemCall_Unknown: ; Unknown/unsupported version. ret NtPropagationFailed_Epilogue: mov r10, rcx syscall ret NtPropagationFailed ENDP NtProtectVirtualMemory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtProtectVirtualMemory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtProtectVirtualMemory_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtProtectVirtualMemory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtProtectVirtualMemory_Check_10_0_XXXX jmp NtProtectVirtualMemory_SystemCall_Unknown NtProtectVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtProtectVirtualMemory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtProtectVirtualMemory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtProtectVirtualMemory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtProtectVirtualMemory_SystemCall_6_3_XXXX jmp NtProtectVirtualMemory_SystemCall_Unknown NtProtectVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtProtectVirtualMemory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtProtectVirtualMemory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtProtectVirtualMemory_SystemCall_6_0_6002 jmp NtProtectVirtualMemory_SystemCall_Unknown NtProtectVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtProtectVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtProtectVirtualMemory_SystemCall_6_1_7601 jmp NtProtectVirtualMemory_SystemCall_Unknown NtProtectVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtProtectVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtProtectVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtProtectVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtProtectVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtProtectVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtProtectVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtProtectVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtProtectVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtProtectVirtualMemory_SystemCall_10_0_18363 jmp NtProtectVirtualMemory_SystemCall_Unknown NtProtectVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 004dh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 004dh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 004dh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 004dh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 004dh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 004dh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 004eh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 004fh jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0050h jmp 
NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0050h jmp NtProtectVirtualMemory_Epilogue NtProtectVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtProtectVirtualMemory_Epilogue: mov r10, rcx syscall ret NtProtectVirtualMemory ENDP NtPullTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtPullTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtPullTransaction_Check_6_X_XXXX jmp NtPullTransaction_SystemCall_Unknown NtPullTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtPullTransaction_Check_6_0_XXXX jmp NtPullTransaction_SystemCall_Unknown NtPullTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtPullTransaction_SystemCall_6_0_6000 jmp NtPullTransaction_SystemCall_Unknown NtPullTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 010ah jmp NtPullTransaction_Epilogue NtPullTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtPullTransaction_Epilogue: mov r10, rcx syscall ret NtPullTransaction ENDP NtPulseEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtPulseEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtPulseEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtPulseEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtPulseEvent_Check_10_0_XXXX jmp NtPulseEvent_SystemCall_Unknown NtPulseEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtPulseEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtPulseEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtPulseEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtPulseEvent_SystemCall_6_3_XXXX jmp NtPulseEvent_SystemCall_Unknown NtPulseEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtPulseEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtPulseEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtPulseEvent_SystemCall_6_0_6002 jmp NtPulseEvent_SystemCall_Unknown NtPulseEvent_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtPulseEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtPulseEvent_SystemCall_6_1_7601 jmp NtPulseEvent_SystemCall_Unknown NtPulseEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtPulseEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtPulseEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtPulseEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtPulseEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtPulseEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtPulseEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtPulseEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtPulseEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtPulseEvent_SystemCall_10_0_18363 jmp NtPulseEvent_SystemCall_Unknown NtPulseEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00c7h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 010bh jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0106h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0106h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 010ch jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 010ch jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 011eh jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0121h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0127h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 012ah jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 012dh jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0131h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov 
eax, 0133h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0135h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0136h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0137h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0137h jmp NtPulseEvent_Epilogue NtPulseEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtPulseEvent_Epilogue: mov r10, rcx syscall ret NtPulseEvent ENDP NtQueryAttributesFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryAttributesFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryAttributesFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryAttributesFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryAttributesFile_Check_10_0_XXXX jmp NtQueryAttributesFile_SystemCall_Unknown NtQueryAttributesFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryAttributesFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryAttributesFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryAttributesFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryAttributesFile_SystemCall_6_3_XXXX jmp NtQueryAttributesFile_SystemCall_Unknown NtQueryAttributesFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryAttributesFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryAttributesFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryAttributesFile_SystemCall_6_0_6002 jmp NtQueryAttributesFile_SystemCall_Unknown NtQueryAttributesFile_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtQueryAttributesFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryAttributesFile_SystemCall_6_1_7601 jmp NtQueryAttributesFile_SystemCall_Unknown NtQueryAttributesFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryAttributesFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryAttributesFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryAttributesFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryAttributesFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryAttributesFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryAttributesFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryAttributesFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryAttributesFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryAttributesFile_SystemCall_10_0_18363 jmp NtQueryAttributesFile_SystemCall_Unknown NtQueryAttributesFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 003ah jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 003ah jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 003ah jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 003ah jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 003ah jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 003ah jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 003bh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 003ch jmp 
NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 003dh jmp NtQueryAttributesFile_Epilogue NtQueryAttributesFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryAttributesFile_Epilogue: mov r10, rcx syscall ret NtQueryAttributesFile ENDP NtQueryAuxiliaryCounterFrequency PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryAuxiliaryCounterFrequency_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtQueryAuxiliaryCounterFrequency_Check_10_0_XXXX jmp NtQueryAuxiliaryCounterFrequency_SystemCall_Unknown NtQueryAuxiliaryCounterFrequency_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 15063 je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18363 jmp NtQueryAuxiliaryCounterFrequency_SystemCall_Unknown NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0132h jmp NtQueryAuxiliaryCounterFrequency_Epilogue NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0134h jmp NtQueryAuxiliaryCounterFrequency_Epilogue NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0136h jmp NtQueryAuxiliaryCounterFrequency_Epilogue NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0137h jmp NtQueryAuxiliaryCounterFrequency_Epilogue NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0138h jmp NtQueryAuxiliaryCounterFrequency_Epilogue NtQueryAuxiliaryCounterFrequency_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0138h jmp NtQueryAuxiliaryCounterFrequency_Epilogue NtQueryAuxiliaryCounterFrequency_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryAuxiliaryCounterFrequency_Epilogue: mov r10, rcx syscall ret NtQueryAuxiliaryCounterFrequency ENDP NtQueryBootEntryOrder PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryBootEntryOrder_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtQueryBootEntryOrder_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryBootEntryOrder_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryBootEntryOrder_Check_10_0_XXXX jmp NtQueryBootEntryOrder_SystemCall_Unknown NtQueryBootEntryOrder_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryBootEntryOrder_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryBootEntryOrder_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryBootEntryOrder_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryBootEntryOrder_SystemCall_6_3_XXXX jmp NtQueryBootEntryOrder_SystemCall_Unknown NtQueryBootEntryOrder_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryBootEntryOrder_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryBootEntryOrder_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryBootEntryOrder_SystemCall_6_0_6002 jmp NtQueryBootEntryOrder_SystemCall_Unknown NtQueryBootEntryOrder_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryBootEntryOrder_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryBootEntryOrder_SystemCall_6_1_7601 jmp NtQueryBootEntryOrder_SystemCall_Unknown NtQueryBootEntryOrder_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryBootEntryOrder_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryBootEntryOrder_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryBootEntryOrder_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryBootEntryOrder_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryBootEntryOrder_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryBootEntryOrder_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryBootEntryOrder_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryBootEntryOrder_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryBootEntryOrder_SystemCall_10_0_18363 jmp NtQueryBootEntryOrder_SystemCall_Unknown NtQueryBootEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00c8h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 010ch jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0107h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0107h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 010dh jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 010dh jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 011fh jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0122h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0128h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 012bh jmp NtQueryBootEntryOrder_Epilogue 
NtQueryBootEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 012eh jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0133h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0135h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0137h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0138h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0139h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0139h jmp NtQueryBootEntryOrder_Epilogue NtQueryBootEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryBootEntryOrder_Epilogue: mov r10, rcx syscall ret NtQueryBootEntryOrder ENDP NtQueryBootOptions PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryBootOptions_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryBootOptions_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryBootOptions_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryBootOptions_Check_10_0_XXXX jmp NtQueryBootOptions_SystemCall_Unknown NtQueryBootOptions_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryBootOptions_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryBootOptions_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryBootOptions_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryBootOptions_SystemCall_6_3_XXXX jmp NtQueryBootOptions_SystemCall_Unknown NtQueryBootOptions_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQueryBootOptions_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryBootOptions_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryBootOptions_SystemCall_6_0_6002 jmp NtQueryBootOptions_SystemCall_Unknown NtQueryBootOptions_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryBootOptions_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryBootOptions_SystemCall_6_1_7601 jmp NtQueryBootOptions_SystemCall_Unknown NtQueryBootOptions_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryBootOptions_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryBootOptions_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryBootOptions_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryBootOptions_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryBootOptions_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryBootOptions_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryBootOptions_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryBootOptions_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryBootOptions_SystemCall_10_0_18363 jmp NtQueryBootOptions_SystemCall_Unknown NtQueryBootOptions_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00c9h jmp NtQueryBootOptions_Epilogue NtQueryBootOptions_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 010dh jmp NtQueryBootOptions_Epilogue NtQueryBootOptions_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0108h jmp NtQueryBootOptions_Epilogue NtQueryBootOptions_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0108h jmp NtQueryBootOptions_Epilogue NtQueryBootOptions_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 010eh jmp NtQueryBootOptions_Epilogue NtQueryBootOptions_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 010eh jmp 
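NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0120h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0123h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 0129h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 012ch
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 012fh
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 0134h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 0136h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0138h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0139h
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 013ah
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 013ah
    jmp NtQueryBootOptions_Epilogue
NtQueryBootOptions_SystemCall_Unknown: ; Unknown/unsupported version.
    ret
NtQueryBootOptions_Epilogue:
    mov r10, rcx
    syscall
    ret
NtQueryBootOptions ENDP

;-----------------------------------------------------------------------
; Direct system-call stubs (Microsoft x64 ABI).
;
; Every stub below follows one template: read the PEB through gs:[60h],
; pick the system-call number for the running OS from
;   PEB+118h  OSMajorVersion  (dword)
;   PEB+11ch  OSMinorVersion  (dword)
;   PEB+120h  OSBuildNumber   (word) -- PEB+122h is the separate OSCSDVersion word
; and then forward the caller's arguments unchanged: rcx is copied to r10
; because the syscall instruction overwrites rcx; rdx, r8, r9 and the
; stack arguments are already where the kernel expects them.
; Only rax, r10, r11 and flags are modified (all volatile under the ABI).
;
; Corrections relative to the generated template:
;   * the minor-version table compared against 2 twice, so the 6.3
;     (Windows 8.1 / Server 2012 R2) entry was unreachable -- it is now 3;
;   * the build number is compared as a word: a dword compare also took
;     in OSCSDVersion, which is non-zero once a service pack is installed,
;     so entries such as 7601 (Windows 7 SP1) could never match;
;   * an unsupported build returns STATUS_NOT_IMPLEMENTED (0C0000002h)
;     instead of leaving the PEB pointer in rax as the "status".
; Unknown builds are still rejected rather than guessed: builds newer
; than 18363 are not in the tables and must be added, never extrapolated.
; The other stubs in this file produced from the same template need the
; same three corrections.
; Because the stub executes syscall itself, the call never enters ntdll,
; so instrumentation placed on ntdll exports does not observe it.
;-----------------------------------------------------------------------

;-----------------------------------------------------------------------
; NtQueryDebugFilterState -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryDebugFilterState PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDebugFilterState_Check_X_X_XXXX:                 ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryDebugFilterState_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryDebugFilterState_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryDebugFilterState_Check_10_0_XXXX
    jmp NtQueryDebugFilterState_SystemCall_Unknown
NtQueryDebugFilterState_Check_6_X_XXXX:                 ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryDebugFilterState_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryDebugFilterState_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryDebugFilterState_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1 (template compared 2 twice)
    je NtQueryDebugFilterState_SystemCall_6_3_XXXX
    jmp NtQueryDebugFilterState_SystemCall_Unknown
NtQueryDebugFilterState_Check_6_0_XXXX:                 ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryDebugFilterState_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryDebugFilterState_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryDebugFilterState_SystemCall_6_0_6002
    jmp NtQueryDebugFilterState_SystemCall_Unknown
NtQueryDebugFilterState_Check_6_1_XXXX:                 ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryDebugFilterState_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryDebugFilterState_SystemCall_6_1_7601
    jmp NtQueryDebugFilterState_SystemCall_Unknown
NtQueryDebugFilterState_Check_10_0_XXXX:                ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryDebugFilterState_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryDebugFilterState_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryDebugFilterState_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryDebugFilterState_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryDebugFilterState_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDebugFilterState_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDebugFilterState_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDebugFilterState_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDebugFilterState_SystemCall_10_0_18363
    jmp NtQueryDebugFilterState_SystemCall_Unknown
NtQueryDebugFilterState_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
    mov eax, 00cah
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_0_6000:            ; Windows Vista SP0
    mov eax, 010eh
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0109h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0109h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_1_7600:            ; Windows 7 SP0
    mov eax, 010fh
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 010fh
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
    mov eax, 0121h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
    mov eax, 0124h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
    mov eax, 012ah
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
    mov eax, 012dh
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
    mov eax, 0130h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
    mov eax, 0135h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
    mov eax, 0137h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
    mov eax, 0139h
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
    mov eax, 013ah
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
    mov eax, 013bh
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
    mov eax, 013bh
    jmp NtQueryDebugFilterState_Epilogue
NtQueryDebugFilterState_SystemCall_Unknown:             ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED, not the PEB pointer
    ret
NtQueryDebugFilterState_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDebugFilterState ENDP

;-----------------------------------------------------------------------
; NtQueryDefaultLocale -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryDefaultLocale PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDefaultLocale_Check_X_X_XXXX:                    ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryDefaultLocale_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryDefaultLocale_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryDefaultLocale_Check_10_0_XXXX
    jmp NtQueryDefaultLocale_SystemCall_Unknown
NtQueryDefaultLocale_Check_6_X_XXXX:                    ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryDefaultLocale_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryDefaultLocale_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryDefaultLocale_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1
    je NtQueryDefaultLocale_SystemCall_6_3_XXXX
    jmp NtQueryDefaultLocale_SystemCall_Unknown
NtQueryDefaultLocale_Check_6_0_XXXX:                    ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryDefaultLocale_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryDefaultLocale_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryDefaultLocale_SystemCall_6_0_6002
    jmp NtQueryDefaultLocale_SystemCall_Unknown
NtQueryDefaultLocale_Check_6_1_XXXX:                    ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryDefaultLocale_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryDefaultLocale_SystemCall_6_1_7601
    jmp NtQueryDefaultLocale_SystemCall_Unknown
NtQueryDefaultLocale_Check_10_0_XXXX:                   ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryDefaultLocale_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryDefaultLocale_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryDefaultLocale_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryDefaultLocale_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryDefaultLocale_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDefaultLocale_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDefaultLocale_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDefaultLocale_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDefaultLocale_SystemCall_10_0_18363
    jmp NtQueryDefaultLocale_SystemCall_Unknown
NtQueryDefaultLocale_SystemCall_5_X_XXXX:               ; Windows XP and Server 2003
    mov eax, 0012h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_0_6000:               ; Windows Vista SP0
    mov eax, 0012h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_0_6001:               ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0012h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_0_6002:               ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0012h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_1_7600:               ; Windows 7 SP0
    mov eax, 0012h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_1_7601:               ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0012h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
    mov eax, 0013h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
    mov eax, 0014h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
    mov eax, 0015h
    jmp NtQueryDefaultLocale_Epilogue
NtQueryDefaultLocale_SystemCall_Unknown:                ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryDefaultLocale_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDefaultLocale ENDP

;-----------------------------------------------------------------------
; NtQueryDefaultUILanguage -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryDefaultUILanguage PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDefaultUILanguage_Check_X_X_XXXX:                ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryDefaultUILanguage_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryDefaultUILanguage_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryDefaultUILanguage_Check_10_0_XXXX
    jmp NtQueryDefaultUILanguage_SystemCall_Unknown
NtQueryDefaultUILanguage_Check_6_X_XXXX:                ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryDefaultUILanguage_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryDefaultUILanguage_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryDefaultUILanguage_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1
    je NtQueryDefaultUILanguage_SystemCall_6_3_XXXX
    jmp NtQueryDefaultUILanguage_SystemCall_Unknown
NtQueryDefaultUILanguage_Check_6_0_XXXX:                ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryDefaultUILanguage_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryDefaultUILanguage_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryDefaultUILanguage_SystemCall_6_0_6002
    jmp NtQueryDefaultUILanguage_SystemCall_Unknown
NtQueryDefaultUILanguage_Check_6_1_XXXX:                ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryDefaultUILanguage_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryDefaultUILanguage_SystemCall_6_1_7601
    jmp NtQueryDefaultUILanguage_SystemCall_Unknown
NtQueryDefaultUILanguage_Check_10_0_XXXX:               ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryDefaultUILanguage_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryDefaultUILanguage_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryDefaultUILanguage_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryDefaultUILanguage_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryDefaultUILanguage_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDefaultUILanguage_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDefaultUILanguage_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDefaultUILanguage_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDefaultUILanguage_SystemCall_10_0_18363
    jmp NtQueryDefaultUILanguage_SystemCall_Unknown
NtQueryDefaultUILanguage_SystemCall_5_X_XXXX:           ; Windows XP and Server 2003
    mov eax, 0041h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_0_6000:           ; Windows Vista SP0
    mov eax, 0041h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_0_6001:           ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0041h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_0_6002:           ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0041h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_1_7600:           ; Windows 7 SP0
    mov eax, 0041h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_1_7601:           ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0041h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_2_XXXX:           ; Windows 8 and Server 2012
    mov eax, 0042h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_6_3_XXXX:           ; Windows 8.1 and Server 2012 R2
    mov eax, 0043h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_10240:         ; Windows 10.0.10240 (1507)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
    mov eax, 0044h
    jmp NtQueryDefaultUILanguage_Epilogue
NtQueryDefaultUILanguage_SystemCall_Unknown:            ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryDefaultUILanguage_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDefaultUILanguage ENDP

;-----------------------------------------------------------------------
; NtQueryDirectoryFile -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryDirectoryFile PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDirectoryFile_Check_X_X_XXXX:                    ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryDirectoryFile_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryDirectoryFile_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryDirectoryFile_Check_10_0_XXXX
    jmp NtQueryDirectoryFile_SystemCall_Unknown
NtQueryDirectoryFile_Check_6_X_XXXX:                    ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryDirectoryFile_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryDirectoryFile_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryDirectoryFile_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1
    je NtQueryDirectoryFile_SystemCall_6_3_XXXX
    jmp NtQueryDirectoryFile_SystemCall_Unknown
NtQueryDirectoryFile_Check_6_0_XXXX:                    ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryDirectoryFile_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryDirectoryFile_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryDirectoryFile_SystemCall_6_0_6002
    jmp NtQueryDirectoryFile_SystemCall_Unknown
NtQueryDirectoryFile_Check_6_1_XXXX:                    ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryDirectoryFile_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryDirectoryFile_SystemCall_6_1_7601
    jmp NtQueryDirectoryFile_SystemCall_Unknown
NtQueryDirectoryFile_Check_10_0_XXXX:                   ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryDirectoryFile_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryDirectoryFile_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryDirectoryFile_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryDirectoryFile_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryDirectoryFile_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDirectoryFile_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDirectoryFile_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDirectoryFile_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDirectoryFile_SystemCall_10_0_18363
    jmp NtQueryDirectoryFile_SystemCall_Unknown
NtQueryDirectoryFile_SystemCall_5_X_XXXX:               ; Windows XP and Server 2003
    mov eax, 0032h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_0_6000:               ; Windows Vista SP0
    mov eax, 0032h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_0_6001:               ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0032h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_0_6002:               ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0032h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_1_7600:               ; Windows 7 SP0
    mov eax, 0032h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_1_7601:               ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0032h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
    mov eax, 0033h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
    mov eax, 0034h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
    mov eax, 0035h
    jmp NtQueryDirectoryFile_Epilogue
NtQueryDirectoryFile_SystemCall_Unknown:                ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryDirectoryFile_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDirectoryFile ENDP

;-----------------------------------------------------------------------
; NtQueryDirectoryFileEx -- direct system-call stub (see block header)
; Only present in the table from Windows 10.0.16299 (1709) onward; every
; other major version or build returns STATUS_NOT_IMPLEMENTED.
;-----------------------------------------------------------------------
NtQueryDirectoryFileEx PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDirectoryFileEx_Check_X_X_XXXX:                  ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 10
    je NtQueryDirectoryFileEx_Check_10_0_XXXX
    jmp NtQueryDirectoryFileEx_SystemCall_Unknown
NtQueryDirectoryFileEx_Check_10_0_XXXX:                 ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 16299
    je NtQueryDirectoryFileEx_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDirectoryFileEx_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDirectoryFileEx_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDirectoryFileEx_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDirectoryFileEx_SystemCall_10_0_18363
    jmp NtQueryDirectoryFileEx_SystemCall_Unknown
NtQueryDirectoryFileEx_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
    mov eax, 0138h
    jmp NtQueryDirectoryFileEx_Epilogue
NtQueryDirectoryFileEx_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
    mov eax, 013ah
    jmp NtQueryDirectoryFileEx_Epilogue
NtQueryDirectoryFileEx_SystemCall_10_0_17763:           ; Windows 10.0.17763 (1809)
    mov eax, 013bh
    jmp NtQueryDirectoryFileEx_Epilogue
NtQueryDirectoryFileEx_SystemCall_10_0_18362:           ; Windows 10.0.18362 (1903)
    mov eax, 013ch
    jmp NtQueryDirectoryFileEx_Epilogue
NtQueryDirectoryFileEx_SystemCall_10_0_18363:           ; Windows 10.0.18363 (1909)
    mov eax, 013ch
    jmp NtQueryDirectoryFileEx_Epilogue
NtQueryDirectoryFileEx_SystemCall_Unknown:              ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryDirectoryFileEx_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDirectoryFileEx ENDP

;-----------------------------------------------------------------------
; NtQueryDirectoryObject -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryDirectoryObject PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDirectoryObject_Check_X_X_XXXX:                  ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryDirectoryObject_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryDirectoryObject_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryDirectoryObject_Check_10_0_XXXX
    jmp NtQueryDirectoryObject_SystemCall_Unknown
NtQueryDirectoryObject_Check_6_X_XXXX:                  ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryDirectoryObject_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryDirectoryObject_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryDirectoryObject_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1
    je NtQueryDirectoryObject_SystemCall_6_3_XXXX
    jmp NtQueryDirectoryObject_SystemCall_Unknown
NtQueryDirectoryObject_Check_6_0_XXXX:                  ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryDirectoryObject_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryDirectoryObject_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryDirectoryObject_SystemCall_6_0_6002
    jmp NtQueryDirectoryObject_SystemCall_Unknown
NtQueryDirectoryObject_Check_6_1_XXXX:                  ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryDirectoryObject_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryDirectoryObject_SystemCall_6_1_7601
    jmp NtQueryDirectoryObject_SystemCall_Unknown
NtQueryDirectoryObject_Check_10_0_XXXX:                 ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryDirectoryObject_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryDirectoryObject_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryDirectoryObject_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryDirectoryObject_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryDirectoryObject_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDirectoryObject_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDirectoryObject_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDirectoryObject_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDirectoryObject_SystemCall_10_0_18363
    jmp NtQueryDirectoryObject_SystemCall_Unknown
NtQueryDirectoryObject_SystemCall_5_X_XXXX:             ; Windows XP and Server 2003
    mov eax, 00cbh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_0_6000:             ; Windows Vista SP0
    mov eax, 010fh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_0_6001:             ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 010ah
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_0_6002:             ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 010ah
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_1_7600:             ; Windows 7 SP0
    mov eax, 0110h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_1_7601:             ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0110h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_2_XXXX:             ; Windows 8 and Server 2012
    mov eax, 0122h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_6_3_XXXX:             ; Windows 8.1 and Server 2012 R2
    mov eax, 0125h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_10240:           ; Windows 10.0.10240 (1507)
    mov eax, 012bh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_10586:           ; Windows 10.0.10586 (1511)
    mov eax, 012eh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_14393:           ; Windows 10.0.14393 (1607)
    mov eax, 0131h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_15063:           ; Windows 10.0.15063 (1703)
    mov eax, 0136h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
    mov eax, 0139h
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
    mov eax, 013bh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_17763:           ; Windows 10.0.17763 (1809)
    mov eax, 013ch
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_18362:           ; Windows 10.0.18362 (1903)
    mov eax, 013dh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_10_0_18363:           ; Windows 10.0.18363 (1909)
    mov eax, 013dh
    jmp NtQueryDirectoryObject_Epilogue
NtQueryDirectoryObject_SystemCall_Unknown:              ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryDirectoryObject_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDirectoryObject ENDP

;-----------------------------------------------------------------------
; NtQueryDriverEntryOrder -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryDriverEntryOrder PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryDriverEntryOrder_Check_X_X_XXXX:                 ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryDriverEntryOrder_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryDriverEntryOrder_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryDriverEntryOrder_Check_10_0_XXXX
    jmp NtQueryDriverEntryOrder_SystemCall_Unknown
NtQueryDriverEntryOrder_Check_6_X_XXXX:                 ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryDriverEntryOrder_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryDriverEntryOrder_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryDriverEntryOrder_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1
    je NtQueryDriverEntryOrder_SystemCall_6_3_XXXX
    jmp NtQueryDriverEntryOrder_SystemCall_Unknown
NtQueryDriverEntryOrder_Check_6_0_XXXX:                 ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryDriverEntryOrder_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryDriverEntryOrder_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryDriverEntryOrder_SystemCall_6_0_6002
    jmp NtQueryDriverEntryOrder_SystemCall_Unknown
NtQueryDriverEntryOrder_Check_6_1_XXXX:                 ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryDriverEntryOrder_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryDriverEntryOrder_SystemCall_6_1_7601
    jmp NtQueryDriverEntryOrder_SystemCall_Unknown
NtQueryDriverEntryOrder_Check_10_0_XXXX:                ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryDriverEntryOrder_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryDriverEntryOrder_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryDriverEntryOrder_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryDriverEntryOrder_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryDriverEntryOrder_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryDriverEntryOrder_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryDriverEntryOrder_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryDriverEntryOrder_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryDriverEntryOrder_SystemCall_10_0_18363
    jmp NtQueryDriverEntryOrder_SystemCall_Unknown
NtQueryDriverEntryOrder_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
    mov eax, 00cch
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_0_6000:            ; Windows Vista SP0
    mov eax, 0110h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 010bh
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 010bh
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_1_7600:            ; Windows 7 SP0
    mov eax, 0111h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0111h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
    mov eax, 0123h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
    mov eax, 0126h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
    mov eax, 012ch
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
    mov eax, 012fh
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
    mov eax, 0132h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
    mov eax, 0137h
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
    mov eax, 013ah
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
    mov eax, 013ch
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
    mov eax, 013dh
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
    mov eax, 013eh
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
    mov eax, 013eh
    jmp NtQueryDriverEntryOrder_Epilogue
NtQueryDriverEntryOrder_SystemCall_Unknown:             ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryDriverEntryOrder_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryDriverEntryOrder ENDP

;-----------------------------------------------------------------------
; NtQueryEaFile -- direct system-call stub (see block header)
;-----------------------------------------------------------------------
NtQueryEaFile PROC
    mov rax, gs:[60h]                                   ; rax = PEB
NtQueryEaFile_Check_X_X_XXXX:                           ; PEB->OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtQueryEaFile_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryEaFile_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryEaFile_Check_10_0_XXXX
    jmp NtQueryEaFile_SystemCall_Unknown
NtQueryEaFile_Check_6_X_XXXX:                           ; PEB->OSMinorVersion (Vista/7/8/8.1)
    cmp dword ptr [rax+11ch], 0
    je NtQueryEaFile_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryEaFile_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryEaFile_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                         ; 6.3 = Windows 8.1
    je NtQueryEaFile_SystemCall_6_3_XXXX
    jmp NtQueryEaFile_SystemCall_Unknown
NtQueryEaFile_Check_6_0_XXXX:                           ; PEB->OSBuildNumber (word), Windows Vista
    cmp word ptr [rax+120h], 6000
    je NtQueryEaFile_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtQueryEaFile_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtQueryEaFile_SystemCall_6_0_6002
    jmp NtQueryEaFile_SystemCall_Unknown
NtQueryEaFile_Check_6_1_XXXX:                           ; PEB->OSBuildNumber (word), Windows 7
    cmp word ptr [rax+120h], 7600
    je NtQueryEaFile_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtQueryEaFile_SystemCall_6_1_7601
    jmp NtQueryEaFile_SystemCall_Unknown
NtQueryEaFile_Check_10_0_XXXX:                          ; PEB->OSBuildNumber (word), Windows 10
    cmp word ptr [rax+120h], 10240
    je NtQueryEaFile_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtQueryEaFile_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtQueryEaFile_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtQueryEaFile_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtQueryEaFile_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtQueryEaFile_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtQueryEaFile_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtQueryEaFile_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtQueryEaFile_SystemCall_10_0_18363
    jmp NtQueryEaFile_SystemCall_Unknown
NtQueryEaFile_SystemCall_5_X_XXXX:                      ; Windows XP and Server 2003
    mov eax, 00cdh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_0_6000:                      ; Windows Vista SP0
    mov eax, 0111h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_0_6001:                      ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 010ch
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_0_6002:                      ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 010ch
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_1_7600:                      ; Windows 7 SP0
    mov eax, 0112h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_1_7601:                      ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0112h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_2_XXXX:                      ; Windows 8 and Server 2012
    mov eax, 0124h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_6_3_XXXX:                      ; Windows 8.1 and Server 2012 R2
    mov eax, 0127h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_10240:                    ; Windows 10.0.10240 (1507)
    mov eax, 012dh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_10586:                    ; Windows 10.0.10586 (1511)
    mov eax, 0130h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_14393:                    ; Windows 10.0.14393 (1607)
    mov eax, 0133h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_15063:                    ; Windows 10.0.15063 (1703)
    mov eax, 0138h
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_16299:                    ; Windows 10.0.16299 (1709)
    mov eax, 013bh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_17134:                    ; Windows 10.0.17134 (1803)
    mov eax, 013dh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_17763:                    ; Windows 10.0.17763 (1809)
    mov eax, 013eh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_18362:                    ; Windows 10.0.18362 (1903)
    mov eax, 013fh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_10_0_18363:                    ; Windows 10.0.18363 (1909)
    mov eax, 013fh
    jmp NtQueryEaFile_Epilogue
NtQueryEaFile_SystemCall_Unknown:                       ; Unknown/unsupported version.
    mov eax, 0C0000002h                                 ; STATUS_NOT_IMPLEMENTED
    ret
NtQueryEaFile_Epilogue:
    mov r10, rcx                                        ; syscall overwrites rcx; kernel takes arg1 in r10
    syscall
    ret
NtQueryEaFile ENDP

NtQueryEvent PROC
    mov rax, gs:[60h] ; Load PEB into RAX.
NtQueryEvent_Check_X_X_XXXX: ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtQueryEvent_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtQueryEvent_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtQueryEvent_Check_10_0_XXXX
    jmp NtQueryEvent_SystemCall_Unknown
NtQueryEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtQueryEvent_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtQueryEvent_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryEvent_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtQueryEvent_SystemCall_6_3_XXXX
    jmp NtQueryEvent_SystemCall_Unknown
NtQueryEvent_Check_6_0_XXXX: ; Check build number for Windows Vista.
    cmp dword ptr [rax+120h], 6000
    je NtQueryEvent_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtQueryEvent_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtQueryEvent_SystemCall_6_0_6002
    jmp NtQueryEvent_SystemCall_Unknown
NtQueryEvent_Check_6_1_XXXX: ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtQueryEvent_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtQueryEvent_SystemCall_6_1_7601
    jmp NtQueryEvent_SystemCall_Unknown
NtQueryEvent_Check_10_0_XXXX: ; Check build number for Windows 10.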
cmp dword ptr [rax+120h], 10240 je NtQueryEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryEvent_SystemCall_10_0_18363 jmp NtQueryEvent_SystemCall_Unknown NtQueryEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0053h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0053h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0053h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0053h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0053h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0053h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0054h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0055h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov 
eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0056h jmp NtQueryEvent_Epilogue NtQueryEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryEvent_Epilogue: mov r10, rcx syscall ret NtQueryEvent ENDP NtQueryFullAttributesFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryFullAttributesFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryFullAttributesFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryFullAttributesFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryFullAttributesFile_Check_10_0_XXXX jmp NtQueryFullAttributesFile_SystemCall_Unknown NtQueryFullAttributesFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryFullAttributesFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryFullAttributesFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryFullAttributesFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryFullAttributesFile_SystemCall_6_3_XXXX jmp NtQueryFullAttributesFile_SystemCall_Unknown NtQueryFullAttributesFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryFullAttributesFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryFullAttributesFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryFullAttributesFile_SystemCall_6_0_6002 jmp NtQueryFullAttributesFile_SystemCall_Unknown NtQueryFullAttributesFile_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtQueryFullAttributesFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryFullAttributesFile_SystemCall_6_1_7601 jmp NtQueryFullAttributesFile_SystemCall_Unknown NtQueryFullAttributesFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryFullAttributesFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryFullAttributesFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryFullAttributesFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryFullAttributesFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryFullAttributesFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryFullAttributesFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryFullAttributesFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryFullAttributesFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryFullAttributesFile_SystemCall_10_0_18363 jmp NtQueryFullAttributesFile_SystemCall_Unknown NtQueryFullAttributesFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00ceh jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0112h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 010dh jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 010dh jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0113h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0113h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0125h jmp 
NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0128h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 012eh jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0131h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0134h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0139h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 013ch jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 013eh jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 013fh jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0140h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0140h jmp NtQueryFullAttributesFile_Epilogue NtQueryFullAttributesFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryFullAttributesFile_Epilogue: mov r10, rcx syscall ret NtQueryFullAttributesFile ENDP NtQueryInformationAtom PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationAtom_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationAtom_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationAtom_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationAtom_Check_10_0_XXXX jmp NtQueryInformationAtom_SystemCall_Unknown NtQueryInformationAtom_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationAtom_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationAtom_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationAtom_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationAtom_SystemCall_6_3_XXXX jmp NtQueryInformationAtom_SystemCall_Unknown NtQueryInformationAtom_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationAtom_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationAtom_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationAtom_SystemCall_6_0_6002 jmp NtQueryInformationAtom_SystemCall_Unknown NtQueryInformationAtom_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationAtom_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationAtom_SystemCall_6_1_7601 jmp NtQueryInformationAtom_SystemCall_Unknown NtQueryInformationAtom_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationAtom_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationAtom_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationAtom_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationAtom_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationAtom_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationAtom_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationAtom_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationAtom_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationAtom_SystemCall_10_0_18363 jmp NtQueryInformationAtom_SystemCall_Unknown NtQueryInformationAtom_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00cfh jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0113h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 010eh jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 010eh jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0114h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0114h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0126h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0129h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 012fh jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0132h jmp 
NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0135h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 013ah jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 013dh jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 013fh jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0140h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0141h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0141h jmp NtQueryInformationAtom_Epilogue NtQueryInformationAtom_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationAtom_Epilogue: mov r10, rcx syscall ret NtQueryInformationAtom ENDP NtQueryInformationByName PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationByName_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtQueryInformationByName_Check_10_0_XXXX jmp NtQueryInformationByName_SystemCall_Unknown NtQueryInformationByName_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 15063 je NtQueryInformationByName_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationByName_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationByName_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationByName_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationByName_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationByName_SystemCall_10_0_18363 jmp NtQueryInformationByName_SystemCall_Unknown NtQueryInformationByName_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 013bh jmp NtQueryInformationByName_Epilogue NtQueryInformationByName_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 013eh jmp NtQueryInformationByName_Epilogue NtQueryInformationByName_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0140h jmp NtQueryInformationByName_Epilogue NtQueryInformationByName_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0141h jmp NtQueryInformationByName_Epilogue NtQueryInformationByName_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0142h jmp NtQueryInformationByName_Epilogue NtQueryInformationByName_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0142h jmp NtQueryInformationByName_Epilogue NtQueryInformationByName_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationByName_Epilogue: mov r10, rcx syscall ret NtQueryInformationByName ENDP NtQueryInformationEnlistment PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationEnlistment_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryInformationEnlistment_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationEnlistment_Check_10_0_XXXX jmp NtQueryInformationEnlistment_SystemCall_Unknown NtQueryInformationEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationEnlistment_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationEnlistment_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationEnlistment_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationEnlistment_SystemCall_6_3_XXXX jmp NtQueryInformationEnlistment_SystemCall_Unknown NtQueryInformationEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationEnlistment_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationEnlistment_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationEnlistment_SystemCall_6_0_6002 jmp NtQueryInformationEnlistment_SystemCall_Unknown NtQueryInformationEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationEnlistment_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationEnlistment_SystemCall_6_1_7601 jmp NtQueryInformationEnlistment_SystemCall_Unknown NtQueryInformationEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationEnlistment_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationEnlistment_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationEnlistment_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationEnlistment_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationEnlistment_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationEnlistment_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationEnlistment_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationEnlistment_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationEnlistment_SystemCall_10_0_18363 jmp NtQueryInformationEnlistment_SystemCall_Unknown NtQueryInformationEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0114h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 010fh jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 010fh jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0115h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0115h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0127h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 012ah jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0130h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_10586: ; Windows 
10.0.10586 (1511) mov eax, 0133h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0136h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 013ch jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 013fh jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0141h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0142h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0143h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0143h jmp NtQueryInformationEnlistment_Epilogue NtQueryInformationEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationEnlistment_Epilogue: mov r10, rcx syscall ret NtQueryInformationEnlistment ENDP NtQueryInformationFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationFile_Check_10_0_XXXX jmp NtQueryInformationFile_SystemCall_Unknown NtQueryInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationFile_SystemCall_6_3_XXXX jmp NtQueryInformationFile_SystemCall_Unknown NtQueryInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationFile_SystemCall_6_0_6002 jmp NtQueryInformationFile_SystemCall_Unknown NtQueryInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationFile_SystemCall_6_1_7601 jmp NtQueryInformationFile_SystemCall_Unknown NtQueryInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationFile_SystemCall_10_0_18363 jmp NtQueryInformationFile_SystemCall_Unknown NtQueryInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 000eh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 000eh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 000eh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 000eh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 000eh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 000eh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 000fh jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0010h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0011h jmp 
NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0011h jmp NtQueryInformationFile_Epilogue NtQueryInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationFile_Epilogue: mov r10, rcx syscall ret NtQueryInformationFile ENDP NtQueryInformationJobObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationJobObject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationJobObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationJobObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationJobObject_Check_10_0_XXXX jmp NtQueryInformationJobObject_SystemCall_Unknown NtQueryInformationJobObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationJobObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationJobObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationJobObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationJobObject_SystemCall_6_3_XXXX jmp NtQueryInformationJobObject_SystemCall_Unknown NtQueryInformationJobObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationJobObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationJobObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationJobObject_SystemCall_6_0_6002 jmp NtQueryInformationJobObject_SystemCall_Unknown NtQueryInformationJobObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationJobObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationJobObject_SystemCall_6_1_7601 jmp NtQueryInformationJobObject_SystemCall_Unknown NtQueryInformationJobObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationJobObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationJobObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationJobObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationJobObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationJobObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationJobObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationJobObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationJobObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationJobObject_SystemCall_10_0_18363 jmp NtQueryInformationJobObject_SystemCall_Unknown NtQueryInformationJobObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d0h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0115h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0110h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0110h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0116h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0116h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0128h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 012bh jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0131h jmp 
NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0134h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0137h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 013dh jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0140h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0142h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0143h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0144h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0144h jmp NtQueryInformationJobObject_Epilogue NtQueryInformationJobObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationJobObject_Epilogue: mov r10, rcx syscall ret NtQueryInformationJobObject ENDP NtQueryInformationPort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationPort_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationPort_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationPort_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationPort_Check_10_0_XXXX jmp NtQueryInformationPort_SystemCall_Unknown NtQueryInformationPort_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationPort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationPort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationPort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationPort_SystemCall_6_3_XXXX jmp NtQueryInformationPort_SystemCall_Unknown NtQueryInformationPort_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationPort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationPort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationPort_SystemCall_6_0_6002 jmp NtQueryInformationPort_SystemCall_Unknown NtQueryInformationPort_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationPort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationPort_SystemCall_6_1_7601 jmp NtQueryInformationPort_SystemCall_Unknown NtQueryInformationPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationPort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationPort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationPort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationPort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationPort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationPort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationPort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationPort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationPort_SystemCall_10_0_18363 jmp NtQueryInformationPort_SystemCall_Unknown NtQueryInformationPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d1h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0116h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0111h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0111h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0117h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0117h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0129h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 012ch jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0132h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0135h jmp 
NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0138h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 013eh jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0141h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0143h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0144h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0145h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0145h jmp NtQueryInformationPort_Epilogue NtQueryInformationPort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationPort_Epilogue: mov r10, rcx syscall ret NtQueryInformationPort ENDP NtQueryInformationProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationProcess_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationProcess_Check_10_0_XXXX jmp NtQueryInformationProcess_SystemCall_Unknown NtQueryInformationProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryInformationProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationProcess_SystemCall_6_3_XXXX jmp NtQueryInformationProcess_SystemCall_Unknown NtQueryInformationProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQueryInformationProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationProcess_SystemCall_6_0_6002 jmp NtQueryInformationProcess_SystemCall_Unknown NtQueryInformationProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationProcess_SystemCall_6_1_7601 jmp NtQueryInformationProcess_SystemCall_Unknown NtQueryInformationProcess_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryInformationProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationProcess_SystemCall_10_0_18363 jmp NtQueryInformationProcess_SystemCall_Unknown NtQueryInformationProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0016h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0016h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0016h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0016h jmp NtQueryInformationProcess_Epilogue 
NtQueryInformationProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0016h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0016h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0017h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0018h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0019h jmp NtQueryInformationProcess_Epilogue NtQueryInformationProcess_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationProcess_Epilogue: mov r10, rcx syscall ret NtQueryInformationProcess ENDP NtQueryInformationResourceManager PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtQueryInformationResourceManager_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryInformationResourceManager_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationResourceManager_Check_10_0_XXXX jmp NtQueryInformationResourceManager_SystemCall_Unknown NtQueryInformationResourceManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryInformationResourceManager_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationResourceManager_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationResourceManager_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationResourceManager_SystemCall_6_3_XXXX jmp NtQueryInformationResourceManager_SystemCall_Unknown NtQueryInformationResourceManager_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationResourceManager_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationResourceManager_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationResourceManager_SystemCall_6_0_6002 jmp NtQueryInformationResourceManager_SystemCall_Unknown NtQueryInformationResourceManager_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationResourceManager_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationResourceManager_SystemCall_6_1_7601 jmp NtQueryInformationResourceManager_SystemCall_Unknown NtQueryInformationResourceManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationResourceManager_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationResourceManager_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationResourceManager_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationResourceManager_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationResourceManager_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationResourceManager_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationResourceManager_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationResourceManager_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationResourceManager_SystemCall_10_0_18363 jmp NtQueryInformationResourceManager_SystemCall_Unknown NtQueryInformationResourceManager_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0117h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0112h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0112h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0118h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0118h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 012ah jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 012dh jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov 
eax, 0133h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0136h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0139h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 013fh jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0142h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0144h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0145h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0146h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0146h jmp NtQueryInformationResourceManager_Epilogue NtQueryInformationResourceManager_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationResourceManager_Epilogue: mov r10, rcx syscall ret NtQueryInformationResourceManager ENDP NtQueryInformationThread PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationThread_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationThread_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationThread_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationThread_Check_10_0_XXXX jmp NtQueryInformationThread_SystemCall_Unknown NtQueryInformationThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationThread_SystemCall_6_3_XXXX jmp NtQueryInformationThread_SystemCall_Unknown NtQueryInformationThread_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationThread_SystemCall_6_0_6002 jmp NtQueryInformationThread_SystemCall_Unknown NtQueryInformationThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationThread_SystemCall_6_1_7601 jmp NtQueryInformationThread_SystemCall_Unknown NtQueryInformationThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationThread_SystemCall_10_0_18363 jmp NtQueryInformationThread_SystemCall_Unknown NtQueryInformationThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0022h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0022h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0022h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0022h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0022h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0022h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0023h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0024h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_10586: 
; Windows 10.0.10586 (1511) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0025h jmp NtQueryInformationThread_Epilogue NtQueryInformationThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationThread_Epilogue: mov r10, rcx syscall ret NtQueryInformationThread ENDP NtQueryInformationToken PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationToken_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInformationToken_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInformationToken_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationToken_Check_10_0_XXXX jmp NtQueryInformationToken_SystemCall_Unknown NtQueryInformationToken_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationToken_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationToken_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationToken_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationToken_SystemCall_6_3_XXXX jmp NtQueryInformationToken_SystemCall_Unknown NtQueryInformationToken_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationToken_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationToken_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationToken_SystemCall_6_0_6002 jmp NtQueryInformationToken_SystemCall_Unknown NtQueryInformationToken_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationToken_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationToken_SystemCall_6_1_7601 jmp NtQueryInformationToken_SystemCall_Unknown NtQueryInformationToken_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationToken_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationToken_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationToken_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationToken_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationToken_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationToken_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationToken_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationToken_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationToken_SystemCall_10_0_18363 jmp NtQueryInformationToken_SystemCall_Unknown NtQueryInformationToken_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 001eh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 001eh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 001eh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 001eh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 001eh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 001eh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 001fh jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0020h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 
mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0021h jmp NtQueryInformationToken_Epilogue NtQueryInformationToken_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationToken_Epilogue: mov r10, rcx syscall ret NtQueryInformationToken ENDP NtQueryInformationTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryInformationTransaction_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationTransaction_Check_10_0_XXXX jmp NtQueryInformationTransaction_SystemCall_Unknown NtQueryInformationTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationTransaction_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationTransaction_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationTransaction_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationTransaction_SystemCall_6_3_XXXX jmp NtQueryInformationTransaction_SystemCall_Unknown NtQueryInformationTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationTransaction_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationTransaction_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationTransaction_SystemCall_6_0_6002 jmp NtQueryInformationTransaction_SystemCall_Unknown NtQueryInformationTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationTransaction_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationTransaction_SystemCall_6_1_7601 jmp NtQueryInformationTransaction_SystemCall_Unknown NtQueryInformationTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationTransaction_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationTransaction_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationTransaction_SystemCall_10_0_18363 jmp NtQueryInformationTransaction_SystemCall_Unknown NtQueryInformationTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0118h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0113h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0113h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0119h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0119h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 012bh jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 012eh jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0134h jmp NtQueryInformationTransaction_Epilogue 
NtQueryInformationTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0137h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 013ah jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0140h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0143h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0145h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0146h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0147h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0147h jmp NtQueryInformationTransaction_Epilogue NtQueryInformationTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationTransaction_Epilogue: mov r10, rcx syscall ret NtQueryInformationTransaction ENDP NtQueryInformationTransactionManager PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationTransactionManager_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryInformationTransactionManager_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationTransactionManager_Check_10_0_XXXX jmp NtQueryInformationTransactionManager_SystemCall_Unknown NtQueryInformationTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInformationTransactionManager_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationTransactionManager_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationTransactionManager_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationTransactionManager_SystemCall_6_3_XXXX jmp NtQueryInformationTransactionManager_SystemCall_Unknown NtQueryInformationTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationTransactionManager_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationTransactionManager_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationTransactionManager_SystemCall_6_0_6002 jmp NtQueryInformationTransactionManager_SystemCall_Unknown NtQueryInformationTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationTransactionManager_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationTransactionManager_SystemCall_6_1_7601 jmp NtQueryInformationTransactionManager_SystemCall_Unknown NtQueryInformationTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationTransactionManager_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationTransactionManager_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationTransactionManager_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationTransactionManager_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationTransactionManager_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationTransactionManager_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationTransactionManager_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationTransactionManager_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationTransactionManager_SystemCall_10_0_18363 jmp NtQueryInformationTransactionManager_SystemCall_Unknown NtQueryInformationTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0119h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0114h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0114h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 011ah jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 011ah jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 012ch jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 012fh jmp NtQueryInformationTransactionManager_Epilogue 
NtQueryInformationTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0135h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0138h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 013bh jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0141h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0144h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0146h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0147h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0148h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0148h jmp NtQueryInformationTransactionManager_Epilogue NtQueryInformationTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationTransactionManager_Epilogue: mov r10, rcx syscall ret NtQueryInformationTransactionManager ENDP NtQueryInformationWorkerFactory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInformationWorkerFactory_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtQueryInformationWorkerFactory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInformationWorkerFactory_Check_10_0_XXXX jmp NtQueryInformationWorkerFactory_SystemCall_Unknown NtQueryInformationWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryInformationWorkerFactory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInformationWorkerFactory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationWorkerFactory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInformationWorkerFactory_SystemCall_6_3_XXXX jmp NtQueryInformationWorkerFactory_SystemCall_Unknown NtQueryInformationWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInformationWorkerFactory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInformationWorkerFactory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInformationWorkerFactory_SystemCall_6_0_6002 jmp NtQueryInformationWorkerFactory_SystemCall_Unknown NtQueryInformationWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInformationWorkerFactory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInformationWorkerFactory_SystemCall_6_1_7601 jmp NtQueryInformationWorkerFactory_SystemCall_Unknown NtQueryInformationWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInformationWorkerFactory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInformationWorkerFactory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInformationWorkerFactory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInformationWorkerFactory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInformationWorkerFactory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInformationWorkerFactory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInformationWorkerFactory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInformationWorkerFactory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInformationWorkerFactory_SystemCall_10_0_18363 jmp NtQueryInformationWorkerFactory_SystemCall_Unknown NtQueryInformationWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 011ah jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0115h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0115h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 011bh jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 011bh jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 012dh jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0130h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0136h jmp 
NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0139h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 013ch jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0142h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0145h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0147h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0148h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0149h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0149h jmp NtQueryInformationWorkerFactory_Epilogue NtQueryInformationWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInformationWorkerFactory_Epilogue: mov r10, rcx syscall ret NtQueryInformationWorkerFactory ENDP NtQueryInstallUILanguage PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryInstallUILanguage_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryInstallUILanguage_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryInstallUILanguage_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryInstallUILanguage_Check_10_0_XXXX jmp NtQueryInstallUILanguage_SystemCall_Unknown NtQueryInstallUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryInstallUILanguage_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryInstallUILanguage_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInstallUILanguage_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryInstallUILanguage_SystemCall_6_3_XXXX jmp NtQueryInstallUILanguage_SystemCall_Unknown NtQueryInstallUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryInstallUILanguage_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryInstallUILanguage_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryInstallUILanguage_SystemCall_6_0_6002 jmp NtQueryInstallUILanguage_SystemCall_Unknown NtQueryInstallUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryInstallUILanguage_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryInstallUILanguage_SystemCall_6_1_7601 jmp NtQueryInstallUILanguage_SystemCall_Unknown NtQueryInstallUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryInstallUILanguage_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryInstallUILanguage_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryInstallUILanguage_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryInstallUILanguage_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryInstallUILanguage_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryInstallUILanguage_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryInstallUILanguage_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryInstallUILanguage_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryInstallUILanguage_SystemCall_10_0_18363 jmp NtQueryInstallUILanguage_SystemCall_Unknown NtQueryInstallUILanguage_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d2h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 011bh jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0116h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0116h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 011ch jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 011ch jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 012eh jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0131h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0137h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_10586: 
; Windows 10.0.10586 (1511) mov eax, 013ah jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 013dh jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0143h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0146h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0148h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0149h jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 014ah jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 014ah jmp NtQueryInstallUILanguage_Epilogue NtQueryInstallUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryInstallUILanguage_Epilogue: mov r10, rcx syscall ret NtQueryInstallUILanguage ENDP NtQueryIntervalProfile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryIntervalProfile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryIntervalProfile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryIntervalProfile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryIntervalProfile_Check_10_0_XXXX jmp NtQueryIntervalProfile_SystemCall_Unknown NtQueryIntervalProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryIntervalProfile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryIntervalProfile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryIntervalProfile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryIntervalProfile_SystemCall_6_3_XXXX jmp NtQueryIntervalProfile_SystemCall_Unknown NtQueryIntervalProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryIntervalProfile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryIntervalProfile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryIntervalProfile_SystemCall_6_0_6002 jmp NtQueryIntervalProfile_SystemCall_Unknown NtQueryIntervalProfile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryIntervalProfile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryIntervalProfile_SystemCall_6_1_7601 jmp NtQueryIntervalProfile_SystemCall_Unknown NtQueryIntervalProfile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryIntervalProfile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryIntervalProfile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryIntervalProfile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryIntervalProfile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryIntervalProfile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryIntervalProfile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryIntervalProfile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryIntervalProfile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryIntervalProfile_SystemCall_10_0_18363 jmp NtQueryIntervalProfile_SystemCall_Unknown NtQueryIntervalProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d3h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 011ch jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0117h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0117h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 011dh jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 011dh jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 012fh jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0132h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0138h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 013bh jmp 
NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 013eh jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0144h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0147h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0149h jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 014ah jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 014bh jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 014bh jmp NtQueryIntervalProfile_Epilogue NtQueryIntervalProfile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryIntervalProfile_Epilogue: mov r10, rcx syscall ret NtQueryIntervalProfile ENDP NtQueryIoCompletion PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryIoCompletion_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryIoCompletion_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryIoCompletion_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryIoCompletion_Check_10_0_XXXX jmp NtQueryIoCompletion_SystemCall_Unknown NtQueryIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryIoCompletion_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryIoCompletion_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryIoCompletion_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryIoCompletion_SystemCall_6_3_XXXX jmp NtQueryIoCompletion_SystemCall_Unknown NtQueryIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQueryIoCompletion_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryIoCompletion_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryIoCompletion_SystemCall_6_0_6002 jmp NtQueryIoCompletion_SystemCall_Unknown NtQueryIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryIoCompletion_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryIoCompletion_SystemCall_6_1_7601 jmp NtQueryIoCompletion_SystemCall_Unknown NtQueryIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryIoCompletion_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryIoCompletion_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryIoCompletion_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryIoCompletion_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryIoCompletion_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryIoCompletion_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryIoCompletion_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryIoCompletion_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryIoCompletion_SystemCall_10_0_18363 jmp NtQueryIoCompletion_SystemCall_Unknown NtQueryIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d4h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 011dh jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0118h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0118h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 011eh jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 mov eax, 011eh jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0130h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0133h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0139h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 013ch jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 013fh jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0145h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0148h jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 014ah jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 014bh jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 014ch jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 014ch jmp NtQueryIoCompletion_Epilogue NtQueryIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryIoCompletion_Epilogue: mov r10, rcx syscall ret NtQueryIoCompletion ENDP NtQueryKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryKey_Check_10_0_XXXX jmp NtQueryKey_SystemCall_Unknown NtQueryKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryKey_SystemCall_6_3_XXXX jmp NtQueryKey_SystemCall_Unknown NtQueryKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryKey_SystemCall_6_0_6002 jmp NtQueryKey_SystemCall_Unknown NtQueryKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryKey_SystemCall_6_1_7601 jmp NtQueryKey_SystemCall_Unknown NtQueryKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryKey_SystemCall_10_0_18363 jmp NtQueryKey_SystemCall_Unknown NtQueryKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0013h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0013h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0013h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0013h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0013h jmp 
NtQueryKey_Epilogue NtQueryKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0013h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0014h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0015h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0016h jmp NtQueryKey_Epilogue NtQueryKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryKey_Epilogue: mov r10, rcx syscall ret NtQueryKey ENDP NtQueryLicenseValue PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryLicenseValue_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryLicenseValue_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryLicenseValue_Check_10_0_XXXX jmp NtQueryLicenseValue_SystemCall_Unknown NtQueryLicenseValue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryLicenseValue_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryLicenseValue_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryLicenseValue_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryLicenseValue_SystemCall_6_3_XXXX jmp NtQueryLicenseValue_SystemCall_Unknown NtQueryLicenseValue_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryLicenseValue_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryLicenseValue_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryLicenseValue_SystemCall_6_0_6002 jmp NtQueryLicenseValue_SystemCall_Unknown NtQueryLicenseValue_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryLicenseValue_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryLicenseValue_SystemCall_6_1_7601 jmp NtQueryLicenseValue_SystemCall_Unknown NtQueryLicenseValue_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryLicenseValue_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryLicenseValue_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryLicenseValue_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryLicenseValue_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryLicenseValue_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryLicenseValue_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryLicenseValue_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryLicenseValue_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryLicenseValue_SystemCall_10_0_18363 jmp NtQueryLicenseValue_SystemCall_Unknown NtQueryLicenseValue_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 011eh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0119h jmp NtQueryLicenseValue_Epilogue 
NtQueryLicenseValue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0119h jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 011fh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 011fh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0131h jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0134h jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 013ah jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 013dh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0140h jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0146h jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0149h jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 014bh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 014ch jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 014dh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 014dh jmp NtQueryLicenseValue_Epilogue NtQueryLicenseValue_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryLicenseValue_Epilogue: mov r10, rcx syscall ret NtQueryLicenseValue ENDP NtQueryMultipleValueKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryMultipleValueKey_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtQueryMultipleValueKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryMultipleValueKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryMultipleValueKey_Check_10_0_XXXX jmp NtQueryMultipleValueKey_SystemCall_Unknown NtQueryMultipleValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryMultipleValueKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryMultipleValueKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryMultipleValueKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryMultipleValueKey_SystemCall_6_3_XXXX jmp NtQueryMultipleValueKey_SystemCall_Unknown NtQueryMultipleValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryMultipleValueKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryMultipleValueKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryMultipleValueKey_SystemCall_6_0_6002 jmp NtQueryMultipleValueKey_SystemCall_Unknown NtQueryMultipleValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryMultipleValueKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryMultipleValueKey_SystemCall_6_1_7601 jmp NtQueryMultipleValueKey_SystemCall_Unknown NtQueryMultipleValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryMultipleValueKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryMultipleValueKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryMultipleValueKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryMultipleValueKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryMultipleValueKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryMultipleValueKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryMultipleValueKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryMultipleValueKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryMultipleValueKey_SystemCall_10_0_18363 jmp NtQueryMultipleValueKey_SystemCall_Unknown NtQueryMultipleValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d5h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 011fh jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 011ah jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 011ah jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0120h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0120h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0132h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0135h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 013bh jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) 
mov eax, 013eh jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0141h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0147h jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 014ah jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 014ch jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 014dh jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 014eh jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 014eh jmp NtQueryMultipleValueKey_Epilogue NtQueryMultipleValueKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryMultipleValueKey_Epilogue: mov r10, rcx syscall ret NtQueryMultipleValueKey ENDP NtQueryMutant PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryMutant_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryMutant_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryMutant_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryMutant_Check_10_0_XXXX jmp NtQueryMutant_SystemCall_Unknown NtQueryMutant_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryMutant_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryMutant_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryMutant_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryMutant_SystemCall_6_3_XXXX jmp NtQueryMutant_SystemCall_Unknown NtQueryMutant_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQueryMutant_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryMutant_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryMutant_SystemCall_6_0_6002 jmp NtQueryMutant_SystemCall_Unknown NtQueryMutant_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryMutant_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryMutant_SystemCall_6_1_7601 jmp NtQueryMutant_SystemCall_Unknown NtQueryMutant_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryMutant_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryMutant_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryMutant_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryMutant_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryMutant_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryMutant_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryMutant_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryMutant_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryMutant_SystemCall_10_0_18363 jmp NtQueryMutant_SystemCall_Unknown NtQueryMutant_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00d6h jmp NtQueryMutant_Epilogue NtQueryMutant_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0120h jmp NtQueryMutant_Epilogue NtQueryMutant_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 011bh jmp NtQueryMutant_Epilogue NtQueryMutant_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 011bh jmp NtQueryMutant_Epilogue NtQueryMutant_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0121h jmp NtQueryMutant_Epilogue NtQueryMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0121h jmp NtQueryMutant_Epilogue NtQueryMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0133h jmp NtQueryMutant_Epilogue 
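NtQueryMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov eax, 0136h
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov eax, 013ch
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov eax, 013fh
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov eax, 0142h
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov eax, 0148h
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov eax, 014bh
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov eax, 014dh
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov eax, 014eh
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov eax, 014fh
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov eax, 014fh
        jmp NtQueryMutant_Epilogue
NtQueryMutant_SystemCall_Unknown: ; Unknown/unsupported version.
        ret
NtQueryMutant_Epilogue:
        mov r10, rcx
        syscall
        ret
NtQueryMutant ENDP

;=======================================================================
; Direct-syscall stubs (MASM, x64).
;
; Each stub reads the OS version out of the PEB (gs:[60h]; major version
; at +118h, minor at +11Ch, build number at +120h), picks the system
; service number that matches that exact build, copies rcx to r10 (the
; x64 syscall convention -- `syscall` itself clobbers rcx and r11) and
; executes `syscall`.  The caller's arguments in rcx/rdx/r8/r9 and on the
; stack pass through untouched, so each stub has the same interface as
; the same-named ntdll export.  The stubs are leaf functions: no stack
; is used and no callee-saved register is touched.
;
; Two defects in the generated dispatch are fixed below:
;   * The Windows 8.1 test was `cmp dword ptr [rax+11ch], 2`, a copy of
;     the Windows 8 test, so every *_SystemCall_6_3_XXXX entry was
;     unreachable and 6.3 fell through to *_SystemCall_Unknown.  It is
;     now `cmp ..., 3`.
;   * *_SystemCall_Unknown returned with rax still holding the PEB
;     pointer, which a caller would read as an NTSTATUS.  It now fails
;     closed with STATUS_NOT_IMPLEMENTED (0C0000002h).
;
; Only builds listed in the table are dispatched; any build newer than
; 10.0.18363 takes the Unknown path, so the table must be extended when
; a new build is targeted.
;
; Clobbers (every stub): rax, r10, rcx, r11, flags.
;=======================================================================

;-----------------------------------------------------------------------
; NtQueryObject -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQueryObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQueryObject_Check_X_X_XXXX:                   ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQueryObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQueryObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQueryObject_Check_10_0_XXXX
        jmp     NtQueryObject_SystemCall_Unknown
NtQueryObject_Check_6_X_XXXX:                   ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQueryObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQueryObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQueryObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQueryObject_SystemCall_6_3_XXXX
        jmp     NtQueryObject_SystemCall_Unknown
NtQueryObject_Check_6_0_XXXX:                   ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQueryObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQueryObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQueryObject_SystemCall_6_0_6002
        jmp     NtQueryObject_SystemCall_Unknown
NtQueryObject_Check_6_1_XXXX:                   ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQueryObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQueryObject_SystemCall_6_1_7601
        jmp     NtQueryObject_SystemCall_Unknown
NtQueryObject_Check_10_0_XXXX:                  ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQueryObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQueryObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQueryObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQueryObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQueryObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQueryObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQueryObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQueryObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQueryObject_SystemCall_10_0_18363
        jmp     NtQueryObject_SystemCall_Unknown
NtQueryObject_SystemCall_5_X_XXXX:              ; Windows XP and Server 2003
        mov     eax, 000dh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_0_6000:              ; Windows Vista SP0
        mov     eax, 000dh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_0_6001:              ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 000dh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_0_6002:              ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 000dh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_1_7600:              ; Windows 7 SP0
        mov     eax, 000dh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_1_7601:              ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 000dh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_2_XXXX:              ; Windows 8 and Server 2012
        mov     eax, 000eh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_6_3_XXXX:              ; Windows 8.1 and Server 2012 R2
        mov     eax, 000fh
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_10240:            ; Windows 10.0.10240 (1507)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_10586:            ; Windows 10.0.10586 (1511)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_14393:            ; Windows 10.0.14393 (1607)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_15063:            ; Windows 10.0.15063 (1703)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
        mov     eax, 0010h
        jmp     NtQueryObject_Epilogue
NtQueryObject_SystemCall_Unknown:               ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQueryObject_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQueryObject ENDP

;-----------------------------------------------------------------------
; NtQueryOpenSubKeys -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQueryOpenSubKeys PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQueryOpenSubKeys_Check_X_X_XXXX:              ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQueryOpenSubKeys_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQueryOpenSubKeys_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQueryOpenSubKeys_Check_10_0_XXXX
        jmp     NtQueryOpenSubKeys_SystemCall_Unknown
NtQueryOpenSubKeys_Check_6_X_XXXX:              ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQueryOpenSubKeys_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQueryOpenSubKeys_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQueryOpenSubKeys_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQueryOpenSubKeys_SystemCall_6_3_XXXX
        jmp     NtQueryOpenSubKeys_SystemCall_Unknown
NtQueryOpenSubKeys_Check_6_0_XXXX:              ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQueryOpenSubKeys_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQueryOpenSubKeys_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQueryOpenSubKeys_SystemCall_6_0_6002
        jmp     NtQueryOpenSubKeys_SystemCall_Unknown
NtQueryOpenSubKeys_Check_6_1_XXXX:              ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQueryOpenSubKeys_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQueryOpenSubKeys_SystemCall_6_1_7601
        jmp     NtQueryOpenSubKeys_SystemCall_Unknown
NtQueryOpenSubKeys_Check_10_0_XXXX:             ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQueryOpenSubKeys_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQueryOpenSubKeys_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQueryOpenSubKeys_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQueryOpenSubKeys_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQueryOpenSubKeys_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQueryOpenSubKeys_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQueryOpenSubKeys_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQueryOpenSubKeys_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQueryOpenSubKeys_SystemCall_10_0_18363
        jmp     NtQueryOpenSubKeys_SystemCall_Unknown
NtQueryOpenSubKeys_SystemCall_5_X_XXXX:         ; Windows XP and Server 2003
        mov     eax, 00d7h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 0121h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 011ch
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 011ch
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_1_7600:         ; Windows 7 SP0
        mov     eax, 0122h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0122h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 0134h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 0137h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 013dh
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 0140h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 0143h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 0149h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 014ch
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 014eh
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 014fh
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 0150h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 0150h
        jmp     NtQueryOpenSubKeys_Epilogue
NtQueryOpenSubKeys_SystemCall_Unknown:          ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQueryOpenSubKeys_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQueryOpenSubKeys ENDP

;-----------------------------------------------------------------------
; NtQueryOpenSubKeysEx -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQueryOpenSubKeysEx PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQueryOpenSubKeysEx_Check_X_X_XXXX:            ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQueryOpenSubKeysEx_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQueryOpenSubKeysEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQueryOpenSubKeysEx_Check_10_0_XXXX
        jmp     NtQueryOpenSubKeysEx_SystemCall_Unknown
NtQueryOpenSubKeysEx_Check_6_X_XXXX:            ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQueryOpenSubKeysEx_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQueryOpenSubKeysEx_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQueryOpenSubKeysEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQueryOpenSubKeysEx_SystemCall_6_3_XXXX
        jmp     NtQueryOpenSubKeysEx_SystemCall_Unknown
NtQueryOpenSubKeysEx_Check_6_0_XXXX:            ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQueryOpenSubKeysEx_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQueryOpenSubKeysEx_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQueryOpenSubKeysEx_SystemCall_6_0_6002
        jmp     NtQueryOpenSubKeysEx_SystemCall_Unknown
NtQueryOpenSubKeysEx_Check_6_1_XXXX:            ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQueryOpenSubKeysEx_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQueryOpenSubKeysEx_SystemCall_6_1_7601
        jmp     NtQueryOpenSubKeysEx_SystemCall_Unknown
NtQueryOpenSubKeysEx_Check_10_0_XXXX:           ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQueryOpenSubKeysEx_SystemCall_10_0_18363
        jmp     NtQueryOpenSubKeysEx_SystemCall_Unknown
NtQueryOpenSubKeysEx_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
        mov     eax, 00d8h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 0122h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 011dh
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 011dh
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 0123h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0123h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 0135h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 0138h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 013eh
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 0141h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 0144h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 014ah
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 014dh
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 014fh
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 0150h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 0151h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 0151h
        jmp     NtQueryOpenSubKeysEx_Epilogue
NtQueryOpenSubKeysEx_SystemCall_Unknown:        ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQueryOpenSubKeysEx_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQueryOpenSubKeysEx ENDP

;-----------------------------------------------------------------------
; NtQueryPerformanceCounter -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQueryPerformanceCounter PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQueryPerformanceCounter_Check_X_X_XXXX:       ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQueryPerformanceCounter_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQueryPerformanceCounter_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQueryPerformanceCounter_Check_10_0_XXXX
        jmp     NtQueryPerformanceCounter_SystemCall_Unknown
NtQueryPerformanceCounter_Check_6_X_XXXX:       ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQueryPerformanceCounter_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQueryPerformanceCounter_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQueryPerformanceCounter_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQueryPerformanceCounter_SystemCall_6_3_XXXX
        jmp     NtQueryPerformanceCounter_SystemCall_Unknown
NtQueryPerformanceCounter_Check_6_0_XXXX:       ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQueryPerformanceCounter_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQueryPerformanceCounter_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQueryPerformanceCounter_SystemCall_6_0_6002
        jmp     NtQueryPerformanceCounter_SystemCall_Unknown
NtQueryPerformanceCounter_Check_6_1_XXXX:       ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQueryPerformanceCounter_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQueryPerformanceCounter_SystemCall_6_1_7601
        jmp     NtQueryPerformanceCounter_SystemCall_Unknown
NtQueryPerformanceCounter_Check_10_0_XXXX:      ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQueryPerformanceCounter_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQueryPerformanceCounter_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQueryPerformanceCounter_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQueryPerformanceCounter_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQueryPerformanceCounter_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQueryPerformanceCounter_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQueryPerformanceCounter_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQueryPerformanceCounter_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQueryPerformanceCounter_SystemCall_10_0_18363
        jmp     NtQueryPerformanceCounter_SystemCall_Unknown
NtQueryPerformanceCounter_SystemCall_5_X_XXXX:  ; Windows XP and Server 2003
        mov     eax, 002eh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 002eh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 002eh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 002eh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_1_7600:  ; Windows 7 SP0
        mov     eax, 002eh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_1_7601:  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 002eh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 002fh
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 0030h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0031h
        jmp     NtQueryPerformanceCounter_Epilogue
NtQueryPerformanceCounter_SystemCall_Unknown:   ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQueryPerformanceCounter_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQueryPerformanceCounter ENDP

;-----------------------------------------------------------------------
; NtQueryPortInformationProcess -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQueryPortInformationProcess PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQueryPortInformationProcess_Check_X_X_XXXX:   ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQueryPortInformationProcess_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQueryPortInformationProcess_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQueryPortInformationProcess_Check_10_0_XXXX
        jmp     NtQueryPortInformationProcess_SystemCall_Unknown
NtQueryPortInformationProcess_Check_6_X_XXXX:   ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQueryPortInformationProcess_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQueryPortInformationProcess_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQueryPortInformationProcess_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQueryPortInformationProcess_SystemCall_6_3_XXXX
        jmp     NtQueryPortInformationProcess_SystemCall_Unknown
NtQueryPortInformationProcess_Check_6_0_XXXX:   ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQueryPortInformationProcess_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQueryPortInformationProcess_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQueryPortInformationProcess_SystemCall_6_0_6002
        jmp     NtQueryPortInformationProcess_SystemCall_Unknown
NtQueryPortInformationProcess_Check_6_1_XXXX:   ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQueryPortInformationProcess_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQueryPortInformationProcess_SystemCall_6_1_7601
        jmp     NtQueryPortInformationProcess_SystemCall_Unknown
NtQueryPortInformationProcess_Check_10_0_XXXX:  ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQueryPortInformationProcess_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQueryPortInformationProcess_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQueryPortInformationProcess_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQueryPortInformationProcess_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQueryPortInformationProcess_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQueryPortInformationProcess_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQueryPortInformationProcess_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQueryPortInformationProcess_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQueryPortInformationProcess_SystemCall_10_0_18363
        jmp     NtQueryPortInformationProcess_SystemCall_Unknown
NtQueryPortInformationProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00d9h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0123h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 011eh
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 011eh
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0124h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0124h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0136h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 0139h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 013fh
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0142h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0145h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 014bh
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 014eh
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0150h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0151h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0152h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0152h
        jmp     NtQueryPortInformationProcess_Epilogue
NtQueryPortInformationProcess_SystemCall_Unknown: ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQueryPortInformationProcess_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQueryPortInformationProcess ENDP

;-----------------------------------------------------------------------
; NtQueryQuotaInformationFile -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQueryQuotaInformationFile PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQueryQuotaInformationFile_Check_X_X_XXXX:     ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQueryQuotaInformationFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQueryQuotaInformationFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQueryQuotaInformationFile_Check_10_0_XXXX
        jmp     NtQueryQuotaInformationFile_SystemCall_Unknown
NtQueryQuotaInformationFile_Check_6_X_XXXX:     ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQueryQuotaInformationFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQueryQuotaInformationFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQueryQuotaInformationFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQueryQuotaInformationFile_SystemCall_6_3_XXXX
        jmp     NtQueryQuotaInformationFile_SystemCall_Unknown
NtQueryQuotaInformationFile_Check_6_0_XXXX:     ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQueryQuotaInformationFile_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQueryQuotaInformationFile_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQueryQuotaInformationFile_SystemCall_6_0_6002
        jmp     NtQueryQuotaInformationFile_SystemCall_Unknown
NtQueryQuotaInformationFile_Check_6_1_XXXX:     ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQueryQuotaInformationFile_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQueryQuotaInformationFile_SystemCall_6_1_7601
        jmp     NtQueryQuotaInformationFile_SystemCall_Unknown
NtQueryQuotaInformationFile_Check_10_0_XXXX:    ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQueryQuotaInformationFile_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQueryQuotaInformationFile_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQueryQuotaInformationFile_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQueryQuotaInformationFile_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQueryQuotaInformationFile_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQueryQuotaInformationFile_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQueryQuotaInformationFile_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQueryQuotaInformationFile_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQueryQuotaInformationFile_SystemCall_10_0_18363
        jmp     NtQueryQuotaInformationFile_SystemCall_Unknown
NtQueryQuotaInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00dah
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0124h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 011fh
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 011fh
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0125h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0125h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0137h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 013ah
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0140h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0143h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0146h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 014ch
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 014fh
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0151h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0152h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0153h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0153h
        jmp     NtQueryQuotaInformationFile_Epilogue
NtQueryQuotaInformationFile_SystemCall_Unknown: ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQueryQuotaInformationFile_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQueryQuotaInformationFile ENDP

;-----------------------------------------------------------------------
; NtQuerySection -- direct syscall stub (see block comment above).
;-----------------------------------------------------------------------
NtQuerySection PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQuerySection_Check_X_X_XXXX:                  ; dispatch on major version
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySection_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySection_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySection_Check_10_0_XXXX
        jmp     NtQuerySection_SystemCall_Unknown
NtQuerySection_Check_6_X_XXXX:                  ; minor version: Vista/7/8/8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySection_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySection_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySection_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQuerySection_SystemCall_6_3_XXXX
        jmp     NtQuerySection_SystemCall_Unknown
NtQuerySection_Check_6_0_XXXX:                  ; build number: Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySection_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySection_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySection_SystemCall_6_0_6002
        jmp     NtQuerySection_SystemCall_Unknown
NtQuerySection_Check_6_1_XXXX:                  ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySection_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySection_SystemCall_6_1_7601
        jmp     NtQuerySection_SystemCall_Unknown
NtQuerySection_Check_10_0_XXXX:                 ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySection_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySection_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySection_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySection_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySection_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySection_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySection_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySection_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySection_SystemCall_10_0_18363
        jmp     NtQuerySection_SystemCall_Unknown
NtQuerySection_SystemCall_5_X_XXXX:             ; Windows XP and Server 2003
        mov     eax, 004eh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_0_6000:             ; Windows Vista SP0
        mov     eax, 004eh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_0_6001:             ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 004eh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_0_6002:             ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 004eh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_1_7600:             ; Windows 7 SP0
        mov     eax, 004eh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_1_7601:             ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 004eh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_2_XXXX:             ; Windows 8 and Server 2012
        mov     eax, 004fh
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_6_3_XXXX:             ; Windows 8.1 and Server 2012 R2
        mov     eax, 0050h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_10240:           ; Windows 10.0.10240 (1507)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_10586:           ; Windows 10.0.10586 (1511)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_14393:           ; Windows 10.0.14393 (1607)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_15063:           ; Windows 10.0.15063 (1703)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_17763:           ; Windows 10.0.17763 (1809)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_18362:           ; Windows 10.0.18362 (1903)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_10_0_18363:           ; Windows 10.0.18363 (1909)
        mov     eax, 0051h
        jmp     NtQuerySection_Epilogue
NtQuerySection_SystemCall_Unknown:              ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQuerySection_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQuerySection ENDP

;-----------------------------------------------------------------------
; NtQuerySecurityAttributesToken -- direct syscall stub (see block
; comment above).  This service has no XP/2003 or Vista entries, so the
; major-version dispatch starts at 6 and the minor-version dispatch at 1.
;-----------------------------------------------------------------------
NtQuerySecurityAttributesToken PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtQuerySecurityAttributesToken_Check_X_X_XXXX:  ; dispatch on major version
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySecurityAttributesToken_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySecurityAttributesToken_Check_10_0_XXXX
        jmp     NtQuerySecurityAttributesToken_SystemCall_Unknown
NtQuerySecurityAttributesToken_Check_6_X_XXXX:  ; minor version: 7/8/8.1
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySecurityAttributesToken_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySecurityAttributesToken_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 entry was unreachable
        je      NtQuerySecurityAttributesToken_SystemCall_6_3_XXXX
        jmp     NtQuerySecurityAttributesToken_SystemCall_Unknown
NtQuerySecurityAttributesToken_Check_6_1_XXXX:  ; build number: Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySecurityAttributesToken_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySecurityAttributesToken_SystemCall_6_1_7601
        jmp     NtQuerySecurityAttributesToken_SystemCall_Unknown
NtQuerySecurityAttributesToken_Check_10_0_XXXX: ; build number: Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySecurityAttributesToken_SystemCall_10_0_18363
        jmp     NtQuerySecurityAttributesToken_SystemCall_Unknown
NtQuerySecurityAttributesToken_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0126h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0126h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0138h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 013bh
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0141h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0144h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0147h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 014dh
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0150h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0152h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0153h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0154h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0154h
        jmp     NtQuerySecurityAttributesToken_Epilogue
NtQuerySecurityAttributesToken_SystemCall_Unknown: ; build not in table: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtQuerySecurityAttributesToken_Epilogue:
        mov     r10, rcx                        ; syscall clobbers rcx; arg 1 travels in r10
        syscall
        ret
NtQuerySecurityAttributesToken ENDP

NtQuerySecurityObject PROC
        mov rax, gs:[60h] ; Load PEB into RAX.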
; (continuation of NtQuerySecurityObject; rax = PEB pointer, loaded on the PROC's first line above this span)
NtQuerySecurityObject_Check_X_X_XXXX:   ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySecurityObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySecurityObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySecurityObject_Check_10_0_XXXX
        jmp     NtQuerySecurityObject_SystemCall_Unknown
NtQuerySecurityObject_Check_6_X_XXXX:   ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySecurityObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySecurityObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySecurityObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySecurityObject_SystemCall_6_3_XXXX
        jmp     NtQuerySecurityObject_SystemCall_Unknown
NtQuerySecurityObject_Check_6_0_XXXX:   ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySecurityObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySecurityObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySecurityObject_SystemCall_6_0_6002
        jmp     NtQuerySecurityObject_SystemCall_Unknown
NtQuerySecurityObject_Check_6_1_XXXX:   ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySecurityObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySecurityObject_SystemCall_6_1_7601
        jmp     NtQuerySecurityObject_SystemCall_Unknown
NtQuerySecurityObject_Check_10_0_XXXX:  ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySecurityObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySecurityObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySecurityObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySecurityObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySecurityObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySecurityObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySecurityObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySecurityObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySecurityObject_SystemCall_10_0_18363
        jmp     NtQuerySecurityObject_SystemCall_Unknown ; exact-match table: any later build is "unknown"
NtQuerySecurityObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00dbh
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0125h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0120h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0120h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0127h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0127h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0139h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 013ch
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0142h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0145h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0148h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 014eh
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0151h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0153h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0154h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0155h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0155h
        jmp     NtQuerySecurityObject_Epilogue
NtQuerySecurityObject_SystemCall_Unknown: ; Unknown/unsupported version.
        ret                             ; no syscall issued; rax still holds the PEB pointer, not an NTSTATUS
NtQuerySecurityObject_Epilogue:
        mov     r10, rcx                ; syscall overwrites rcx, so the first argument travels in r10
        syscall
        ret
NtQuerySecurityObject ENDP

;-----------------------------------------------------------------------
; NtQuerySecurityPolicy - direct system call stub (Microsoft x64 ABI).
; Only Windows 10 builds are tabled here: the major-version check accepts
; 10 alone and everything else goes to _SystemCall_Unknown. Reads the
; version out of the PEB (gs:[60h]: major +118h, build +120h), then issues
; `syscall` itself instead of calling the ntdll export. The body continues
; below this span.
;-----------------------------------------------------------------------
NtQuerySecurityPolicy PROC
        mov     rax, gs:[60h]           ; Load PEB into RAX.
NtQuerySecurityPolicy_Check_X_X_XXXX:   ; Check major version.
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySecurityPolicy_Check_10_0_XXXX
        jmp     NtQuerySecurityPolicy_SystemCall_Unknown
NtQuerySecurityPolicy_Check_10_0_XXXX:  ; Check build number for Windows 10.
cmp dword ptr [rax+120h], 14393 je NtQuerySecurityPolicy_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQuerySecurityPolicy_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQuerySecurityPolicy_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQuerySecurityPolicy_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQuerySecurityPolicy_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQuerySecurityPolicy_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQuerySecurityPolicy_SystemCall_10_0_18363 jmp NtQuerySecurityPolicy_SystemCall_Unknown NtQuerySecurityPolicy_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0149h jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 014fh jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0152h jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0154h jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0155h jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0156h jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0156h jmp NtQuerySecurityPolicy_Epilogue NtQuerySecurityPolicy_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQuerySecurityPolicy_Epilogue: mov r10, rcx syscall ret NtQuerySecurityPolicy ENDP NtQuerySemaphore PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQuerySemaphore_Check_X_X_XXXX: ; Check major version. 
        ; (continuation of NtQuerySemaphore_Check_X_X_XXXX; rax = PEB pointer, major version at +118h)
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySemaphore_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySemaphore_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySemaphore_Check_10_0_XXXX
        jmp     NtQuerySemaphore_SystemCall_Unknown
NtQuerySemaphore_Check_6_X_XXXX:        ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySemaphore_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySemaphore_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySemaphore_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySemaphore_SystemCall_6_3_XXXX
        jmp     NtQuerySemaphore_SystemCall_Unknown
NtQuerySemaphore_Check_6_0_XXXX:        ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySemaphore_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySemaphore_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySemaphore_SystemCall_6_0_6002
        jmp     NtQuerySemaphore_SystemCall_Unknown
NtQuerySemaphore_Check_6_1_XXXX:        ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySemaphore_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySemaphore_SystemCall_6_1_7601
        jmp     NtQuerySemaphore_SystemCall_Unknown
NtQuerySemaphore_Check_10_0_XXXX:       ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySemaphore_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySemaphore_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySemaphore_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySemaphore_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySemaphore_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySemaphore_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySemaphore_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySemaphore_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySemaphore_SystemCall_10_0_18363
        jmp     NtQuerySemaphore_SystemCall_Unknown ; exact-match table: any later build is "unknown"
NtQuerySemaphore_SystemCall_5_X_XXXX:   ; Windows XP and Server 2003
        mov     eax, 00dch
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_0_6000:   ; Windows Vista SP0
        mov     eax, 0126h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0121h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0121h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_1_7600:   ; Windows 7 SP0
        mov     eax, 0128h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0128h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
        mov     eax, 013ah
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
        mov     eax, 013dh
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0143h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0146h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 014ah
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0150h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0153h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0155h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0156h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0157h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0157h
        jmp     NtQuerySemaphore_Epilogue
NtQuerySemaphore_SystemCall_Unknown:    ; Unknown/unsupported version.
        ret                             ; no syscall issued; rax still holds the PEB pointer, not an NTSTATUS
NtQuerySemaphore_Epilogue:
        mov     r10, rcx                ; syscall overwrites rcx, so the first argument travels in r10
        syscall
        ret
NtQuerySemaphore ENDP

;-----------------------------------------------------------------------
; NtQuerySymbolicLinkObject - direct system call stub (Microsoft x64 ABI).
; Reads the OS version out of the PEB (gs:[60h]: major +118h, minor +11Ch,
; build +120h) to pick the service number, then issues `syscall` itself
; instead of calling the ntdll export. Arguments pass through unchanged
; (rcx copied to r10). Out: rax = NTSTATUS, except on the Unknown path,
; where no call is made and rax still holds the PEB pointer. The body
; continues below this span.
;-----------------------------------------------------------------------
NtQuerySymbolicLinkObject PROC
        mov     rax, gs:[60h]           ; Load PEB into RAX.
NtQuerySymbolicLinkObject_Check_X_X_XXXX: ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySymbolicLinkObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySymbolicLinkObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySymbolicLinkObject_Check_10_0_XXXX
        jmp     NtQuerySymbolicLinkObject_SystemCall_Unknown
NtQuerySymbolicLinkObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySymbolicLinkObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySymbolicLinkObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySymbolicLinkObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySymbolicLinkObject_SystemCall_6_3_XXXX
        jmp     NtQuerySymbolicLinkObject_SystemCall_Unknown
NtQuerySymbolicLinkObject_Check_6_0_XXXX: ; Check build number for Windows Vista.
        ; (continuation of NtQuerySymbolicLinkObject_Check_6_0_XXXX; rax = PEB pointer, build number at +120h)
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySymbolicLinkObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySymbolicLinkObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySymbolicLinkObject_SystemCall_6_0_6002
        jmp     NtQuerySymbolicLinkObject_SystemCall_Unknown
NtQuerySymbolicLinkObject_Check_6_1_XXXX: ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySymbolicLinkObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySymbolicLinkObject_SystemCall_6_1_7601
        jmp     NtQuerySymbolicLinkObject_SystemCall_Unknown
NtQuerySymbolicLinkObject_Check_10_0_XXXX: ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySymbolicLinkObject_SystemCall_10_0_18363
        jmp     NtQuerySymbolicLinkObject_SystemCall_Unknown ; exact-match table: any later build is "unknown"
NtQuerySymbolicLinkObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00ddh
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0127h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0122h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0122h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0129h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0129h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 013bh
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 013eh
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0144h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0147h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 014bh
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0151h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0154h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0156h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0157h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0158h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0158h
        jmp     NtQuerySymbolicLinkObject_Epilogue
NtQuerySymbolicLinkObject_SystemCall_Unknown: ; Unknown/unsupported version.
        ret                             ; no syscall issued; rax still holds the PEB pointer, not an NTSTATUS
NtQuerySymbolicLinkObject_Epilogue:
        mov     r10, rcx                ; syscall overwrites rcx, so the first argument travels in r10
        syscall
        ret
NtQuerySymbolicLinkObject ENDP

;-----------------------------------------------------------------------
; NtQuerySystemEnvironmentValue - direct system call stub (Microsoft x64 ABI).
; Reads the OS version out of the PEB (gs:[60h]: major +118h, minor +11Ch,
; build +120h) to pick the service number, then issues `syscall` itself
; instead of calling the ntdll export. Arguments pass through unchanged
; (rcx copied to r10). Out: rax = NTSTATUS, except on the Unknown path,
; where no call is made and rax still holds the PEB pointer. The body
; continues below this span.
;-----------------------------------------------------------------------
NtQuerySystemEnvironmentValue PROC
        mov     rax, gs:[60h]           ; Load PEB into RAX.
; (continuation of NtQuerySystemEnvironmentValue; rax = PEB pointer, loaded on the PROC's first line above this span)
NtQuerySystemEnvironmentValue_Check_X_X_XXXX: ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySystemEnvironmentValue_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySystemEnvironmentValue_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySystemEnvironmentValue_Check_10_0_XXXX
        jmp     NtQuerySystemEnvironmentValue_SystemCall_Unknown
NtQuerySystemEnvironmentValue_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySystemEnvironmentValue_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySystemEnvironmentValue_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySystemEnvironmentValue_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySystemEnvironmentValue_SystemCall_6_3_XXXX
        jmp     NtQuerySystemEnvironmentValue_SystemCall_Unknown
NtQuerySystemEnvironmentValue_Check_6_0_XXXX: ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySystemEnvironmentValue_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySystemEnvironmentValue_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySystemEnvironmentValue_SystemCall_6_0_6002
        jmp     NtQuerySystemEnvironmentValue_SystemCall_Unknown
NtQuerySystemEnvironmentValue_Check_6_1_XXXX: ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySystemEnvironmentValue_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySystemEnvironmentValue_SystemCall_6_1_7601
        jmp     NtQuerySystemEnvironmentValue_SystemCall_Unknown
NtQuerySystemEnvironmentValue_Check_10_0_XXXX: ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySystemEnvironmentValue_SystemCall_10_0_18363
        jmp     NtQuerySystemEnvironmentValue_SystemCall_Unknown ; exact-match table: any later build is "unknown"
NtQuerySystemEnvironmentValue_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00deh
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0128h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0123h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0123h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 012ah
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 012ah
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 013ch
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 013fh
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0145h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0148h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 014ch
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0152h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0155h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0157h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0158h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0159h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0159h
        jmp     NtQuerySystemEnvironmentValue_Epilogue
NtQuerySystemEnvironmentValue_SystemCall_Unknown: ; Unknown/unsupported version.
        ret                             ; no syscall issued; rax still holds the PEB pointer, not an NTSTATUS
NtQuerySystemEnvironmentValue_Epilogue:
        mov     r10, rcx                ; syscall overwrites rcx, so the first argument travels in r10
        syscall
        ret
NtQuerySystemEnvironmentValue ENDP

;-----------------------------------------------------------------------
; NtQuerySystemEnvironmentValueEx - direct system call stub (Microsoft x64 ABI).
; Reads the OS version out of the PEB (gs:[60h]: major +118h, minor +11Ch,
; build +120h) to pick the service number, then issues `syscall` itself
; instead of calling the ntdll export. Arguments pass through unchanged
; (rcx copied to r10). Out: rax = NTSTATUS, except on the Unknown path,
; where no call is made and rax still holds the PEB pointer. The body
; continues below this span.
;-----------------------------------------------------------------------
NtQuerySystemEnvironmentValueEx PROC
        mov     rax, gs:[60h]           ; Load PEB into RAX.
NtQuerySystemEnvironmentValueEx_Check_X_X_XXXX: ; Check major version.
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySystemEnvironmentValueEx_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySystemEnvironmentValueEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySystemEnvironmentValueEx_Check_10_0_XXXX
        jmp     NtQuerySystemEnvironmentValueEx_SystemCall_Unknown
NtQuerySystemEnvironmentValueEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
        ; (continuation of NtQuerySystemEnvironmentValueEx_Check_6_X_XXXX; rax = PEB pointer, minor version at +11Ch)
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySystemEnvironmentValueEx_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySystemEnvironmentValueEx_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_3_XXXX
        jmp     NtQuerySystemEnvironmentValueEx_SystemCall_Unknown
NtQuerySystemEnvironmentValueEx_Check_6_0_XXXX: ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6002
        jmp     NtQuerySystemEnvironmentValueEx_SystemCall_Unknown
NtQuerySystemEnvironmentValueEx_Check_6_1_XXXX: ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7601
        jmp     NtQuerySystemEnvironmentValueEx_SystemCall_Unknown
NtQuerySystemEnvironmentValueEx_Check_10_0_XXXX: ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18363
        jmp     NtQuerySystemEnvironmentValueEx_SystemCall_Unknown ; exact-match table: any later build is "unknown"
NtQuerySystemEnvironmentValueEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00dfh
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0129h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0124h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0124h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 012bh
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 012bh
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 013dh
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 0140h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0146h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0149h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 014dh
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0153h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0156h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0158h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0159h
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 015ah
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 015ah
        jmp     NtQuerySystemEnvironmentValueEx_Epilogue
NtQuerySystemEnvironmentValueEx_SystemCall_Unknown: ; Unknown/unsupported version.
        ret                             ; no syscall issued; rax still holds the PEB pointer, not an NTSTATUS
NtQuerySystemEnvironmentValueEx_Epilogue:
        mov     r10, rcx                ; syscall overwrites rcx, so the first argument travels in r10
        syscall
        ret
NtQuerySystemEnvironmentValueEx ENDP

;-----------------------------------------------------------------------
; NtQuerySystemInformation - direct system call stub (Microsoft x64 ABI).
; Reads the OS version out of the PEB (gs:[60h]: major +118h, minor +11Ch,
; build +120h) to pick the service number, then issues `syscall` itself
; instead of calling the ntdll export. Arguments pass through unchanged
; (rcx copied to r10). Out: rax = NTSTATUS, except on the Unknown path,
; where no call is made and rax still holds the PEB pointer. The body
; continues below this span.
;-----------------------------------------------------------------------
NtQuerySystemInformation PROC
        mov     rax, gs:[60h]           ; Load PEB into RAX.
NtQuerySystemInformation_Check_X_X_XXXX: ; Check major version.
        ; (continuation of NtQuerySystemInformation_Check_X_X_XXXX; rax = PEB pointer, major version at +118h)
        cmp     dword ptr [rax+118h], 5
        je      NtQuerySystemInformation_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySystemInformation_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySystemInformation_Check_10_0_XXXX
        jmp     NtQuerySystemInformation_SystemCall_Unknown
NtQuerySystemInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 0
        je      NtQuerySystemInformation_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySystemInformation_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySystemInformation_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySystemInformation_SystemCall_6_3_XXXX
        jmp     NtQuerySystemInformation_SystemCall_Unknown
NtQuerySystemInformation_Check_6_0_XXXX: ; Check build number for Windows Vista.
        cmp     dword ptr [rax+120h], 6000
        je      NtQuerySystemInformation_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtQuerySystemInformation_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtQuerySystemInformation_SystemCall_6_0_6002
        jmp     NtQuerySystemInformation_SystemCall_Unknown
NtQuerySystemInformation_Check_6_1_XXXX: ; Check build number for Windows 7.
        cmp     dword ptr [rax+120h], 7600
        je      NtQuerySystemInformation_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtQuerySystemInformation_SystemCall_6_1_7601
        jmp     NtQuerySystemInformation_SystemCall_Unknown
NtQuerySystemInformation_Check_10_0_XXXX: ; Check build number for Windows 10.
        cmp     dword ptr [rax+120h], 10240
        je      NtQuerySystemInformation_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtQuerySystemInformation_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtQuerySystemInformation_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtQuerySystemInformation_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtQuerySystemInformation_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtQuerySystemInformation_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtQuerySystemInformation_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtQuerySystemInformation_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtQuerySystemInformation_SystemCall_10_0_18363
        jmp     NtQuerySystemInformation_SystemCall_Unknown ; exact-match table: any later build is "unknown"
NtQuerySystemInformation_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 0033h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0033h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0033h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0033h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0033h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0033h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0034h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 0035h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0036h
        jmp     NtQuerySystemInformation_Epilogue
NtQuerySystemInformation_SystemCall_Unknown: ; Unknown/unsupported version.
        ret                             ; no syscall issued; rax still holds the PEB pointer, not an NTSTATUS
NtQuerySystemInformation_Epilogue:
        mov     r10, rcx                ; syscall overwrites rcx, so the first argument travels in r10
        syscall
        ret
NtQuerySystemInformation ENDP

;-----------------------------------------------------------------------
; NtQuerySystemInformationEx - direct system call stub (Microsoft x64 ABI).
; No XP/Vista rows: the major-version check accepts only 6 and 10, and
; minor 0 is not tabled. Reads the OS version out of the PEB (gs:[60h]:
; major +118h, minor +11Ch, build +120h) to pick the service number, then
; issues `syscall` itself instead of calling the ntdll export. Out: rax =
; NTSTATUS, except on the Unknown path, where no call is made and rax
; still holds the PEB pointer. The body continues below this span.
;-----------------------------------------------------------------------
NtQuerySystemInformationEx PROC
        mov     rax, gs:[60h]           ; Load PEB into RAX.
NtQuerySystemInformationEx_Check_X_X_XXXX: ; Check major version.
        cmp     dword ptr [rax+118h], 6
        je      NtQuerySystemInformationEx_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtQuerySystemInformationEx_Check_10_0_XXXX
        jmp     NtQuerySystemInformationEx_SystemCall_Unknown
NtQuerySystemInformationEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8.
        cmp     dword ptr [rax+11ch], 1
        je      NtQuerySystemInformationEx_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtQuerySystemInformationEx_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 2 ; NOTE(review): compares against 2 a second time, so the je below never fires; a 6.3 (Windows 8.1) PEB falls through to _SystemCall_Unknown
        je      NtQuerySystemInformationEx_SystemCall_6_3_XXXX
        jmp     NtQuerySystemInformationEx_SystemCall_Unknown
NtQuerySystemInformationEx_Check_6_1_XXXX: ; Check build number for Windows 7.
cmp dword ptr [rax+120h], 7600 je NtQuerySystemInformationEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQuerySystemInformationEx_SystemCall_6_1_7601 jmp NtQuerySystemInformationEx_SystemCall_Unknown NtQuerySystemInformationEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQuerySystemInformationEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQuerySystemInformationEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQuerySystemInformationEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQuerySystemInformationEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQuerySystemInformationEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQuerySystemInformationEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQuerySystemInformationEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQuerySystemInformationEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQuerySystemInformationEx_SystemCall_10_0_18363 jmp NtQuerySystemInformationEx_SystemCall_Unknown NtQuerySystemInformationEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 012ch jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 012ch jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 013eh jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0141h jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0147h jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 014ah jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 014eh jmp 
NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0154h jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0157h jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0159h jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 015ah jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 015bh jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 015bh jmp NtQuerySystemInformationEx_Epilogue NtQuerySystemInformationEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQuerySystemInformationEx_Epilogue: mov r10, rcx syscall ret NtQuerySystemInformationEx ENDP NtQuerySystemTime PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQuerySystemTime_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQuerySystemTime_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQuerySystemTime_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQuerySystemTime_Check_10_0_XXXX jmp NtQuerySystemTime_SystemCall_Unknown NtQuerySystemTime_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQuerySystemTime_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQuerySystemTime_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQuerySystemTime_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQuerySystemTime_SystemCall_6_3_XXXX jmp NtQuerySystemTime_SystemCall_Unknown NtQuerySystemTime_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQuerySystemTime_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQuerySystemTime_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQuerySystemTime_SystemCall_6_0_6002 jmp NtQuerySystemTime_SystemCall_Unknown NtQuerySystemTime_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQuerySystemTime_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQuerySystemTime_SystemCall_6_1_7601 jmp NtQuerySystemTime_SystemCall_Unknown NtQuerySystemTime_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQuerySystemTime_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQuerySystemTime_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQuerySystemTime_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQuerySystemTime_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQuerySystemTime_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQuerySystemTime_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQuerySystemTime_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQuerySystemTime_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQuerySystemTime_SystemCall_10_0_18363 jmp NtQuerySystemTime_SystemCall_Unknown NtQuerySystemTime_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0057h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0057h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0057h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0057h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0057h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0057h jmp NtQuerySystemTime_Epilogue 
NtQuerySystemTime_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0058h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0059h jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 005ah jmp NtQuerySystemTime_Epilogue NtQuerySystemTime_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQuerySystemTime_Epilogue: mov r10, rcx syscall ret NtQuerySystemTime ENDP NtQueryTimer PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryTimer_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryTimer_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryTimer_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryTimer_Check_10_0_XXXX jmp NtQueryTimer_SystemCall_Unknown NtQueryTimer_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryTimer_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryTimer_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryTimer_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryTimer_SystemCall_6_3_XXXX jmp NtQueryTimer_SystemCall_Unknown NtQueryTimer_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryTimer_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryTimer_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryTimer_SystemCall_6_0_6002 jmp NtQueryTimer_SystemCall_Unknown NtQueryTimer_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryTimer_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryTimer_SystemCall_6_1_7601 jmp NtQueryTimer_SystemCall_Unknown NtQueryTimer_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryTimer_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryTimer_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryTimer_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryTimer_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryTimer_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryTimer_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryTimer_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryTimer_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryTimer_SystemCall_10_0_18363 jmp NtQueryTimer_SystemCall_Unknown NtQueryTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0035h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0035h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0035h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0035h jmp NtQueryTimer_Epilogue 
NtQueryTimer_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0035h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0035h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0036h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0037h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0038h jmp NtQueryTimer_Epilogue NtQueryTimer_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryTimer_Epilogue: mov r10, rcx syscall ret NtQueryTimer ENDP NtQueryTimerResolution PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryTimerResolution_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryTimerResolution_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryTimerResolution_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryTimerResolution_Check_10_0_XXXX jmp NtQueryTimerResolution_SystemCall_Unknown NtQueryTimerResolution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryTimerResolution_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryTimerResolution_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryTimerResolution_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryTimerResolution_SystemCall_6_3_XXXX jmp NtQueryTimerResolution_SystemCall_Unknown NtQueryTimerResolution_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryTimerResolution_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryTimerResolution_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryTimerResolution_SystemCall_6_0_6002 jmp NtQueryTimerResolution_SystemCall_Unknown NtQueryTimerResolution_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryTimerResolution_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryTimerResolution_SystemCall_6_1_7601 jmp NtQueryTimerResolution_SystemCall_Unknown NtQueryTimerResolution_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryTimerResolution_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryTimerResolution_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryTimerResolution_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryTimerResolution_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryTimerResolution_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryTimerResolution_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryTimerResolution_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryTimerResolution_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryTimerResolution_SystemCall_10_0_18363 jmp NtQueryTimerResolution_SystemCall_Unknown NtQueryTimerResolution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00e0h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 012ah jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0125h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0125h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 012dh jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 012dh jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 013fh jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0142h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0148h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 014bh jmp 
NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 014fh jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0155h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0158h jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 015ah jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 015bh jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 015ch jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 015ch jmp NtQueryTimerResolution_Epilogue NtQueryTimerResolution_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryTimerResolution_Epilogue: mov r10, rcx syscall ret NtQueryTimerResolution ENDP NtQueryValueKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryValueKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryValueKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryValueKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryValueKey_Check_10_0_XXXX jmp NtQueryValueKey_SystemCall_Unknown NtQueryValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryValueKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryValueKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryValueKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryValueKey_SystemCall_6_3_XXXX jmp NtQueryValueKey_SystemCall_Unknown NtQueryValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQueryValueKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryValueKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryValueKey_SystemCall_6_0_6002 jmp NtQueryValueKey_SystemCall_Unknown NtQueryValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryValueKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryValueKey_SystemCall_6_1_7601 jmp NtQueryValueKey_SystemCall_Unknown NtQueryValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryValueKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryValueKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryValueKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryValueKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryValueKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryValueKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryValueKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryValueKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryValueKey_SystemCall_10_0_18363 jmp NtQueryValueKey_SystemCall_Unknown NtQueryValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0014h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0014h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0014h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0014h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0014h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0014h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 
mov eax, 0015h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0016h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0017h jmp NtQueryValueKey_Epilogue NtQueryValueKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryValueKey_Epilogue: mov r10, rcx syscall ret NtQueryValueKey ENDP NtQueryVirtualMemory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryVirtualMemory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryVirtualMemory_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryVirtualMemory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryVirtualMemory_Check_10_0_XXXX jmp NtQueryVirtualMemory_SystemCall_Unknown NtQueryVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtQueryVirtualMemory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryVirtualMemory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryVirtualMemory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryVirtualMemory_SystemCall_6_3_XXXX jmp NtQueryVirtualMemory_SystemCall_Unknown NtQueryVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueryVirtualMemory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryVirtualMemory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryVirtualMemory_SystemCall_6_0_6002 jmp NtQueryVirtualMemory_SystemCall_Unknown NtQueryVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryVirtualMemory_SystemCall_6_1_7601 jmp NtQueryVirtualMemory_SystemCall_Unknown NtQueryVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryVirtualMemory_SystemCall_10_0_18363 jmp NtQueryVirtualMemory_SystemCall_Unknown NtQueryVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0020h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0020h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0020h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0020h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0020h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0020h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0021h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0022h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue 
NtQueryVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0023h jmp NtQueryVirtualMemory_Epilogue NtQueryVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryVirtualMemory_Epilogue: mov r10, rcx syscall ret NtQueryVirtualMemory ENDP NtQueryVolumeInformationFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryVolumeInformationFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueryVolumeInformationFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueryVolumeInformationFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryVolumeInformationFile_Check_10_0_XXXX jmp NtQueryVolumeInformationFile_SystemCall_Unknown NtQueryVolumeInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueryVolumeInformationFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueryVolumeInformationFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryVolumeInformationFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryVolumeInformationFile_SystemCall_6_3_XXXX jmp NtQueryVolumeInformationFile_SystemCall_Unknown NtQueryVolumeInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtQueryVolumeInformationFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueryVolumeInformationFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueryVolumeInformationFile_SystemCall_6_0_6002 jmp NtQueryVolumeInformationFile_SystemCall_Unknown NtQueryVolumeInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueryVolumeInformationFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueryVolumeInformationFile_SystemCall_6_1_7601 jmp NtQueryVolumeInformationFile_SystemCall_Unknown NtQueryVolumeInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryVolumeInformationFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryVolumeInformationFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryVolumeInformationFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryVolumeInformationFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryVolumeInformationFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryVolumeInformationFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryVolumeInformationFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryVolumeInformationFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryVolumeInformationFile_SystemCall_10_0_18363 jmp NtQueryVolumeInformationFile_SystemCall_Unknown NtQueryVolumeInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0046h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0046h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0046h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 
2008 SP2 mov eax, 0046h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0046h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0046h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0047h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0048h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0049h jmp NtQueryVolumeInformationFile_Epilogue NtQueryVolumeInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtQueryVolumeInformationFile_Epilogue: mov r10, rcx syscall ret NtQueryVolumeInformationFile ENDP NtQueryWnfStateData PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryWnfStateData_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryWnfStateData_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryWnfStateData_Check_10_0_XXXX jmp NtQueryWnfStateData_SystemCall_Unknown NtQueryWnfStateData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtQueryWnfStateData_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryWnfStateData_SystemCall_6_3_XXXX jmp NtQueryWnfStateData_SystemCall_Unknown NtQueryWnfStateData_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtQueryWnfStateData_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryWnfStateData_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryWnfStateData_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryWnfStateData_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryWnfStateData_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryWnfStateData_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryWnfStateData_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryWnfStateData_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryWnfStateData_SystemCall_10_0_18363 jmp NtQueryWnfStateData_SystemCall_Unknown NtQueryWnfStateData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0140h jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0143h jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0149h jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 014ch jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) mov eax, 0150h jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0156h jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0159h jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 015bh jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 015ch jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 015dh jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 015dh jmp NtQueryWnfStateData_Epilogue NtQueryWnfStateData_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryWnfStateData_Epilogue: mov r10, rcx syscall ret NtQueryWnfStateData ENDP NtQueryWnfStateNameInformation PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueryWnfStateNameInformation_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueryWnfStateNameInformation_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueryWnfStateNameInformation_Check_10_0_XXXX jmp NtQueryWnfStateNameInformation_SystemCall_Unknown NtQueryWnfStateNameInformation_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtQueryWnfStateNameInformation_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueryWnfStateNameInformation_SystemCall_6_3_XXXX jmp NtQueryWnfStateNameInformation_SystemCall_Unknown NtQueryWnfStateNameInformation_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueryWnfStateNameInformation_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueryWnfStateNameInformation_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueryWnfStateNameInformation_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueryWnfStateNameInformation_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueryWnfStateNameInformation_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueryWnfStateNameInformation_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueryWnfStateNameInformation_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueryWnfStateNameInformation_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueryWnfStateNameInformation_SystemCall_10_0_18363 jmp NtQueryWnfStateNameInformation_SystemCall_Unknown NtQueryWnfStateNameInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0141h jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0144h jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 014ah jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 014dh jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0151h jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0157h jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 015ah jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 015ch jmp NtQueryWnfStateNameInformation_Epilogue 
NtQueryWnfStateNameInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 015dh jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 015eh jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 015eh jmp NtQueryWnfStateNameInformation_Epilogue NtQueryWnfStateNameInformation_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueryWnfStateNameInformation_Epilogue: mov r10, rcx syscall ret NtQueryWnfStateNameInformation ENDP NtQueueApcThread PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueueApcThread_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtQueueApcThread_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtQueueApcThread_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueueApcThread_Check_10_0_XXXX jmp NtQueueApcThread_SystemCall_Unknown NtQueueApcThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtQueueApcThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtQueueApcThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueueApcThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueueApcThread_SystemCall_6_3_XXXX jmp NtQueueApcThread_SystemCall_Unknown NtQueueApcThread_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtQueueApcThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtQueueApcThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtQueueApcThread_SystemCall_6_0_6002 jmp NtQueueApcThread_SystemCall_Unknown NtQueueApcThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueueApcThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueueApcThread_SystemCall_6_1_7601 jmp NtQueueApcThread_SystemCall_Unknown NtQueueApcThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueueApcThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueueApcThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueueApcThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueueApcThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueueApcThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueueApcThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueueApcThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueueApcThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueueApcThread_SystemCall_10_0_18363 jmp NtQueueApcThread_SystemCall_Unknown NtQueueApcThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0042h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0042h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0042h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0042h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0042h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0042h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0043h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0044h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_15063: ; 
Windows 10.0.15063 (1703) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0045h jmp NtQueueApcThread_Epilogue NtQueueApcThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueueApcThread_Epilogue: mov r10, rcx syscall ret NtQueueApcThread ENDP NtQueueApcThreadEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtQueueApcThreadEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtQueueApcThreadEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtQueueApcThreadEx_Check_10_0_XXXX jmp NtQueueApcThreadEx_SystemCall_Unknown NtQueueApcThreadEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtQueueApcThreadEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtQueueApcThreadEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtQueueApcThreadEx_SystemCall_6_3_XXXX jmp NtQueueApcThreadEx_SystemCall_Unknown NtQueueApcThreadEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtQueueApcThreadEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtQueueApcThreadEx_SystemCall_6_1_7601 jmp NtQueueApcThreadEx_SystemCall_Unknown NtQueueApcThreadEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtQueueApcThreadEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtQueueApcThreadEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtQueueApcThreadEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtQueueApcThreadEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtQueueApcThreadEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtQueueApcThreadEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtQueueApcThreadEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtQueueApcThreadEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtQueueApcThreadEx_SystemCall_10_0_18363 jmp NtQueueApcThreadEx_SystemCall_Unknown NtQueueApcThreadEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 012eh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 012eh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0142h jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0145h jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 014bh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 014eh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0152h jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0158h jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 015bh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 015dh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 015eh jmp 
NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 015fh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 015fh jmp NtQueueApcThreadEx_Epilogue NtQueueApcThreadEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtQueueApcThreadEx_Epilogue: mov r10, rcx syscall ret NtQueueApcThreadEx ENDP NtRaiseException PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRaiseException_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtRaiseException_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRaiseException_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRaiseException_Check_10_0_XXXX jmp NtRaiseException_SystemCall_Unknown NtRaiseException_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRaiseException_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRaiseException_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRaiseException_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRaiseException_SystemCall_6_3_XXXX jmp NtRaiseException_SystemCall_Unknown NtRaiseException_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRaiseException_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRaiseException_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRaiseException_SystemCall_6_0_6002 jmp NtRaiseException_SystemCall_Unknown NtRaiseException_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRaiseException_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRaiseException_SystemCall_6_1_7601 jmp NtRaiseException_SystemCall_Unknown NtRaiseException_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRaiseException_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRaiseException_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRaiseException_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRaiseException_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRaiseException_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRaiseException_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRaiseException_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRaiseException_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRaiseException_SystemCall_10_0_18363 jmp NtRaiseException_SystemCall_Unknown NtRaiseException_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00e1h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 012bh jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0126h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0126h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 012fh jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 012fh jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0143h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0146h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 014ch jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 014fh jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0153h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_15063: ; 
Windows 10.0.15063 (1703) mov eax, 0159h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 015ch jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 015eh jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 015fh jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0160h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0160h jmp NtRaiseException_Epilogue NtRaiseException_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRaiseException_Epilogue: mov r10, rcx syscall ret NtRaiseException ENDP NtRaiseHardError PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRaiseHardError_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtRaiseHardError_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRaiseHardError_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRaiseHardError_Check_10_0_XXXX jmp NtRaiseHardError_SystemCall_Unknown NtRaiseHardError_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRaiseHardError_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRaiseHardError_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRaiseHardError_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRaiseHardError_SystemCall_6_3_XXXX jmp NtRaiseHardError_SystemCall_Unknown NtRaiseHardError_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRaiseHardError_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRaiseHardError_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRaiseHardError_SystemCall_6_0_6002 jmp NtRaiseHardError_SystemCall_Unknown NtRaiseHardError_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtRaiseHardError_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRaiseHardError_SystemCall_6_1_7601 jmp NtRaiseHardError_SystemCall_Unknown NtRaiseHardError_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtRaiseHardError_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRaiseHardError_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRaiseHardError_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRaiseHardError_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRaiseHardError_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRaiseHardError_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRaiseHardError_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRaiseHardError_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRaiseHardError_SystemCall_10_0_18363 jmp NtRaiseHardError_SystemCall_Unknown NtRaiseHardError_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00e2h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 012ch jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0127h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0127h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0130h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0130h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0144h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0147h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 014dh jmp NtRaiseHardError_Epilogue 
NtRaiseHardError_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0150h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0154h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 015ah jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 015dh jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 015fh jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0160h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0161h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0161h jmp NtRaiseHardError_Epilogue NtRaiseHardError_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRaiseHardError_Epilogue: mov r10, rcx syscall ret NtRaiseHardError ENDP NtReadFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtReadFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtReadFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtReadFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtReadFile_Check_10_0_XXXX jmp NtReadFile_SystemCall_Unknown NtReadFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtReadFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtReadFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtReadFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtReadFile_SystemCall_6_3_XXXX jmp NtReadFile_SystemCall_Unknown NtReadFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtReadFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtReadFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtReadFile_SystemCall_6_0_6002 jmp NtReadFile_SystemCall_Unknown NtReadFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtReadFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtReadFile_SystemCall_6_1_7601 jmp NtReadFile_SystemCall_Unknown NtReadFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtReadFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtReadFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtReadFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtReadFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtReadFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtReadFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtReadFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtReadFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtReadFile_SystemCall_10_0_18363 jmp NtReadFile_SystemCall_Unknown NtReadFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0003h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0003h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0003h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0003h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0003h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0003h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0004h jmp NtReadFile_Epilogue NtReadFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0005h jmp NtReadFile_Epilogue 
NtReadFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0006h jmp NtReadFile_Epilogue NtReadFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtReadFile_Epilogue: mov r10, rcx syscall ret NtReadFile ENDP NtReadFileScatter PROC mov rax, gs:[60h] ; Load PEB into RAX. NtReadFileScatter_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtReadFileScatter_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtReadFileScatter_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtReadFileScatter_Check_10_0_XXXX jmp NtReadFileScatter_SystemCall_Unknown NtReadFileScatter_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtReadFileScatter_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtReadFileScatter_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtReadFileScatter_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtReadFileScatter_SystemCall_6_3_XXXX jmp NtReadFileScatter_SystemCall_Unknown NtReadFileScatter_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtReadFileScatter_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtReadFileScatter_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtReadFileScatter_SystemCall_6_0_6002 jmp NtReadFileScatter_SystemCall_Unknown NtReadFileScatter_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtReadFileScatter_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtReadFileScatter_SystemCall_6_1_7601 jmp NtReadFileScatter_SystemCall_Unknown NtReadFileScatter_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtReadFileScatter_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtReadFileScatter_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtReadFileScatter_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtReadFileScatter_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtReadFileScatter_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtReadFileScatter_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtReadFileScatter_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtReadFileScatter_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtReadFileScatter_SystemCall_10_0_18363 jmp NtReadFileScatter_SystemCall_Unknown NtReadFileScatter_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 002bh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 002bh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 002bh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 002bh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 002bh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 002bh jmp NtReadFileScatter_Epilogue 
NtReadFileScatter_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 002ch jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 002dh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 002eh jmp NtReadFileScatter_Epilogue NtReadFileScatter_SystemCall_Unknown: ; Unknown/unsupported version. ret NtReadFileScatter_Epilogue: mov r10, rcx syscall ret NtReadFileScatter ENDP NtReadOnlyEnlistment PROC mov rax, gs:[60h] ; Load PEB into RAX. NtReadOnlyEnlistment_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtReadOnlyEnlistment_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtReadOnlyEnlistment_Check_10_0_XXXX jmp NtReadOnlyEnlistment_SystemCall_Unknown NtReadOnlyEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtReadOnlyEnlistment_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtReadOnlyEnlistment_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtReadOnlyEnlistment_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtReadOnlyEnlistment_SystemCall_6_3_XXXX jmp NtReadOnlyEnlistment_SystemCall_Unknown NtReadOnlyEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtReadOnlyEnlistment_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtReadOnlyEnlistment_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtReadOnlyEnlistment_SystemCall_6_0_6002 jmp NtReadOnlyEnlistment_SystemCall_Unknown NtReadOnlyEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtReadOnlyEnlistment_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtReadOnlyEnlistment_SystemCall_6_1_7601 jmp NtReadOnlyEnlistment_SystemCall_Unknown NtReadOnlyEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtReadOnlyEnlistment_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtReadOnlyEnlistment_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtReadOnlyEnlistment_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtReadOnlyEnlistment_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtReadOnlyEnlistment_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtReadOnlyEnlistment_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtReadOnlyEnlistment_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtReadOnlyEnlistment_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtReadOnlyEnlistment_SystemCall_10_0_18363 jmp NtReadOnlyEnlistment_SystemCall_Unknown NtReadOnlyEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 012dh jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0128h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0128h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0131h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0131h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0145h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0148h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 014eh jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0151h jmp NtReadOnlyEnlistment_Epilogue NtReadOnlyEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0155h jmp NtReadOnlyEnlistment_Epilogue 
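; ---------------------------------------------------------------------
; Direct-syscall stubs, Microsoft x64 ABI (MASM, Intel syntax).
; Every PROC below has the same shape:
;   1. load the PEB from the TEB (gs:[60h]);
;   2. dispatch on PEB.OSMajorVersion (+118h), PEB.OSMinorVersion (+11Ch)
;      and PEB.OSBuildNumber (+120h) to the system-service number that
;      build of Windows uses for the call;
;   3. fall into the common epilogue: mov r10, rcx / syscall / ret.
; The caller's arguments are left untouched in rcx, rdx, r8, r9 and on
; the stack, so each stub has the same prototype as the ntdll export it
; stands in for.  A version that is not in a stub's table returns
; STATUS_NOT_IMPLEMENTED (0C0000002h) so the caller's status check fails
; deterministically instead of seeing the PEB pointer left in rax.
; Clobbers: rax, r10, flags; rcx and r11 are overwritten by syscall.
; Note: the minor-version dispatch compares against 3 for the 6.3
; (Windows 8.1 / Server 2012 R2) entry; comparing against 2 twice makes
; that entry unreachable and sends 8.1 to the unsupported path.
; ---------------------------------------------------------------------
NtReadOnlyEnlistment_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 015bh
        jmp     NtReadOnlyEnlistment_Epilogue
NtReadOnlyEnlistment_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 015eh
        jmp     NtReadOnlyEnlistment_Epilogue
NtReadOnlyEnlistment_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 0160h
        jmp     NtReadOnlyEnlistment_Epilogue
NtReadOnlyEnlistment_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 0161h
        jmp     NtReadOnlyEnlistment_Epilogue
NtReadOnlyEnlistment_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 0162h
        jmp     NtReadOnlyEnlistment_Epilogue
NtReadOnlyEnlistment_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 0162h
        jmp     NtReadOnlyEnlistment_Epilogue
NtReadOnlyEnlistment_SystemCall_Unknown:        ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtReadOnlyEnlistment_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtReadOnlyEnlistment ENDP

;-----------------------------------------------------------------------
; NtReadRequestData -- direct syscall stub (Windows XP through 10 1909)
;-----------------------------------------------------------------------
NtReadRequestData PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtReadRequestData_Check_X_X_XXXX:               ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtReadRequestData_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtReadRequestData_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtReadRequestData_Check_10_0_XXXX
        jmp     NtReadRequestData_SystemCall_Unknown
NtReadRequestData_Check_6_X_XXXX:               ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtReadRequestData_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtReadRequestData_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtReadRequestData_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtReadRequestData_SystemCall_6_3_XXXX
        jmp     NtReadRequestData_SystemCall_Unknown
NtReadRequestData_Check_6_0_XXXX:               ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtReadRequestData_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtReadRequestData_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtReadRequestData_SystemCall_6_0_6002
        jmp     NtReadRequestData_SystemCall_Unknown
NtReadRequestData_Check_6_1_XXXX:               ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtReadRequestData_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtReadRequestData_SystemCall_6_1_7601
        jmp     NtReadRequestData_SystemCall_Unknown
NtReadRequestData_Check_10_0_XXXX:              ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtReadRequestData_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtReadRequestData_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtReadRequestData_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtReadRequestData_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtReadRequestData_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtReadRequestData_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtReadRequestData_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtReadRequestData_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtReadRequestData_SystemCall_10_0_18363
        jmp     NtReadRequestData_SystemCall_Unknown
NtReadRequestData_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
        mov     eax, 0051h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 0051h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0051h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0051h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 0051h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0051h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 0052h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 0053h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0054h
        jmp     NtReadRequestData_Epilogue
NtReadRequestData_SystemCall_Unknown:           ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtReadRequestData_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtReadRequestData ENDP

;-----------------------------------------------------------------------
; NtReadVirtualMemory -- direct syscall stub (Windows XP through 10 1909)
;-----------------------------------------------------------------------
NtReadVirtualMemory PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtReadVirtualMemory_Check_X_X_XXXX:             ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtReadVirtualMemory_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtReadVirtualMemory_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtReadVirtualMemory_Check_10_0_XXXX
        jmp     NtReadVirtualMemory_SystemCall_Unknown
NtReadVirtualMemory_Check_6_X_XXXX:             ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtReadVirtualMemory_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtReadVirtualMemory_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtReadVirtualMemory_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtReadVirtualMemory_SystemCall_6_3_XXXX
        jmp     NtReadVirtualMemory_SystemCall_Unknown
NtReadVirtualMemory_Check_6_0_XXXX:             ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtReadVirtualMemory_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtReadVirtualMemory_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtReadVirtualMemory_SystemCall_6_0_6002
        jmp     NtReadVirtualMemory_SystemCall_Unknown
NtReadVirtualMemory_Check_6_1_XXXX:             ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtReadVirtualMemory_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtReadVirtualMemory_SystemCall_6_1_7601
        jmp     NtReadVirtualMemory_SystemCall_Unknown
NtReadVirtualMemory_Check_10_0_XXXX:            ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtReadVirtualMemory_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtReadVirtualMemory_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtReadVirtualMemory_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtReadVirtualMemory_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtReadVirtualMemory_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtReadVirtualMemory_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtReadVirtualMemory_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtReadVirtualMemory_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtReadVirtualMemory_SystemCall_10_0_18363
        jmp     NtReadVirtualMemory_SystemCall_Unknown
NtReadVirtualMemory_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 003ch
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 003ch
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 003ch
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 003ch
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 003ch
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 003ch
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 003dh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 003eh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 003fh
        jmp     NtReadVirtualMemory_Epilogue
NtReadVirtualMemory_SystemCall_Unknown:         ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtReadVirtualMemory_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtReadVirtualMemory ENDP

;-----------------------------------------------------------------------
; NtRecoverEnlistment -- direct syscall stub (Windows Vista through 10 1909)
;-----------------------------------------------------------------------
NtRecoverEnlistment PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtRecoverEnlistment_Check_X_X_XXXX:             ; PEB.OSMajorVersion (no XP entry)
        cmp     dword ptr [rax+118h], 6
        je      NtRecoverEnlistment_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtRecoverEnlistment_Check_10_0_XXXX
        jmp     NtRecoverEnlistment_SystemCall_Unknown
NtRecoverEnlistment_Check_6_X_XXXX:             ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtRecoverEnlistment_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtRecoverEnlistment_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtRecoverEnlistment_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtRecoverEnlistment_SystemCall_6_3_XXXX
        jmp     NtRecoverEnlistment_SystemCall_Unknown
NtRecoverEnlistment_Check_6_0_XXXX:             ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtRecoverEnlistment_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtRecoverEnlistment_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtRecoverEnlistment_SystemCall_6_0_6002
        jmp     NtRecoverEnlistment_SystemCall_Unknown
NtRecoverEnlistment_Check_6_1_XXXX:             ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtRecoverEnlistment_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtRecoverEnlistment_SystemCall_6_1_7601
        jmp     NtRecoverEnlistment_SystemCall_Unknown
NtRecoverEnlistment_Check_10_0_XXXX:            ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtRecoverEnlistment_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtRecoverEnlistment_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtRecoverEnlistment_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtRecoverEnlistment_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtRecoverEnlistment_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtRecoverEnlistment_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtRecoverEnlistment_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtRecoverEnlistment_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtRecoverEnlistment_SystemCall_10_0_18363
        jmp     NtRecoverEnlistment_SystemCall_Unknown
NtRecoverEnlistment_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 012eh
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0129h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0129h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 0132h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0132h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 0146h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 0149h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 014fh
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 0152h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 0156h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 015ch
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 015fh
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0161h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0162h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0163h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0163h
        jmp     NtRecoverEnlistment_Epilogue
NtRecoverEnlistment_SystemCall_Unknown:         ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtRecoverEnlistment_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtRecoverEnlistment ENDP

;-----------------------------------------------------------------------
; NtRecoverResourceManager -- direct syscall stub (Windows Vista through 10 1909)
;-----------------------------------------------------------------------
NtRecoverResourceManager PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtRecoverResourceManager_Check_X_X_XXXX:        ; PEB.OSMajorVersion (no XP entry)
        cmp     dword ptr [rax+118h], 6
        je      NtRecoverResourceManager_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtRecoverResourceManager_Check_10_0_XXXX
        jmp     NtRecoverResourceManager_SystemCall_Unknown
NtRecoverResourceManager_Check_6_X_XXXX:        ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtRecoverResourceManager_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtRecoverResourceManager_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtRecoverResourceManager_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtRecoverResourceManager_SystemCall_6_3_XXXX
        jmp     NtRecoverResourceManager_SystemCall_Unknown
NtRecoverResourceManager_Check_6_0_XXXX:        ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtRecoverResourceManager_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtRecoverResourceManager_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtRecoverResourceManager_SystemCall_6_0_6002
        jmp     NtRecoverResourceManager_SystemCall_Unknown
NtRecoverResourceManager_Check_6_1_XXXX:        ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtRecoverResourceManager_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtRecoverResourceManager_SystemCall_6_1_7601
        jmp     NtRecoverResourceManager_SystemCall_Unknown
NtRecoverResourceManager_Check_10_0_XXXX:       ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtRecoverResourceManager_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtRecoverResourceManager_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtRecoverResourceManager_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtRecoverResourceManager_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtRecoverResourceManager_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtRecoverResourceManager_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtRecoverResourceManager_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtRecoverResourceManager_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtRecoverResourceManager_SystemCall_10_0_18363
        jmp     NtRecoverResourceManager_SystemCall_Unknown
NtRecoverResourceManager_SystemCall_6_0_6000:   ; Windows Vista SP0
        mov     eax, 012fh
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 012ah
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 012ah
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_6_1_7600:   ; Windows 7 SP0
        mov     eax, 0133h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0133h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
        mov     eax, 0147h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
        mov     eax, 014ah
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0150h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0153h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0157h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 015dh
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0160h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0162h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0163h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0164h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0164h
        jmp     NtRecoverResourceManager_Epilogue
NtRecoverResourceManager_SystemCall_Unknown:    ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtRecoverResourceManager_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtRecoverResourceManager ENDP

;-----------------------------------------------------------------------
; NtRecoverTransactionManager -- direct syscall stub (Windows Vista through 10 1909)
;-----------------------------------------------------------------------
NtRecoverTransactionManager PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtRecoverTransactionManager_Check_X_X_XXXX:     ; PEB.OSMajorVersion (no XP entry)
        cmp     dword ptr [rax+118h], 6
        je      NtRecoverTransactionManager_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtRecoverTransactionManager_Check_10_0_XXXX
        jmp     NtRecoverTransactionManager_SystemCall_Unknown
NtRecoverTransactionManager_Check_6_X_XXXX:     ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtRecoverTransactionManager_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtRecoverTransactionManager_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtRecoverTransactionManager_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtRecoverTransactionManager_SystemCall_6_3_XXXX
        jmp     NtRecoverTransactionManager_SystemCall_Unknown
NtRecoverTransactionManager_Check_6_0_XXXX:     ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtRecoverTransactionManager_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtRecoverTransactionManager_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtRecoverTransactionManager_SystemCall_6_0_6002
        jmp     NtRecoverTransactionManager_SystemCall_Unknown
NtRecoverTransactionManager_Check_6_1_XXXX:     ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtRecoverTransactionManager_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtRecoverTransactionManager_SystemCall_6_1_7601
        jmp     NtRecoverTransactionManager_SystemCall_Unknown
NtRecoverTransactionManager_Check_10_0_XXXX:    ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtRecoverTransactionManager_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtRecoverTransactionManager_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtRecoverTransactionManager_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtRecoverTransactionManager_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtRecoverTransactionManager_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtRecoverTransactionManager_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtRecoverTransactionManager_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtRecoverTransactionManager_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtRecoverTransactionManager_SystemCall_10_0_18363
        jmp     NtRecoverTransactionManager_SystemCall_Unknown
NtRecoverTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0130h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 012bh
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 012bh
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0134h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0134h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0148h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 014bh
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0151h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0154h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0158h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 015eh
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0161h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0163h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0164h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0165h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0165h
        jmp     NtRecoverTransactionManager_Epilogue
NtRecoverTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtRecoverTransactionManager_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtRecoverTransactionManager ENDP

;-----------------------------------------------------------------------
; NtRegisterProtocolAddressInformation -- direct syscall stub (Windows Vista through 10 1909)
;-----------------------------------------------------------------------
NtRegisterProtocolAddressInformation PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtRegisterProtocolAddressInformation_Check_X_X_XXXX: ; PEB.OSMajorVersion (no XP entry)
        cmp     dword ptr [rax+118h], 6
        je      NtRegisterProtocolAddressInformation_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtRegisterProtocolAddressInformation_Check_10_0_XXXX
        jmp     NtRegisterProtocolAddressInformation_SystemCall_Unknown
NtRegisterProtocolAddressInformation_Check_6_X_XXXX: ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtRegisterProtocolAddressInformation_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtRegisterProtocolAddressInformation_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtRegisterProtocolAddressInformation_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtRegisterProtocolAddressInformation_SystemCall_6_3_XXXX
        jmp     NtRegisterProtocolAddressInformation_SystemCall_Unknown
NtRegisterProtocolAddressInformation_Check_6_0_XXXX: ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtRegisterProtocolAddressInformation_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtRegisterProtocolAddressInformation_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtRegisterProtocolAddressInformation_SystemCall_6_0_6002
        jmp     NtRegisterProtocolAddressInformation_SystemCall_Unknown
NtRegisterProtocolAddressInformation_Check_6_1_XXXX: ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtRegisterProtocolAddressInformation_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtRegisterProtocolAddressInformation_SystemCall_6_1_7601
        jmp     NtRegisterProtocolAddressInformation_SystemCall_Unknown
NtRegisterProtocolAddressInformation_Check_10_0_XXXX: ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtRegisterProtocolAddressInformation_SystemCall_10_0_18363
        jmp     NtRegisterProtocolAddressInformation_SystemCall_Unknown
NtRegisterProtocolAddressInformation_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0131h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 012ch
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 012ch
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0135h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0135h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0149h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 014ch
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0152h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0155h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0159h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 015fh
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0162h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0164h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0165h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0166h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0166h
        jmp     NtRegisterProtocolAddressInformation_Epilogue
NtRegisterProtocolAddressInformation_SystemCall_Unknown: ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtRegisterProtocolAddressInformation_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtRegisterProtocolAddressInformation ENDP

;-----------------------------------------------------------------------
; NtRegisterThreadTerminatePort -- direct syscall stub (Windows XP through 10 1909)
;-----------------------------------------------------------------------
NtRegisterThreadTerminatePort PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtRegisterThreadTerminatePort_Check_X_X_XXXX:   ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtRegisterThreadTerminatePort_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtRegisterThreadTerminatePort_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtRegisterThreadTerminatePort_Check_10_0_XXXX
        jmp     NtRegisterThreadTerminatePort_SystemCall_Unknown
NtRegisterThreadTerminatePort_Check_6_X_XXXX:   ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtRegisterThreadTerminatePort_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtRegisterThreadTerminatePort_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtRegisterThreadTerminatePort_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtRegisterThreadTerminatePort_SystemCall_6_3_XXXX
        jmp     NtRegisterThreadTerminatePort_SystemCall_Unknown
NtRegisterThreadTerminatePort_Check_6_0_XXXX:   ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtRegisterThreadTerminatePort_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtRegisterThreadTerminatePort_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtRegisterThreadTerminatePort_SystemCall_6_0_6002
        jmp     NtRegisterThreadTerminatePort_SystemCall_Unknown
NtRegisterThreadTerminatePort_Check_6_1_XXXX:   ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtRegisterThreadTerminatePort_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtRegisterThreadTerminatePort_SystemCall_6_1_7601
        jmp     NtRegisterThreadTerminatePort_SystemCall_Unknown
NtRegisterThreadTerminatePort_Check_10_0_XXXX:  ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtRegisterThreadTerminatePort_SystemCall_10_0_18363
        jmp     NtRegisterThreadTerminatePort_SystemCall_Unknown
NtRegisterThreadTerminatePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00e3h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0132h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 012dh
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 012dh
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_1_7600: ; Windows 7 SP0
        mov     eax, 0136h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0136h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 014ah
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 014dh
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0153h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 0156h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 015ah
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0160h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0163h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 0165h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0166h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 0167h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0167h
        jmp     NtRegisterThreadTerminatePort_Epilogue
NtRegisterThreadTerminatePort_SystemCall_Unknown: ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtRegisterThreadTerminatePort_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtRegisterThreadTerminatePort ENDP

;-----------------------------------------------------------------------
; NtReleaseCMFViewOwnership -- direct syscall stub (Windows Vista only;
; the table has no entry for any later version)
;-----------------------------------------------------------------------
NtReleaseCMFViewOwnership PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtReleaseCMFViewOwnership_Check_X_X_XXXX:       ; PEB.OSMajorVersion: only 6 is known
        cmp     dword ptr [rax+118h], 6
        je      NtReleaseCMFViewOwnership_Check_6_X_XXXX
        jmp     NtReleaseCMFViewOwnership_SystemCall_Unknown
NtReleaseCMFViewOwnership_Check_6_X_XXXX:       ; PEB.OSMinorVersion: only 0 (Vista) is known
        cmp     dword ptr [rax+11ch], 0
        je      NtReleaseCMFViewOwnership_Check_6_0_XXXX
        jmp     NtReleaseCMFViewOwnership_SystemCall_Unknown
NtReleaseCMFViewOwnership_Check_6_0_XXXX:       ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtReleaseCMFViewOwnership_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtReleaseCMFViewOwnership_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtReleaseCMFViewOwnership_SystemCall_6_0_6002
        jmp     NtReleaseCMFViewOwnership_SystemCall_Unknown
NtReleaseCMFViewOwnership_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 0133h
        jmp     NtReleaseCMFViewOwnership_Epilogue
NtReleaseCMFViewOwnership_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 012eh
        jmp     NtReleaseCMFViewOwnership_Epilogue
NtReleaseCMFViewOwnership_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 012eh
        jmp     NtReleaseCMFViewOwnership_Epilogue
NtReleaseCMFViewOwnership_SystemCall_Unknown:   ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtReleaseCMFViewOwnership_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtReleaseCMFViewOwnership ENDP

;-----------------------------------------------------------------------
; NtReleaseKeyedEvent -- direct syscall stub (Windows XP through 10 1909)
;-----------------------------------------------------------------------
NtReleaseKeyedEvent PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtReleaseKeyedEvent_Check_X_X_XXXX:             ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtReleaseKeyedEvent_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtReleaseKeyedEvent_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtReleaseKeyedEvent_Check_10_0_XXXX
        jmp     NtReleaseKeyedEvent_SystemCall_Unknown
NtReleaseKeyedEvent_Check_6_X_XXXX:             ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtReleaseKeyedEvent_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtReleaseKeyedEvent_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtReleaseKeyedEvent_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtReleaseKeyedEvent_SystemCall_6_3_XXXX
        jmp     NtReleaseKeyedEvent_SystemCall_Unknown
NtReleaseKeyedEvent_Check_6_0_XXXX:             ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtReleaseKeyedEvent_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtReleaseKeyedEvent_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtReleaseKeyedEvent_SystemCall_6_0_6002
        jmp     NtReleaseKeyedEvent_SystemCall_Unknown
NtReleaseKeyedEvent_Check_6_1_XXXX:             ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtReleaseKeyedEvent_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtReleaseKeyedEvent_SystemCall_6_1_7601
        jmp     NtReleaseKeyedEvent_SystemCall_Unknown
NtReleaseKeyedEvent_Check_10_0_XXXX:            ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtReleaseKeyedEvent_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtReleaseKeyedEvent_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtReleaseKeyedEvent_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtReleaseKeyedEvent_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtReleaseKeyedEvent_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtReleaseKeyedEvent_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtReleaseKeyedEvent_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtReleaseKeyedEvent_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtReleaseKeyedEvent_SystemCall_10_0_18363
        jmp     NtReleaseKeyedEvent_SystemCall_Unknown
NtReleaseKeyedEvent_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 00e4h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 0134h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 012fh
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 012fh
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_1_7600:        ; Windows 7 SP0
        mov     eax, 0137h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0137h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 014bh
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 014eh
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 0154h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 0157h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 015bh
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 0161h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 0164h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0166h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0167h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
        mov     eax, 0168h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0168h
        jmp     NtReleaseKeyedEvent_Epilogue
NtReleaseKeyedEvent_SystemCall_Unknown:         ; Unknown/unsupported version.
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtReleaseKeyedEvent_Epilogue:
        mov     r10, rcx                        ; syscall takes arg1 in r10
        syscall
        ret
NtReleaseKeyedEvent ENDP

;-----------------------------------------------------------------------
; NtReleaseMutant -- direct syscall stub (Windows XP through 10 1909);
; the remainder of this PROC continues below.
;-----------------------------------------------------------------------
NtReleaseMutant PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtReleaseMutant_Check_X_X_XXXX:                 ; PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtReleaseMutant_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtReleaseMutant_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtReleaseMutant_Check_10_0_XXXX
        jmp     NtReleaseMutant_SystemCall_Unknown
NtReleaseMutant_Check_6_X_XXXX:                 ; PEB.OSMinorVersion: 0=Vista 1=7 2=8 3=8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtReleaseMutant_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtReleaseMutant_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtReleaseMutant_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1
        je      NtReleaseMutant_SystemCall_6_3_XXXX
        jmp     NtReleaseMutant_SystemCall_Unknown
NtReleaseMutant_Check_6_0_XXXX:                 ; PEB.OSBuildNumber, Vista
        cmp     dword ptr [rax+120h], 6000
        je      NtReleaseMutant_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtReleaseMutant_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtReleaseMutant_SystemCall_6_0_6002
        jmp     NtReleaseMutant_SystemCall_Unknown
NtReleaseMutant_Check_6_1_XXXX:                 ; PEB.OSBuildNumber, Windows 7
        cmp     dword ptr [rax+120h], 7600
        je      NtReleaseMutant_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtReleaseMutant_SystemCall_6_1_7601
        jmp     NtReleaseMutant_SystemCall_Unknown
NtReleaseMutant_Check_10_0_XXXX:                ; PEB.OSBuildNumber, Windows 10
        cmp     dword ptr [rax+120h], 10240
        je      NtReleaseMutant_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtReleaseMutant_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtReleaseMutant_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtReleaseMutant_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtReleaseMutant_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtReleaseMutant_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtReleaseMutant_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtReleaseMutant_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtReleaseMutant_SystemCall_10_0_18363
        jmp     NtReleaseMutant_SystemCall_Unknown
NtReleaseMutant_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
        mov     eax, 001dh
        jmp     NtReleaseMutant_Epilogue
NtReleaseMutant_SystemCall_6_0_6000:            ; Windows Vista SP0
        mov     eax, 001dh
        jmp     NtReleaseMutant_Epilogue
NtReleaseMutant_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 001dh
        jmp     NtReleaseMutant_Epilogue
NtReleaseMutant_SystemCall_6_0_6002: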
; Windows Vista SP2 and Server 2008 SP2 mov eax, 001dh jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 001dh jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 001dh jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 001eh jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 001fh jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0020h jmp NtReleaseMutant_Epilogue NtReleaseMutant_SystemCall_Unknown: ; Unknown/unsupported version. ret NtReleaseMutant_Epilogue: mov r10, rcx syscall ret NtReleaseMutant ENDP NtReleaseSemaphore PROC mov rax, gs:[60h] ; Load PEB into RAX. NtReleaseSemaphore_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtReleaseSemaphore_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtReleaseSemaphore_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtReleaseSemaphore_Check_10_0_XXXX jmp NtReleaseSemaphore_SystemCall_Unknown NtReleaseSemaphore_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtReleaseSemaphore_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtReleaseSemaphore_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtReleaseSemaphore_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtReleaseSemaphore_SystemCall_6_3_XXXX jmp NtReleaseSemaphore_SystemCall_Unknown NtReleaseSemaphore_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtReleaseSemaphore_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtReleaseSemaphore_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtReleaseSemaphore_SystemCall_6_0_6002 jmp NtReleaseSemaphore_SystemCall_Unknown NtReleaseSemaphore_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtReleaseSemaphore_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtReleaseSemaphore_SystemCall_6_1_7601 jmp NtReleaseSemaphore_SystemCall_Unknown NtReleaseSemaphore_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtReleaseSemaphore_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtReleaseSemaphore_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtReleaseSemaphore_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtReleaseSemaphore_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtReleaseSemaphore_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtReleaseSemaphore_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtReleaseSemaphore_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtReleaseSemaphore_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtReleaseSemaphore_SystemCall_10_0_18363 jmp NtReleaseSemaphore_SystemCall_Unknown NtReleaseSemaphore_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0007h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0007h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0007h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0007h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0007h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0007h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0008h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0009h jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 000ah jmp 
NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 000ah jmp NtReleaseSemaphore_Epilogue NtReleaseSemaphore_SystemCall_Unknown: ; Unknown/unsupported version. ret NtReleaseSemaphore_Epilogue: mov r10, rcx syscall ret NtReleaseSemaphore ENDP NtReleaseWorkerFactoryWorker PROC mov rax, gs:[60h] ; Load PEB into RAX. NtReleaseWorkerFactoryWorker_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtReleaseWorkerFactoryWorker_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtReleaseWorkerFactoryWorker_Check_10_0_XXXX jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown NtReleaseWorkerFactoryWorker_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtReleaseWorkerFactoryWorker_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtReleaseWorkerFactoryWorker_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtReleaseWorkerFactoryWorker_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtReleaseWorkerFactoryWorker_SystemCall_6_3_XXXX jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown NtReleaseWorkerFactoryWorker_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtReleaseWorkerFactoryWorker_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtReleaseWorkerFactoryWorker_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtReleaseWorkerFactoryWorker_SystemCall_6_0_6002 jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown NtReleaseWorkerFactoryWorker_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtReleaseWorkerFactoryWorker_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtReleaseWorkerFactoryWorker_SystemCall_6_1_7601 jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown NtReleaseWorkerFactoryWorker_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtReleaseWorkerFactoryWorker_SystemCall_10_0_18363 jmp NtReleaseWorkerFactoryWorker_SystemCall_Unknown NtReleaseWorkerFactoryWorker_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0135h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0130h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0130h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_6_1_7600: ; Windows 7 SP0 mov 
eax, 0138h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0138h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 014ch jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 014fh jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0155h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0158h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 015ch jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0162h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0165h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0167h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0168h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0169h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0169h jmp NtReleaseWorkerFactoryWorker_Epilogue NtReleaseWorkerFactoryWorker_SystemCall_Unknown: ; Unknown/unsupported version. ret NtReleaseWorkerFactoryWorker_Epilogue: mov r10, rcx syscall ret NtReleaseWorkerFactoryWorker ENDP NtRemoveIoCompletion PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtRemoveIoCompletion_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtRemoveIoCompletion_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRemoveIoCompletion_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRemoveIoCompletion_Check_10_0_XXXX jmp NtRemoveIoCompletion_SystemCall_Unknown NtRemoveIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRemoveIoCompletion_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRemoveIoCompletion_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRemoveIoCompletion_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRemoveIoCompletion_SystemCall_6_3_XXXX jmp NtRemoveIoCompletion_SystemCall_Unknown NtRemoveIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRemoveIoCompletion_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRemoveIoCompletion_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRemoveIoCompletion_SystemCall_6_0_6002 jmp NtRemoveIoCompletion_SystemCall_Unknown NtRemoveIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRemoveIoCompletion_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRemoveIoCompletion_SystemCall_6_1_7601 jmp NtRemoveIoCompletion_SystemCall_Unknown NtRemoveIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRemoveIoCompletion_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRemoveIoCompletion_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRemoveIoCompletion_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRemoveIoCompletion_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRemoveIoCompletion_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRemoveIoCompletion_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRemoveIoCompletion_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRemoveIoCompletion_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRemoveIoCompletion_SystemCall_10_0_18363 jmp NtRemoveIoCompletion_SystemCall_Unknown NtRemoveIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0006h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0006h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0006h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0006h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0006h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0006h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0007h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0008h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue 
NtRemoveIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0009h jmp NtRemoveIoCompletion_Epilogue NtRemoveIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRemoveIoCompletion_Epilogue: mov r10, rcx syscall ret NtRemoveIoCompletion ENDP NtRemoveIoCompletionEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRemoveIoCompletionEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtRemoveIoCompletionEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRemoveIoCompletionEx_Check_10_0_XXXX jmp NtRemoveIoCompletionEx_SystemCall_Unknown NtRemoveIoCompletionEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRemoveIoCompletionEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRemoveIoCompletionEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRemoveIoCompletionEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRemoveIoCompletionEx_SystemCall_6_3_XXXX jmp NtRemoveIoCompletionEx_SystemCall_Unknown NtRemoveIoCompletionEx_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtRemoveIoCompletionEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRemoveIoCompletionEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRemoveIoCompletionEx_SystemCall_6_0_6002 jmp NtRemoveIoCompletionEx_SystemCall_Unknown NtRemoveIoCompletionEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRemoveIoCompletionEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRemoveIoCompletionEx_SystemCall_6_1_7601 jmp NtRemoveIoCompletionEx_SystemCall_Unknown NtRemoveIoCompletionEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtRemoveIoCompletionEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRemoveIoCompletionEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRemoveIoCompletionEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRemoveIoCompletionEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRemoveIoCompletionEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRemoveIoCompletionEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRemoveIoCompletionEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRemoveIoCompletionEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRemoveIoCompletionEx_SystemCall_10_0_18363 jmp NtRemoveIoCompletionEx_SystemCall_Unknown NtRemoveIoCompletionEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0136h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0131h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0131h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0139h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0139h jmp 
NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 014dh jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0150h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0156h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0159h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 015dh jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0163h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0166h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0168h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0169h jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 016ah jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 016ah jmp NtRemoveIoCompletionEx_Epilogue NtRemoveIoCompletionEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRemoveIoCompletionEx_Epilogue: mov r10, rcx syscall ret NtRemoveIoCompletionEx ENDP NtRemoveProcessDebug PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRemoveProcessDebug_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtRemoveProcessDebug_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRemoveProcessDebug_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRemoveProcessDebug_Check_10_0_XXXX jmp NtRemoveProcessDebug_SystemCall_Unknown NtRemoveProcessDebug_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRemoveProcessDebug_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRemoveProcessDebug_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRemoveProcessDebug_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRemoveProcessDebug_SystemCall_6_3_XXXX jmp NtRemoveProcessDebug_SystemCall_Unknown NtRemoveProcessDebug_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRemoveProcessDebug_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRemoveProcessDebug_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRemoveProcessDebug_SystemCall_6_0_6002 jmp NtRemoveProcessDebug_SystemCall_Unknown NtRemoveProcessDebug_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRemoveProcessDebug_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRemoveProcessDebug_SystemCall_6_1_7601 jmp NtRemoveProcessDebug_SystemCall_Unknown NtRemoveProcessDebug_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRemoveProcessDebug_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRemoveProcessDebug_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRemoveProcessDebug_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRemoveProcessDebug_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRemoveProcessDebug_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRemoveProcessDebug_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRemoveProcessDebug_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRemoveProcessDebug_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRemoveProcessDebug_SystemCall_10_0_18363 jmp NtRemoveProcessDebug_SystemCall_Unknown NtRemoveProcessDebug_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00e5h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0137h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0132h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0132h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 013ah jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 013ah jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 014eh jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0151h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0157h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 015ah jmp NtRemoveProcessDebug_Epilogue 
NtRemoveProcessDebug_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 015eh jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0164h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0167h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0169h jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 016ah jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 016bh jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 016bh jmp NtRemoveProcessDebug_Epilogue NtRemoveProcessDebug_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRemoveProcessDebug_Epilogue: mov r10, rcx syscall ret NtRemoveProcessDebug ENDP NtRenameKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRenameKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtRenameKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRenameKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRenameKey_Check_10_0_XXXX jmp NtRenameKey_SystemCall_Unknown NtRenameKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRenameKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRenameKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRenameKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRenameKey_SystemCall_6_3_XXXX jmp NtRenameKey_SystemCall_Unknown NtRenameKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtRenameKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRenameKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRenameKey_SystemCall_6_0_6002 jmp NtRenameKey_SystemCall_Unknown NtRenameKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRenameKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRenameKey_SystemCall_6_1_7601 jmp NtRenameKey_SystemCall_Unknown NtRenameKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtRenameKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRenameKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRenameKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRenameKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRenameKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRenameKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRenameKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRenameKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRenameKey_SystemCall_10_0_18363 jmp NtRenameKey_SystemCall_Unknown NtRenameKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00e6h jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0138h jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0133h jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0133h jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 013bh jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 013bh jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 014fh jmp NtRenameKey_Epilogue NtRenameKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0152h jmp 
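NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
    mov eax, 0158h
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
    mov eax, 015bh
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
    mov eax, 015fh
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
    mov eax, 0165h
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
    mov eax, 0168h
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
    mov eax, 016ah
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
    mov eax, 016bh
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
    mov eax, 016ch
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
    mov eax, 016ch
    jmp NtRenameKey_Epilogue
NtRenameKey_SystemCall_Unknown:             ; Unknown/unsupported version.
    ret
NtRenameKey_Epilogue:
    mov r10, rcx
    syscall
    ret
NtRenameKey ENDP

;-----------------------------------------------------------------------
; NtRenameTransactionManager - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtRenameTransactionManager PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtRenameTransactionManager_Check_X_X_XXXX:  ; Check major version.
    cmp dword ptr [rax+118h], 6
    je NtRenameTransactionManager_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtRenameTransactionManager_Check_10_0_XXXX
    jmp NtRenameTransactionManager_SystemCall_Unknown
NtRenameTransactionManager_Check_6_X_XXXX:  ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtRenameTransactionManager_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtRenameTransactionManager_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtRenameTransactionManager_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtRenameTransactionManager_SystemCall_6_3_XXXX
    jmp NtRenameTransactionManager_SystemCall_Unknown
NtRenameTransactionManager_Check_6_0_XXXX:  ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6001
    je NtRenameTransactionManager_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtRenameTransactionManager_SystemCall_6_0_6002
    jmp NtRenameTransactionManager_SystemCall_Unknown
NtRenameTransactionManager_Check_6_1_XXXX:  ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtRenameTransactionManager_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtRenameTransactionManager_SystemCall_6_1_7601
    jmp NtRenameTransactionManager_SystemCall_Unknown
NtRenameTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtRenameTransactionManager_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtRenameTransactionManager_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtRenameTransactionManager_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtRenameTransactionManager_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtRenameTransactionManager_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtRenameTransactionManager_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtRenameTransactionManager_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtRenameTransactionManager_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtRenameTransactionManager_SystemCall_10_0_18363
    jmp NtRenameTransactionManager_SystemCall_Unknown
NtRenameTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0134h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0134h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 013ch
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 013ch
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0150h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0153h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 0159h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 015ch
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0160h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 0166h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 0169h
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 016bh
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 016ch
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 016dh
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 016dh
    jmp NtRenameTransactionManager_Epilogue
NtRenameTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtRenameTransactionManager_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtRenameTransactionManager ENDP

;-----------------------------------------------------------------------
; NtReplaceKey - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtReplaceKey PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtReplaceKey_Check_X_X_XXXX:                ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtReplaceKey_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtReplaceKey_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtReplaceKey_Check_10_0_XXXX
    jmp NtReplaceKey_SystemCall_Unknown
NtReplaceKey_Check_6_X_XXXX:                ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtReplaceKey_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtReplaceKey_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtReplaceKey_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtReplaceKey_SystemCall_6_3_XXXX
    jmp NtReplaceKey_SystemCall_Unknown
NtReplaceKey_Check_6_0_XXXX:                ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtReplaceKey_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtReplaceKey_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtReplaceKey_SystemCall_6_0_6002
    jmp NtReplaceKey_SystemCall_Unknown
NtReplaceKey_Check_6_1_XXXX:                ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtReplaceKey_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtReplaceKey_SystemCall_6_1_7601
    jmp NtReplaceKey_SystemCall_Unknown
NtReplaceKey_Check_10_0_XXXX:               ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtReplaceKey_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtReplaceKey_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtReplaceKey_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtReplaceKey_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtReplaceKey_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtReplaceKey_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtReplaceKey_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtReplaceKey_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtReplaceKey_SystemCall_10_0_18363
    jmp NtReplaceKey_SystemCall_Unknown
NtReplaceKey_SystemCall_5_X_XXXX:           ; Windows XP and Server 2003
    mov eax, 00e7h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_0_6000:           ; Windows Vista SP0
    mov eax, 0139h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_0_6001:           ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0135h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_0_6002:           ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0135h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_1_7600:           ; Windows 7 SP0
    mov eax, 013dh
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_1_7601:           ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 013dh
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_2_XXXX:           ; Windows 8 and Server 2012
    mov eax, 0151h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_6_3_XXXX:           ; Windows 8.1 and Server 2012 R2
    mov eax, 0154h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_10240:         ; Windows 10.0.10240 (1507)
    mov eax, 015ah
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
    mov eax, 015dh
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
    mov eax, 0161h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
    mov eax, 0167h
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
    mov eax, 016ah
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
    mov eax, 016ch
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
    mov eax, 016dh
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
    mov eax, 016eh
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
    mov eax, 016eh
    jmp NtReplaceKey_Epilogue
NtReplaceKey_SystemCall_Unknown:            ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtReplaceKey_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtReplaceKey ENDP

;-----------------------------------------------------------------------
; NtReplacePartitionUnit - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtReplacePartitionUnit PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtReplacePartitionUnit_Check_X_X_XXXX:      ; Check major version.
    cmp dword ptr [rax+118h], 6
    je NtReplacePartitionUnit_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtReplacePartitionUnit_Check_10_0_XXXX
    jmp NtReplacePartitionUnit_SystemCall_Unknown
NtReplacePartitionUnit_Check_6_X_XXXX:      ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtReplacePartitionUnit_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtReplacePartitionUnit_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtReplacePartitionUnit_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtReplacePartitionUnit_SystemCall_6_3_XXXX
    jmp NtReplacePartitionUnit_SystemCall_Unknown
NtReplacePartitionUnit_Check_6_0_XXXX:      ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6001
    je NtReplacePartitionUnit_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtReplacePartitionUnit_SystemCall_6_0_6002
    jmp NtReplacePartitionUnit_SystemCall_Unknown
NtReplacePartitionUnit_Check_6_1_XXXX:      ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtReplacePartitionUnit_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtReplacePartitionUnit_SystemCall_6_1_7601
    jmp NtReplacePartitionUnit_SystemCall_Unknown
NtReplacePartitionUnit_Check_10_0_XXXX:     ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtReplacePartitionUnit_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtReplacePartitionUnit_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtReplacePartitionUnit_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtReplacePartitionUnit_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtReplacePartitionUnit_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtReplacePartitionUnit_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtReplacePartitionUnit_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtReplacePartitionUnit_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtReplacePartitionUnit_SystemCall_10_0_18363
    jmp NtReplacePartitionUnit_SystemCall_Unknown
NtReplacePartitionUnit_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0136h
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0136h
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 013eh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 013eh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0152h
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0155h
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 015bh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 015eh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0162h
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 0168h
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 016bh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 016dh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 016eh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 016fh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 016fh
    jmp NtReplacePartitionUnit_Epilogue
NtReplacePartitionUnit_SystemCall_Unknown:  ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtReplacePartitionUnit_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtReplacePartitionUnit ENDP

;-----------------------------------------------------------------------
; NtReplyPort - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtReplyPort PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtReplyPort_Check_X_X_XXXX:                 ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtReplyPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtReplyPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtReplyPort_Check_10_0_XXXX
    jmp NtReplyPort_SystemCall_Unknown
NtReplyPort_Check_6_X_XXXX:                 ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtReplyPort_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtReplyPort_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtReplyPort_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtReplyPort_SystemCall_6_3_XXXX
    jmp NtReplyPort_SystemCall_Unknown
NtReplyPort_Check_6_0_XXXX:                 ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtReplyPort_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtReplyPort_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtReplyPort_SystemCall_6_0_6002
    jmp NtReplyPort_SystemCall_Unknown
NtReplyPort_Check_6_1_XXXX:                 ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtReplyPort_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtReplyPort_SystemCall_6_1_7601
    jmp NtReplyPort_SystemCall_Unknown
NtReplyPort_Check_10_0_XXXX:                ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtReplyPort_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtReplyPort_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtReplyPort_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtReplyPort_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtReplyPort_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtReplyPort_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtReplyPort_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtReplyPort_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtReplyPort_SystemCall_10_0_18363
    jmp NtReplyPort_SystemCall_Unknown
NtReplyPort_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
    mov eax, 0009h
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_0_6000:            ; Windows Vista SP0
    mov eax, 0009h
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0009h
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0009h
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_1_7600:            ; Windows 7 SP0
    mov eax, 0009h
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0009h
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
    mov eax, 000ah
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
    mov eax, 000bh
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
    mov eax, 000ch
    jmp NtReplyPort_Epilogue
NtReplyPort_SystemCall_Unknown:             ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtReplyPort_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtReplyPort ENDP

;-----------------------------------------------------------------------
; NtReplyWaitReceivePort - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtReplyWaitReceivePort PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtReplyWaitReceivePort_Check_X_X_XXXX:      ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtReplyWaitReceivePort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtReplyWaitReceivePort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtReplyWaitReceivePort_Check_10_0_XXXX
    jmp NtReplyWaitReceivePort_SystemCall_Unknown
NtReplyWaitReceivePort_Check_6_X_XXXX:      ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtReplyWaitReceivePort_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtReplyWaitReceivePort_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtReplyWaitReceivePort_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtReplyWaitReceivePort_SystemCall_6_3_XXXX
    jmp NtReplyWaitReceivePort_SystemCall_Unknown
NtReplyWaitReceivePort_Check_6_0_XXXX:      ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtReplyWaitReceivePort_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtReplyWaitReceivePort_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtReplyWaitReceivePort_SystemCall_6_0_6002
    jmp NtReplyWaitReceivePort_SystemCall_Unknown
NtReplyWaitReceivePort_Check_6_1_XXXX:      ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtReplyWaitReceivePort_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtReplyWaitReceivePort_SystemCall_6_1_7601
    jmp NtReplyWaitReceivePort_SystemCall_Unknown
NtReplyWaitReceivePort_Check_10_0_XXXX:     ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtReplyWaitReceivePort_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtReplyWaitReceivePort_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtReplyWaitReceivePort_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtReplyWaitReceivePort_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtReplyWaitReceivePort_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtReplyWaitReceivePort_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtReplyWaitReceivePort_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtReplyWaitReceivePort_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtReplyWaitReceivePort_SystemCall_10_0_18363
    jmp NtReplyWaitReceivePort_SystemCall_Unknown
NtReplyWaitReceivePort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 0008h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 0008h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0008h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0008h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 0008h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0008h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0009h
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 000ah
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 000bh
    jmp NtReplyWaitReceivePort_Epilogue
NtReplyWaitReceivePort_SystemCall_Unknown:  ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtReplyWaitReceivePort_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtReplyWaitReceivePort ENDP

;-----------------------------------------------------------------------
; NtReplyWaitReceivePortEx - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtReplyWaitReceivePortEx PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtReplyWaitReceivePortEx_Check_X_X_XXXX:    ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtReplyWaitReceivePortEx_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtReplyWaitReceivePortEx_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtReplyWaitReceivePortEx_Check_10_0_XXXX
    jmp NtReplyWaitReceivePortEx_SystemCall_Unknown
NtReplyWaitReceivePortEx_Check_6_X_XXXX:    ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtReplyWaitReceivePortEx_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtReplyWaitReceivePortEx_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtReplyWaitReceivePortEx_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtReplyWaitReceivePortEx_SystemCall_6_3_XXXX
    jmp NtReplyWaitReceivePortEx_SystemCall_Unknown
NtReplyWaitReceivePortEx_Check_6_0_XXXX:    ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtReplyWaitReceivePortEx_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtReplyWaitReceivePortEx_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtReplyWaitReceivePortEx_SystemCall_6_0_6002
    jmp NtReplyWaitReceivePortEx_SystemCall_Unknown
NtReplyWaitReceivePortEx_Check_6_1_XXXX:    ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtReplyWaitReceivePortEx_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtReplyWaitReceivePortEx_SystemCall_6_1_7601
    jmp NtReplyWaitReceivePortEx_SystemCall_Unknown
NtReplyWaitReceivePortEx_Check_10_0_XXXX:   ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtReplyWaitReceivePortEx_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtReplyWaitReceivePortEx_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtReplyWaitReceivePortEx_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtReplyWaitReceivePortEx_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtReplyWaitReceivePortEx_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtReplyWaitReceivePortEx_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtReplyWaitReceivePortEx_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtReplyWaitReceivePortEx_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtReplyWaitReceivePortEx_SystemCall_10_0_18363
    jmp NtReplyWaitReceivePortEx_SystemCall_Unknown
NtReplyWaitReceivePortEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 0028h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 0028h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0028h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0028h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 0028h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0028h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0029h
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 002ah
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 002bh
    jmp NtReplyWaitReceivePortEx_Epilogue
NtReplyWaitReceivePortEx_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtReplyWaitReceivePortEx_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtReplyWaitReceivePortEx ENDP

;-----------------------------------------------------------------------
; NtReplyWaitReplyPort - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtReplyWaitReplyPort PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtReplyWaitReplyPort_Check_X_X_XXXX:        ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtReplyWaitReplyPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtReplyWaitReplyPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtReplyWaitReplyPort_Check_10_0_XXXX
    jmp NtReplyWaitReplyPort_SystemCall_Unknown
NtReplyWaitReplyPort_Check_6_X_XXXX:        ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtReplyWaitReplyPort_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtReplyWaitReplyPort_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtReplyWaitReplyPort_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtReplyWaitReplyPort_SystemCall_6_3_XXXX
    jmp NtReplyWaitReplyPort_SystemCall_Unknown
NtReplyWaitReplyPort_Check_6_0_XXXX:        ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtReplyWaitReplyPort_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtReplyWaitReplyPort_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtReplyWaitReplyPort_SystemCall_6_0_6002
    jmp NtReplyWaitReplyPort_SystemCall_Unknown
NtReplyWaitReplyPort_Check_6_1_XXXX:        ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtReplyWaitReplyPort_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtReplyWaitReplyPort_SystemCall_6_1_7601
    jmp NtReplyWaitReplyPort_SystemCall_Unknown
NtReplyWaitReplyPort_Check_10_0_XXXX:       ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtReplyWaitReplyPort_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtReplyWaitReplyPort_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtReplyWaitReplyPort_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtReplyWaitReplyPort_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtReplyWaitReplyPort_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtReplyWaitReplyPort_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtReplyWaitReplyPort_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtReplyWaitReplyPort_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtReplyWaitReplyPort_SystemCall_10_0_18363
    jmp NtReplyWaitReplyPort_SystemCall_Unknown
NtReplyWaitReplyPort_SystemCall_5_X_XXXX:   ; Windows XP and Server 2003
    mov eax, 00e8h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_0_6000:   ; Windows Vista SP0
    mov eax, 013ah
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0137h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0137h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_1_7600:   ; Windows 7 SP0
    mov eax, 013fh
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 013fh
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
    mov eax, 0153h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
    mov eax, 0156h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 015ch
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 015fh
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0163h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 0169h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 016ch
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 016eh
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 016fh
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0170h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0170h
    jmp NtReplyWaitReplyPort_Epilogue
NtReplyWaitReplyPort_SystemCall_Unknown:    ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtReplyWaitReplyPort_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtReplyWaitReplyPort ENDP

;-----------------------------------------------------------------------
; NtRequestDeviceWakeup - direct syscall stub, Microsoft x64 ABI.
; Only Windows XP/2003 and Vista/Server 2008 builds have numbers here;
; every other version takes the Unknown path.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtRequestDeviceWakeup PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtRequestDeviceWakeup_Check_X_X_XXXX:       ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtRequestDeviceWakeup_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtRequestDeviceWakeup_Check_6_X_XXXX
    jmp NtRequestDeviceWakeup_SystemCall_Unknown
NtRequestDeviceWakeup_Check_6_X_XXXX:       ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtRequestDeviceWakeup_Check_6_0_XXXX
    jmp NtRequestDeviceWakeup_SystemCall_Unknown
NtRequestDeviceWakeup_Check_6_0_XXXX:       ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtRequestDeviceWakeup_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtRequestDeviceWakeup_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtRequestDeviceWakeup_SystemCall_6_0_6002
    jmp NtRequestDeviceWakeup_SystemCall_Unknown
NtRequestDeviceWakeup_SystemCall_5_X_XXXX:  ; Windows XP and Server 2003
    mov eax, 00e9h
    jmp NtRequestDeviceWakeup_Epilogue
NtRequestDeviceWakeup_SystemCall_6_0_6000:  ; Windows Vista SP0
    mov eax, 013bh
    jmp NtRequestDeviceWakeup_Epilogue
NtRequestDeviceWakeup_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0138h
    jmp NtRequestDeviceWakeup_Epilogue
NtRequestDeviceWakeup_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0138h
    jmp NtRequestDeviceWakeup_Epilogue
NtRequestDeviceWakeup_SystemCall_Unknown:   ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtRequestDeviceWakeup_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtRequestDeviceWakeup ENDP

;-----------------------------------------------------------------------
; NtRequestPort - direct syscall stub, Microsoft x64 ABI.
; Selects the syscall number from the OS version fields of the PEB, then
; issues it with the caller's arguments untouched (rcx is copied to r10
; because the syscall instruction overwrites rcx and r11).
; Out: eax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;      running version has no known number.
;-----------------------------------------------------------------------
NtRequestPort PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtRequestPort_Check_X_X_XXXX:               ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtRequestPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtRequestPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtRequestPort_Check_10_0_XXXX
    jmp NtRequestPort_SystemCall_Unknown
NtRequestPort_Check_6_X_XXXX:               ; Check minor version for Windows Vista/7/8.
    cmp dword ptr [rax+11ch], 0
    je NtRequestPort_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtRequestPort_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtRequestPort_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 2             ; NOTE(review): same value as the compare above, so the 6.3 branch below is unreachable.
    je NtRequestPort_SystemCall_6_3_XXXX
    jmp NtRequestPort_SystemCall_Unknown
NtRequestPort_Check_6_0_XXXX:               ; Check build number for Windows Vista.
                                            ; NOTE(review): the build number is presumably a 16-bit PEB field; a dword
                                            ; compare also takes in the following 16 bits - confirm against the PEB layout.
    cmp dword ptr [rax+120h], 6000
    je NtRequestPort_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtRequestPort_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtRequestPort_SystemCall_6_0_6002
    jmp NtRequestPort_SystemCall_Unknown
NtRequestPort_Check_6_1_XXXX:               ; Check build number for Windows 7.
    cmp dword ptr [rax+120h], 7600
    je NtRequestPort_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtRequestPort_SystemCall_6_1_7601
    jmp NtRequestPort_SystemCall_Unknown
NtRequestPort_Check_10_0_XXXX:              ; Check build number for Windows 10.
    cmp dword ptr [rax+120h], 10240
    je NtRequestPort_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtRequestPort_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtRequestPort_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtRequestPort_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtRequestPort_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtRequestPort_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtRequestPort_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtRequestPort_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtRequestPort_SystemCall_10_0_18363
    jmp NtRequestPort_SystemCall_Unknown
NtRequestPort_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
    mov eax, 00eah
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_0_6000:          ; Windows Vista SP0
    mov eax, 013ch
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0139h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0139h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_1_7600:          ; Windows 7 SP0
    mov eax, 0140h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0140h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
    mov eax, 0154h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
    mov eax, 0157h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
    mov eax, 015dh
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
    mov eax, 0160h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
    mov eax, 0164h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
    mov eax, 016ah
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
    mov eax, 016dh
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
    mov eax, 016fh
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
    mov eax, 0170h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
    mov eax, 0171h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
    mov eax, 0171h
    jmp NtRequestPort_Epilogue
NtRequestPort_SystemCall_Unknown:           ; Unknown/unsupported version.
    mov eax, 0C0000002h                     ; STATUS_NOT_IMPLEMENTED: fail explicitly instead of returning the PEB pointer left in rax.
    ret
NtRequestPort_Epilogue:
    mov r10, rcx                            ; syscall clobbers rcx; r10 carries the first argument.
    syscall
    ret
NtRequestPort ENDP

NtRequestWaitReplyPort PROC
    mov rax, gs:[60h]                       ; Load PEB into RAX.
NtRequestWaitReplyPort_Check_X_X_XXXX:      ; Check major version.
    cmp dword ptr [rax+118h], 5
    je NtRequestWaitReplyPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtRequestWaitReplyPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtRequestWaitReplyPort_Check_10_0_XXXX
    jmp NtRequestWaitReplyPort_SystemCall_Unknown
NtRequestWaitReplyPort_Check_6_X_XXXX:      ; Check minor version for Windows Vista/7/8.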
cmp dword ptr [rax+11ch], 0 je NtRequestWaitReplyPort_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRequestWaitReplyPort_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRequestWaitReplyPort_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRequestWaitReplyPort_SystemCall_6_3_XXXX jmp NtRequestWaitReplyPort_SystemCall_Unknown NtRequestWaitReplyPort_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRequestWaitReplyPort_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRequestWaitReplyPort_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRequestWaitReplyPort_SystemCall_6_0_6002 jmp NtRequestWaitReplyPort_SystemCall_Unknown NtRequestWaitReplyPort_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRequestWaitReplyPort_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRequestWaitReplyPort_SystemCall_6_1_7601 jmp NtRequestWaitReplyPort_SystemCall_Unknown NtRequestWaitReplyPort_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRequestWaitReplyPort_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRequestWaitReplyPort_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRequestWaitReplyPort_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRequestWaitReplyPort_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRequestWaitReplyPort_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRequestWaitReplyPort_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRequestWaitReplyPort_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRequestWaitReplyPort_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRequestWaitReplyPort_SystemCall_10_0_18363 jmp NtRequestWaitReplyPort_SystemCall_Unknown NtRequestWaitReplyPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 001fh jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 001fh jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 001fh jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 001fh jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 001fh jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 001fh jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0020h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0021h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0022h jmp 
NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0022h jmp NtRequestWaitReplyPort_Epilogue NtRequestWaitReplyPort_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRequestWaitReplyPort_Epilogue: mov r10, rcx syscall ret NtRequestWaitReplyPort ENDP NtRequestWakeupLatency PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRequestWakeupLatency_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtRequestWakeupLatency_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRequestWakeupLatency_Check_6_X_XXXX jmp NtRequestWakeupLatency_SystemCall_Unknown NtRequestWakeupLatency_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRequestWakeupLatency_Check_6_0_XXXX jmp NtRequestWakeupLatency_SystemCall_Unknown NtRequestWakeupLatency_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtRequestWakeupLatency_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRequestWakeupLatency_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRequestWakeupLatency_SystemCall_6_0_6002 jmp NtRequestWakeupLatency_SystemCall_Unknown NtRequestWakeupLatency_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00ebh jmp NtRequestWakeupLatency_Epilogue NtRequestWakeupLatency_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 013dh jmp NtRequestWakeupLatency_Epilogue NtRequestWakeupLatency_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 013ah jmp NtRequestWakeupLatency_Epilogue NtRequestWakeupLatency_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 013ah jmp NtRequestWakeupLatency_Epilogue NtRequestWakeupLatency_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRequestWakeupLatency_Epilogue: mov r10, rcx syscall ret NtRequestWakeupLatency ENDP NtResetEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtResetEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtResetEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtResetEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtResetEvent_Check_10_0_XXXX jmp NtResetEvent_SystemCall_Unknown NtResetEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtResetEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtResetEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtResetEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtResetEvent_SystemCall_6_3_XXXX jmp NtResetEvent_SystemCall_Unknown NtResetEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtResetEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtResetEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtResetEvent_SystemCall_6_0_6002 jmp NtResetEvent_SystemCall_Unknown NtResetEvent_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtResetEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtResetEvent_SystemCall_6_1_7601 jmp NtResetEvent_SystemCall_Unknown NtResetEvent_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtResetEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtResetEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtResetEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtResetEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtResetEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtResetEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtResetEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtResetEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtResetEvent_SystemCall_10_0_18363 jmp NtResetEvent_SystemCall_Unknown NtResetEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00ech jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 013eh jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 013bh jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 013bh jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0141h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0141h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0155h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and 
Server 2012 R2 mov eax, 0158h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 015eh jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0161h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0165h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 016bh jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 016eh jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0170h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0171h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0172h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0172h jmp NtResetEvent_Epilogue NtResetEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtResetEvent_Epilogue: mov r10, rcx syscall ret NtResetEvent ENDP NtResetWriteWatch PROC mov rax, gs:[60h] ; Load PEB into RAX. NtResetWriteWatch_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtResetWriteWatch_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtResetWriteWatch_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtResetWriteWatch_Check_10_0_XXXX jmp NtResetWriteWatch_SystemCall_Unknown NtResetWriteWatch_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtResetWriteWatch_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtResetWriteWatch_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtResetWriteWatch_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtResetWriteWatch_SystemCall_6_3_XXXX jmp NtResetWriteWatch_SystemCall_Unknown NtResetWriteWatch_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtResetWriteWatch_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtResetWriteWatch_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtResetWriteWatch_SystemCall_6_0_6002 jmp NtResetWriteWatch_SystemCall_Unknown NtResetWriteWatch_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtResetWriteWatch_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtResetWriteWatch_SystemCall_6_1_7601 jmp NtResetWriteWatch_SystemCall_Unknown NtResetWriteWatch_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtResetWriteWatch_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtResetWriteWatch_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtResetWriteWatch_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtResetWriteWatch_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtResetWriteWatch_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtResetWriteWatch_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtResetWriteWatch_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtResetWriteWatch_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtResetWriteWatch_SystemCall_10_0_18363 jmp NtResetWriteWatch_SystemCall_Unknown NtResetWriteWatch_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00edh jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 013fh jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 013ch jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 013ch jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0142h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0142h jmp NtResetWriteWatch_Epilogue 
NtResetWriteWatch_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0156h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0159h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 015fh jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0162h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0166h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 016ch jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 016fh jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0171h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0172h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0173h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0173h jmp NtResetWriteWatch_Epilogue NtResetWriteWatch_SystemCall_Unknown: ; Unknown/unsupported version. ret NtResetWriteWatch_Epilogue: mov r10, rcx syscall ret NtResetWriteWatch ENDP NtRestoreKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRestoreKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtRestoreKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtRestoreKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRestoreKey_Check_10_0_XXXX jmp NtRestoreKey_SystemCall_Unknown NtRestoreKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtRestoreKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRestoreKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRestoreKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRestoreKey_SystemCall_6_3_XXXX jmp NtRestoreKey_SystemCall_Unknown NtRestoreKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRestoreKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRestoreKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRestoreKey_SystemCall_6_0_6002 jmp NtRestoreKey_SystemCall_Unknown NtRestoreKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRestoreKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRestoreKey_SystemCall_6_1_7601 jmp NtRestoreKey_SystemCall_Unknown NtRestoreKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtRestoreKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRestoreKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRestoreKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRestoreKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRestoreKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRestoreKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRestoreKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRestoreKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRestoreKey_SystemCall_10_0_18363 jmp NtRestoreKey_SystemCall_Unknown NtRestoreKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00eeh jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0140h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 013dh jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 013dh jmp NtRestoreKey_Epilogue 
NtRestoreKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0143h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0143h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0157h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 015ah jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0160h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0163h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0167h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 016dh jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0170h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0172h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0173h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0174h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0174h jmp NtRestoreKey_Epilogue NtRestoreKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRestoreKey_Epilogue: mov r10, rcx syscall ret NtRestoreKey ENDP NtResumeProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtResumeProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtResumeProcess_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtResumeProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtResumeProcess_Check_10_0_XXXX jmp NtResumeProcess_SystemCall_Unknown NtResumeProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtResumeProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtResumeProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtResumeProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtResumeProcess_SystemCall_6_3_XXXX jmp NtResumeProcess_SystemCall_Unknown NtResumeProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtResumeProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtResumeProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtResumeProcess_SystemCall_6_0_6002 jmp NtResumeProcess_SystemCall_Unknown NtResumeProcess_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtResumeProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtResumeProcess_SystemCall_6_1_7601 jmp NtResumeProcess_SystemCall_Unknown NtResumeProcess_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtResumeProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtResumeProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtResumeProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtResumeProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtResumeProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtResumeProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtResumeProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtResumeProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtResumeProcess_SystemCall_10_0_18363 jmp NtResumeProcess_SystemCall_Unknown NtResumeProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00efh jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0141h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 013eh jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_0_6002: 
; Windows Vista SP2 and Server 2008 SP2 mov eax, 013eh jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0144h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0144h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0158h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 015bh jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0161h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0164h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0168h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 016eh jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0171h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0173h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0174h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0175h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0175h jmp NtResumeProcess_Epilogue NtResumeProcess_SystemCall_Unknown: ; Unknown/unsupported version. ret NtResumeProcess_Epilogue: mov r10, rcx syscall ret NtResumeProcess ENDP NtResumeThread PROC mov rax, gs:[60h] ; Load PEB into RAX. NtResumeThread_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtResumeThread_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtResumeThread_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtResumeThread_Check_10_0_XXXX jmp NtResumeThread_SystemCall_Unknown NtResumeThread_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtResumeThread_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtResumeThread_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtResumeThread_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtResumeThread_SystemCall_6_3_XXXX jmp NtResumeThread_SystemCall_Unknown NtResumeThread_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtResumeThread_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtResumeThread_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtResumeThread_SystemCall_6_0_6002 jmp NtResumeThread_SystemCall_Unknown NtResumeThread_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtResumeThread_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtResumeThread_SystemCall_6_1_7601 jmp NtResumeThread_SystemCall_Unknown NtResumeThread_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtResumeThread_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtResumeThread_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtResumeThread_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtResumeThread_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtResumeThread_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtResumeThread_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtResumeThread_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtResumeThread_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtResumeThread_SystemCall_10_0_18363 jmp NtResumeThread_SystemCall_Unknown NtResumeThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 004fh jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 004fh jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 004fh jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 004fh jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 004fh jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 004fh jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0050h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0051h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0052h jmp NtResumeThread_Epilogue 
NtResumeThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0052h jmp NtResumeThread_Epilogue NtResumeThread_SystemCall_Unknown: ; Unknown/unsupported version. ret NtResumeThread_Epilogue: mov r10, rcx syscall ret NtResumeThread ENDP NtRevertContainerImpersonation PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRevertContainerImpersonation_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtRevertContainerImpersonation_Check_10_0_XXXX jmp NtRevertContainerImpersonation_SystemCall_Unknown NtRevertContainerImpersonation_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRevertContainerImpersonation_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRevertContainerImpersonation_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRevertContainerImpersonation_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRevertContainerImpersonation_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRevertContainerImpersonation_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRevertContainerImpersonation_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRevertContainerImpersonation_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRevertContainerImpersonation_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRevertContainerImpersonation_SystemCall_10_0_18363 jmp NtRevertContainerImpersonation_SystemCall_Unknown NtRevertContainerImpersonation_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0162h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0165h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0169h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 016fh jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0172h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0174h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0175h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0176h jmp NtRevertContainerImpersonation_Epilogue 
NtRevertContainerImpersonation_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0176h jmp NtRevertContainerImpersonation_Epilogue NtRevertContainerImpersonation_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRevertContainerImpersonation_Epilogue: mov r10, rcx syscall ret NtRevertContainerImpersonation ENDP NtRollbackComplete PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRollbackComplete_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtRollbackComplete_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRollbackComplete_Check_10_0_XXXX jmp NtRollbackComplete_SystemCall_Unknown NtRollbackComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRollbackComplete_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRollbackComplete_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRollbackComplete_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRollbackComplete_SystemCall_6_3_XXXX jmp NtRollbackComplete_SystemCall_Unknown NtRollbackComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRollbackComplete_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRollbackComplete_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRollbackComplete_SystemCall_6_0_6002 jmp NtRollbackComplete_SystemCall_Unknown NtRollbackComplete_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRollbackComplete_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRollbackComplete_SystemCall_6_1_7601 jmp NtRollbackComplete_SystemCall_Unknown NtRollbackComplete_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRollbackComplete_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRollbackComplete_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRollbackComplete_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRollbackComplete_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRollbackComplete_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRollbackComplete_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRollbackComplete_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRollbackComplete_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRollbackComplete_SystemCall_10_0_18363 jmp NtRollbackComplete_SystemCall_Unknown NtRollbackComplete_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0142h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 013fh jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 013fh jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0145h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0145h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0159h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 015ch jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0163h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0166h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 016ah jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0170h jmp 
NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0173h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0175h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0176h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0177h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0177h jmp NtRollbackComplete_Epilogue NtRollbackComplete_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRollbackComplete_Epilogue: mov r10, rcx syscall ret NtRollbackComplete ENDP NtRollbackEnlistment PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRollbackEnlistment_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtRollbackEnlistment_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRollbackEnlistment_Check_10_0_XXXX jmp NtRollbackEnlistment_SystemCall_Unknown NtRollbackEnlistment_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRollbackEnlistment_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRollbackEnlistment_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRollbackEnlistment_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRollbackEnlistment_SystemCall_6_3_XXXX jmp NtRollbackEnlistment_SystemCall_Unknown NtRollbackEnlistment_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRollbackEnlistment_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRollbackEnlistment_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRollbackEnlistment_SystemCall_6_0_6002 jmp NtRollbackEnlistment_SystemCall_Unknown NtRollbackEnlistment_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtRollbackEnlistment_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRollbackEnlistment_SystemCall_6_1_7601 jmp NtRollbackEnlistment_SystemCall_Unknown NtRollbackEnlistment_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtRollbackEnlistment_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRollbackEnlistment_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRollbackEnlistment_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRollbackEnlistment_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRollbackEnlistment_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRollbackEnlistment_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRollbackEnlistment_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRollbackEnlistment_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRollbackEnlistment_SystemCall_10_0_18363 jmp NtRollbackEnlistment_SystemCall_Unknown NtRollbackEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0143h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0140h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0140h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0146h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0146h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 015ah jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 015dh jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0164h jmp NtRollbackEnlistment_Epilogue 
NtRollbackEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0167h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 016bh jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0171h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0174h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0176h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0177h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0178h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0178h jmp NtRollbackEnlistment_Epilogue NtRollbackEnlistment_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRollbackEnlistment_Epilogue: mov r10, rcx syscall ret NtRollbackEnlistment ENDP NtRollbackRegistryTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRollbackRegistryTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 10 je NtRollbackRegistryTransaction_Check_10_0_XXXX jmp NtRollbackRegistryTransaction_SystemCall_Unknown NtRollbackRegistryTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 14393 je NtRollbackRegistryTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRollbackRegistryTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRollbackRegistryTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRollbackRegistryTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRollbackRegistryTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRollbackRegistryTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRollbackRegistryTransaction_SystemCall_10_0_18363 jmp NtRollbackRegistryTransaction_SystemCall_Unknown NtRollbackRegistryTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 016ch jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0172h jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0175h jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0177h jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0178h jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0179h jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0179h jmp NtRollbackRegistryTransaction_Epilogue NtRollbackRegistryTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRollbackRegistryTransaction_Epilogue: mov r10, rcx syscall ret NtRollbackRegistryTransaction ENDP NtRollbackSavepointTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRollbackSavepointTransaction_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtRollbackSavepointTransaction_Check_6_X_XXXX jmp NtRollbackSavepointTransaction_SystemCall_Unknown NtRollbackSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRollbackSavepointTransaction_Check_6_0_XXXX jmp NtRollbackSavepointTransaction_SystemCall_Unknown NtRollbackSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRollbackSavepointTransaction_SystemCall_6_0_6000 jmp NtRollbackSavepointTransaction_SystemCall_Unknown NtRollbackSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0144h jmp NtRollbackSavepointTransaction_Epilogue NtRollbackSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRollbackSavepointTransaction_Epilogue: mov r10, rcx syscall ret NtRollbackSavepointTransaction ENDP NtRollbackTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRollbackTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtRollbackTransaction_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRollbackTransaction_Check_10_0_XXXX jmp NtRollbackTransaction_SystemCall_Unknown NtRollbackTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtRollbackTransaction_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRollbackTransaction_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRollbackTransaction_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRollbackTransaction_SystemCall_6_3_XXXX jmp NtRollbackTransaction_SystemCall_Unknown NtRollbackTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtRollbackTransaction_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRollbackTransaction_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRollbackTransaction_SystemCall_6_0_6002 jmp NtRollbackTransaction_SystemCall_Unknown NtRollbackTransaction_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRollbackTransaction_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRollbackTransaction_SystemCall_6_1_7601 jmp NtRollbackTransaction_SystemCall_Unknown NtRollbackTransaction_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtRollbackTransaction_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRollbackTransaction_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRollbackTransaction_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRollbackTransaction_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRollbackTransaction_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRollbackTransaction_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRollbackTransaction_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRollbackTransaction_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRollbackTransaction_SystemCall_10_0_18363 jmp NtRollbackTransaction_SystemCall_Unknown NtRollbackTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0145h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0141h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0141h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0147h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0147h jmp NtRollbackTransaction_Epilogue 
NtRollbackTransaction_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 015bh jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 015eh jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0165h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0168h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 016dh jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0173h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0176h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0178h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0179h jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 017ah jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 017ah jmp NtRollbackTransaction_Epilogue NtRollbackTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRollbackTransaction_Epilogue: mov r10, rcx syscall ret NtRollbackTransaction ENDP NtRollforwardTransactionManager PROC mov rax, gs:[60h] ; Load PEB into RAX. NtRollforwardTransactionManager_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtRollforwardTransactionManager_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtRollforwardTransactionManager_Check_10_0_XXXX jmp NtRollforwardTransactionManager_SystemCall_Unknown NtRollforwardTransactionManager_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtRollforwardTransactionManager_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtRollforwardTransactionManager_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtRollforwardTransactionManager_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtRollforwardTransactionManager_SystemCall_6_3_XXXX jmp NtRollforwardTransactionManager_SystemCall_Unknown NtRollforwardTransactionManager_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtRollforwardTransactionManager_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtRollforwardTransactionManager_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtRollforwardTransactionManager_SystemCall_6_0_6002 jmp NtRollforwardTransactionManager_SystemCall_Unknown NtRollforwardTransactionManager_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtRollforwardTransactionManager_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtRollforwardTransactionManager_SystemCall_6_1_7601 jmp NtRollforwardTransactionManager_SystemCall_Unknown NtRollforwardTransactionManager_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtRollforwardTransactionManager_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtRollforwardTransactionManager_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtRollforwardTransactionManager_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtRollforwardTransactionManager_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtRollforwardTransactionManager_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtRollforwardTransactionManager_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtRollforwardTransactionManager_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtRollforwardTransactionManager_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtRollforwardTransactionManager_SystemCall_10_0_18363 jmp NtRollforwardTransactionManager_SystemCall_Unknown NtRollforwardTransactionManager_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0146h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0142h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0142h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0148h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0148h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 015ch jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 015fh jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0166h jmp 
NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0169h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 016eh jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0174h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0177h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0179h jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 017ah jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 017bh jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 017bh jmp NtRollforwardTransactionManager_Epilogue NtRollforwardTransactionManager_SystemCall_Unknown: ; Unknown/unsupported version. ret NtRollforwardTransactionManager_Epilogue: mov r10, rcx syscall ret NtRollforwardTransactionManager ENDP NtSaveKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSaveKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSaveKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSaveKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSaveKey_Check_10_0_XXXX jmp NtSaveKey_SystemCall_Unknown NtSaveKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSaveKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSaveKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSaveKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSaveKey_SystemCall_6_3_XXXX jmp NtSaveKey_SystemCall_Unknown NtSaveKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSaveKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSaveKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSaveKey_SystemCall_6_0_6002 jmp NtSaveKey_SystemCall_Unknown NtSaveKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSaveKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSaveKey_SystemCall_6_1_7601 jmp NtSaveKey_SystemCall_Unknown NtSaveKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSaveKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSaveKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSaveKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSaveKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSaveKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSaveKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSaveKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSaveKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSaveKey_SystemCall_10_0_18363 jmp NtSaveKey_SystemCall_Unknown NtSaveKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00f0h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0147h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0143h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0143h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0149h jmp NtSaveKey_Epilogue 
NtSaveKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0149h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 015dh jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0160h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0167h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 016ah jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 016fh jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0175h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0178h jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 017ah jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 017bh jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 017ch jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 017ch jmp NtSaveKey_Epilogue NtSaveKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSaveKey_Epilogue: mov r10, rcx syscall ret NtSaveKey ENDP NtSaveKeyEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSaveKeyEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSaveKeyEx_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSaveKeyEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSaveKeyEx_Check_10_0_XXXX jmp NtSaveKeyEx_SystemCall_Unknown NtSaveKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSaveKeyEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSaveKeyEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSaveKeyEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSaveKeyEx_SystemCall_6_3_XXXX jmp NtSaveKeyEx_SystemCall_Unknown NtSaveKeyEx_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSaveKeyEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSaveKeyEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSaveKeyEx_SystemCall_6_0_6002 jmp NtSaveKeyEx_SystemCall_Unknown NtSaveKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSaveKeyEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSaveKeyEx_SystemCall_6_1_7601 jmp NtSaveKeyEx_SystemCall_Unknown NtSaveKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSaveKeyEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSaveKeyEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSaveKeyEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSaveKeyEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSaveKeyEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSaveKeyEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSaveKeyEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSaveKeyEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSaveKeyEx_SystemCall_10_0_18363 jmp NtSaveKeyEx_SystemCall_Unknown NtSaveKeyEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00f1h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0148h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0144h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0144h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_1_7600: ; Windows 7 
SP0 mov eax, 014ah jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 014ah jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 015eh jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0161h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0168h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 016bh jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0170h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0176h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0179h jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 017bh jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 017ch jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 017dh jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 017dh jmp NtSaveKeyEx_Epilogue NtSaveKeyEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSaveKeyEx_Epilogue: mov r10, rcx syscall ret NtSaveKeyEx ENDP NtSaveMergedKeys PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSaveMergedKeys_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSaveMergedKeys_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSaveMergedKeys_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSaveMergedKeys_Check_10_0_XXXX jmp NtSaveMergedKeys_SystemCall_Unknown NtSaveMergedKeys_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSaveMergedKeys_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSaveMergedKeys_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSaveMergedKeys_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSaveMergedKeys_SystemCall_6_3_XXXX jmp NtSaveMergedKeys_SystemCall_Unknown NtSaveMergedKeys_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSaveMergedKeys_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSaveMergedKeys_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSaveMergedKeys_SystemCall_6_0_6002 jmp NtSaveMergedKeys_SystemCall_Unknown NtSaveMergedKeys_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSaveMergedKeys_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSaveMergedKeys_SystemCall_6_1_7601 jmp NtSaveMergedKeys_SystemCall_Unknown NtSaveMergedKeys_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSaveMergedKeys_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSaveMergedKeys_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSaveMergedKeys_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSaveMergedKeys_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSaveMergedKeys_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSaveMergedKeys_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSaveMergedKeys_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSaveMergedKeys_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSaveMergedKeys_SystemCall_10_0_18363 jmp NtSaveMergedKeys_SystemCall_Unknown NtSaveMergedKeys_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00f2h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0149h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0145h jmp NtSaveMergedKeys_Epilogue 
NtSaveMergedKeys_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0145h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 014bh jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 014bh jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 015fh jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0162h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0169h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 016ch jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0171h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0177h jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 017ah jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 017ch jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 017dh jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 017eh jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 017eh jmp NtSaveMergedKeys_Epilogue NtSaveMergedKeys_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSaveMergedKeys_Epilogue: mov r10, rcx syscall ret NtSaveMergedKeys ENDP NtSavepointComplete PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSavepointComplete_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtSavepointComplete_Check_6_X_XXXX jmp NtSavepointComplete_SystemCall_Unknown NtSavepointComplete_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSavepointComplete_Check_6_0_XXXX jmp NtSavepointComplete_SystemCall_Unknown NtSavepointComplete_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSavepointComplete_SystemCall_6_0_6000 jmp NtSavepointComplete_SystemCall_Unknown NtSavepointComplete_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 014ah jmp NtSavepointComplete_Epilogue NtSavepointComplete_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSavepointComplete_Epilogue: mov r10, rcx syscall ret NtSavepointComplete ENDP NtSavepointTransaction PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSavepointTransaction_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSavepointTransaction_Check_6_X_XXXX jmp NtSavepointTransaction_SystemCall_Unknown NtSavepointTransaction_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSavepointTransaction_Check_6_0_XXXX jmp NtSavepointTransaction_SystemCall_Unknown NtSavepointTransaction_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSavepointTransaction_SystemCall_6_0_6000 jmp NtSavepointTransaction_SystemCall_Unknown NtSavepointTransaction_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 014bh jmp NtSavepointTransaction_Epilogue NtSavepointTransaction_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSavepointTransaction_Epilogue: mov r10, rcx syscall ret NtSavepointTransaction ENDP NtSecureConnectPort PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSecureConnectPort_Check_X_X_XXXX: ; Check major version. 
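; ---- NtSecureConnectPort, continued (PROC header and the Check_X_X_XXXX label are on the preceding line) ----
    cmp dword ptr [rax+118h], 5
    je NtSecureConnectPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSecureConnectPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSecureConnectPort_Check_10_0_XXXX
    jmp NtSecureConnectPort_SystemCall_Unknown
NtSecureConnectPort_Check_6_X_XXXX:     ; Dispatch on PEB.OSMinorVersion (Vista/7/8/8.1).
    cmp dword ptr [rax+11ch], 0
    je NtSecureConnectPort_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSecureConnectPort_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSecureConnectPort_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSecureConnectPort_SystemCall_6_3_XXXX
    jmp NtSecureConnectPort_SystemCall_Unknown
NtSecureConnectPort_Check_6_0_XXXX:     ; Dispatch on PEB.OSBuildNumber for Windows Vista.
    cmp word ptr [rax+120h], 6000       ; 16-bit compare: OSBuildNumber is a USHORT; OSCSDVersion at +122h is non-zero on service packs, so a dword compare misses SP1/SP2.
    je NtSecureConnectPort_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtSecureConnectPort_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtSecureConnectPort_SystemCall_6_0_6002
    jmp NtSecureConnectPort_SystemCall_Unknown
NtSecureConnectPort_Check_6_1_XXXX:     ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600
    je NtSecureConnectPort_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSecureConnectPort_SystemCall_6_1_7601
    jmp NtSecureConnectPort_SystemCall_Unknown
NtSecureConnectPort_Check_10_0_XXXX:    ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 10240
    je NtSecureConnectPort_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSecureConnectPort_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSecureConnectPort_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSecureConnectPort_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSecureConnectPort_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSecureConnectPort_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSecureConnectPort_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSecureConnectPort_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSecureConnectPort_SystemCall_10_0_18363
    jmp NtSecureConnectPort_SystemCall_Unknown
NtSecureConnectPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 00f3h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 014ch
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0146h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0146h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 014ch
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 014ch
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0160h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0163h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 016ah
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 016dh
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0172h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 0178h
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 017bh
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 017dh
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 017eh
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 017fh
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 017fh
    jmp NtSecureConnectPort_Epilogue
NtSecureConnectPort_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSecureConnectPort_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSecureConnectPort ENDP

;-----------------------------------------------------------------------
; NtSerializeBoot — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing after 10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The Windows 10 build dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSerializeBoot PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSerializeBoot_Check_X_X_XXXX:         ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 6
    je NtSerializeBoot_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSerializeBoot_Check_10_0_XXXX
    jmp NtSerializeBoot_SystemCall_Unknown
NtSerializeBoot_Check_6_X_XXXX:         ; Dispatch on PEB.OSMinorVersion (7/8/8.1).
    cmp dword ptr [rax+11ch], 1
    je NtSerializeBoot_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSerializeBoot_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSerializeBoot_SystemCall_6_3_XXXX
    jmp NtSerializeBoot_SystemCall_Unknown
NtSerializeBoot_Check_6_1_XXXX:         ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600       ; 16-bit compare: OSCSDVersion at +122h is non-zero on SP1, so a dword compare misses 7601.
    je NtSerializeBoot_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSerializeBoot_SystemCall_6_1_7601
    jmp NtSerializeBoot_SystemCall_Unknown
NtSerializeBoot_Check_10_0_XXXX:        ; Dispatch on PEB.OSBuildNumber for Windows 10 (chain continues on the next line).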
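; ---- NtSerializeBoot, continued (PROC header and the Check_10_0_XXXX label are on the preceding lines) ----
    cmp word ptr [rax+120h], 10240      ; 16-bit compare: OSBuildNumber is a USHORT and OSCSDVersion at +122h shares the dword.
    je NtSerializeBoot_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSerializeBoot_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSerializeBoot_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSerializeBoot_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSerializeBoot_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSerializeBoot_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSerializeBoot_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSerializeBoot_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSerializeBoot_SystemCall_10_0_18363
    jmp NtSerializeBoot_SystemCall_Unknown ; Builds after 18363 are not tabled.
NtSerializeBoot_SystemCall_6_1_7600:    ; Windows 7 SP0
    mov eax, 014dh
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_6_1_7601:    ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 014dh
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_6_2_XXXX:    ; Windows 8 and Server 2012
    mov eax, 0161h
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_6_3_XXXX:    ; Windows 8.1 and Server 2012 R2
    mov eax, 0164h
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_10240:  ; Windows 10.0.10240 (1507)
    mov eax, 016bh
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_10586:  ; Windows 10.0.10586 (1511)
    mov eax, 016eh
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_14393:  ; Windows 10.0.14393 (1607)
    mov eax, 0173h
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_15063:  ; Windows 10.0.15063 (1703)
    mov eax, 0179h
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_16299:  ; Windows 10.0.16299 (1709)
    mov eax, 017ch
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_17134:  ; Windows 10.0.17134 (1803)
    mov eax, 017eh
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_17763:  ; Windows 10.0.17763 (1809)
    mov eax, 017fh
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_18362:  ; Windows 10.0.18362 (1903)
    mov eax, 0180h
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_10_0_18363:  ; Windows 10.0.18363 (1909)
    mov eax, 0180h
    jmp NtSerializeBoot_Epilogue
NtSerializeBoot_SystemCall_Unknown:     ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSerializeBoot_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSerializeBoot ENDP

;-----------------------------------------------------------------------
; NtSetBootEntryOrder — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing after 10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The Windows 10 build dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSetBootEntryOrder PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetBootEntryOrder_Check_X_X_XXXX:     ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 5
    je NtSetBootEntryOrder_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetBootEntryOrder_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetBootEntryOrder_Check_10_0_XXXX
    jmp NtSetBootEntryOrder_SystemCall_Unknown
NtSetBootEntryOrder_Check_6_X_XXXX:     ; Dispatch on PEB.OSMinorVersion (Vista/7/8/8.1).
    cmp dword ptr [rax+11ch], 0
    je NtSetBootEntryOrder_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetBootEntryOrder_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetBootEntryOrder_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSetBootEntryOrder_SystemCall_6_3_XXXX
    jmp NtSetBootEntryOrder_SystemCall_Unknown
NtSetBootEntryOrder_Check_6_0_XXXX:     ; Dispatch on PEB.OSBuildNumber for Windows Vista.
    cmp word ptr [rax+120h], 6000       ; 16-bit compare: OSCSDVersion at +122h is non-zero on service packs, so a dword compare misses SP1/SP2.
    je NtSetBootEntryOrder_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtSetBootEntryOrder_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtSetBootEntryOrder_SystemCall_6_0_6002
    jmp NtSetBootEntryOrder_SystemCall_Unknown
NtSetBootEntryOrder_Check_6_1_XXXX:     ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600
    je NtSetBootEntryOrder_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSetBootEntryOrder_SystemCall_6_1_7601
    jmp NtSetBootEntryOrder_SystemCall_Unknown
NtSetBootEntryOrder_Check_10_0_XXXX:    ; Dispatch on PEB.OSBuildNumber for Windows 10 (chain continues on the next line).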
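; ---- NtSetBootEntryOrder, continued (PROC header and the Check_10_0_XXXX label are on the preceding lines) ----
    cmp word ptr [rax+120h], 10240      ; 16-bit compare: OSBuildNumber is a USHORT and OSCSDVersion at +122h shares the dword.
    je NtSetBootEntryOrder_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSetBootEntryOrder_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSetBootEntryOrder_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetBootEntryOrder_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetBootEntryOrder_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetBootEntryOrder_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetBootEntryOrder_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetBootEntryOrder_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetBootEntryOrder_SystemCall_10_0_18363
    jmp NtSetBootEntryOrder_SystemCall_Unknown ; Builds after 18363 are not tabled.
NtSetBootEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 00f4h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 014dh
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0147h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0147h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 014eh
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 014eh
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0162h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0165h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 016ch
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 016fh
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0174h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 017ah
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 017dh
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 017fh
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0180h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0181h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0181h
    jmp NtSetBootEntryOrder_Epilogue
NtSetBootEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetBootEntryOrder_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetBootEntryOrder ENDP

;-----------------------------------------------------------------------
; NtSetBootOptions — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing after 10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The build-number dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSetBootOptions PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetBootOptions_Check_X_X_XXXX:        ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 5
    je NtSetBootOptions_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetBootOptions_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetBootOptions_Check_10_0_XXXX
    jmp NtSetBootOptions_SystemCall_Unknown
NtSetBootOptions_Check_6_X_XXXX:        ; Dispatch on PEB.OSMinorVersion (Vista/7/8/8.1).
    cmp dword ptr [rax+11ch], 0
    je NtSetBootOptions_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetBootOptions_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetBootOptions_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSetBootOptions_SystemCall_6_3_XXXX
    jmp NtSetBootOptions_SystemCall_Unknown
NtSetBootOptions_Check_6_0_XXXX:        ; Dispatch on PEB.OSBuildNumber for Windows Vista (chain continues on the next line).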
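; ---- NtSetBootOptions, continued (PROC header and the Check_6_0_XXXX label are on the preceding lines) ----
    cmp word ptr [rax+120h], 6000       ; 16-bit compare: OSBuildNumber is a USHORT; OSCSDVersion at +122h is non-zero on service packs, so a dword compare misses SP1/SP2.
    je NtSetBootOptions_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtSetBootOptions_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtSetBootOptions_SystemCall_6_0_6002
    jmp NtSetBootOptions_SystemCall_Unknown
NtSetBootOptions_Check_6_1_XXXX:        ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600
    je NtSetBootOptions_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSetBootOptions_SystemCall_6_1_7601
    jmp NtSetBootOptions_SystemCall_Unknown
NtSetBootOptions_Check_10_0_XXXX:       ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 10240
    je NtSetBootOptions_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSetBootOptions_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSetBootOptions_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetBootOptions_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetBootOptions_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetBootOptions_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetBootOptions_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetBootOptions_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetBootOptions_SystemCall_10_0_18363
    jmp NtSetBootOptions_SystemCall_Unknown
NtSetBootOptions_SystemCall_5_X_XXXX:   ; Windows XP and Server 2003
    mov eax, 00f5h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_0_6000:   ; Windows Vista SP0
    mov eax, 014eh
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_0_6001:   ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0148h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_0_6002:   ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0148h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_1_7600:   ; Windows 7 SP0
    mov eax, 014fh
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_1_7601:   ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 014fh
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
    mov eax, 0163h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
    mov eax, 0166h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 016dh
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 0170h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0175h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 017bh
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 017eh
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0180h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0181h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0182h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0182h
    jmp NtSetBootOptions_Epilogue
NtSetBootOptions_SystemCall_Unknown:    ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetBootOptions_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetBootOptions ENDP

;-----------------------------------------------------------------------
; NtSetCachedSigningLevel — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing before 6.2 or after
;        10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The minor-version dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSetCachedSigningLevel PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetCachedSigningLevel_Check_X_X_XXXX: ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 6
    je NtSetCachedSigningLevel_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetCachedSigningLevel_Check_10_0_XXXX
    jmp NtSetCachedSigningLevel_SystemCall_Unknown
NtSetCachedSigningLevel_Check_6_X_XXXX: ; Dispatch on PEB.OSMinorVersion (8/8.1; chain continues on the next line).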
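; ---- NtSetCachedSigningLevel, continued (PROC header and the Check_6_X_XXXX label are on the preceding line) ----
    cmp dword ptr [rax+11ch], 2
    je NtSetCachedSigningLevel_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSetCachedSigningLevel_SystemCall_6_3_XXXX
    jmp NtSetCachedSigningLevel_SystemCall_Unknown
NtSetCachedSigningLevel_Check_10_0_XXXX: ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 10240      ; 16-bit compare: OSBuildNumber is a USHORT and OSCSDVersion at +122h shares the dword.
    je NtSetCachedSigningLevel_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSetCachedSigningLevel_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSetCachedSigningLevel_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetCachedSigningLevel_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetCachedSigningLevel_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetCachedSigningLevel_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetCachedSigningLevel_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetCachedSigningLevel_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetCachedSigningLevel_SystemCall_10_0_18363
    jmp NtSetCachedSigningLevel_SystemCall_Unknown
NtSetCachedSigningLevel_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0164h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0167h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 016eh
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 0171h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0176h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 017ch
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 017fh
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0181h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0182h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0183h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0183h
    jmp NtSetCachedSigningLevel_Epilogue
NtSetCachedSigningLevel_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetCachedSigningLevel_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetCachedSigningLevel ENDP

;-----------------------------------------------------------------------
; NtSetCachedSigningLevel2 — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS build is not tabled (only 10.0.14393 through 10.0.18363 are).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion (ULONG); +120h OSBuildNumber,
;        +122h OSCSDVersion (USHORT).
; The per-build cases continue on the following line.
;-----------------------------------------------------------------------
NtSetCachedSigningLevel2 PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetCachedSigningLevel2_Check_X_X_XXXX: ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 10
    je NtSetCachedSigningLevel2_Check_10_0_XXXX
    jmp NtSetCachedSigningLevel2_SystemCall_Unknown
NtSetCachedSigningLevel2_Check_10_0_XXXX: ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 14393      ; 16-bit compare: OSBuildNumber is a USHORT and OSCSDVersion at +122h shares the dword.
    je NtSetCachedSigningLevel2_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetCachedSigningLevel2_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetCachedSigningLevel2_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetCachedSigningLevel2_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetCachedSigningLevel2_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetCachedSigningLevel2_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetCachedSigningLevel2_SystemCall_10_0_18363
    jmp NtSetCachedSigningLevel2_SystemCall_Unknown
NtSetCachedSigningLevel2_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0177h
    jmp NtSetCachedSigningLevel2_Epilogue
NtSetCachedSigningLevel2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 017dh
    jmp NtSetCachedSigningLevel2_Epilogue
NtSetCachedSigningLevel2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 0180h
    jmp NtSetCachedSigningLevel2_Epilogue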
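; ---- NtSetCachedSigningLevel2, continued (PROC header, dispatch and earlier cases are on the preceding lines) ----
NtSetCachedSigningLevel2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0182h
    jmp NtSetCachedSigningLevel2_Epilogue
NtSetCachedSigningLevel2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0183h
    jmp NtSetCachedSigningLevel2_Epilogue
NtSetCachedSigningLevel2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0184h
    jmp NtSetCachedSigningLevel2_Epilogue
NtSetCachedSigningLevel2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0184h
    jmp NtSetCachedSigningLevel2_Epilogue
NtSetCachedSigningLevel2_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetCachedSigningLevel2_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetCachedSigningLevel2 ENDP

;-----------------------------------------------------------------------
; NtSetContextThread — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing after 10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
;-----------------------------------------------------------------------
NtSetContextThread PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetContextThread_Check_X_X_XXXX:      ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 5
    je NtSetContextThread_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetContextThread_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetContextThread_Check_10_0_XXXX
    jmp NtSetContextThread_SystemCall_Unknown
NtSetContextThread_Check_6_X_XXXX:      ; Dispatch on PEB.OSMinorVersion (Vista/7/8/8.1).
    cmp dword ptr [rax+11ch], 0
    je NtSetContextThread_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetContextThread_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetContextThread_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSetContextThread_SystemCall_6_3_XXXX
    jmp NtSetContextThread_SystemCall_Unknown
NtSetContextThread_Check_6_0_XXXX:      ; Dispatch on PEB.OSBuildNumber for Windows Vista.
    cmp word ptr [rax+120h], 6000       ; 16-bit compare: OSBuildNumber is a USHORT; OSCSDVersion at +122h is non-zero on service packs, so a dword compare misses SP1/SP2.
    je NtSetContextThread_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtSetContextThread_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtSetContextThread_SystemCall_6_0_6002
    jmp NtSetContextThread_SystemCall_Unknown
NtSetContextThread_Check_6_1_XXXX:      ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600
    je NtSetContextThread_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSetContextThread_SystemCall_6_1_7601
    jmp NtSetContextThread_SystemCall_Unknown
NtSetContextThread_Check_10_0_XXXX:     ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 10240
    je NtSetContextThread_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSetContextThread_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSetContextThread_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetContextThread_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetContextThread_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetContextThread_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetContextThread_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetContextThread_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetContextThread_SystemCall_10_0_18363
    jmp NtSetContextThread_SystemCall_Unknown
NtSetContextThread_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 00f6h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 014fh
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0149h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0149h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 0150h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0150h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0165h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0168h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 016fh
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 0172h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0178h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 017eh
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 0181h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0183h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0184h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0185h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0185h
    jmp NtSetContextThread_Epilogue
NtSetContextThread_SystemCall_Unknown:  ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetContextThread_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetContextThread ENDP

;-----------------------------------------------------------------------
; NtSetDebugFilterState — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing after 10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The minor-version dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSetDebugFilterState PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetDebugFilterState_Check_X_X_XXXX:   ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 5
    je NtSetDebugFilterState_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetDebugFilterState_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetDebugFilterState_Check_10_0_XXXX
    jmp NtSetDebugFilterState_SystemCall_Unknown
NtSetDebugFilterState_Check_6_X_XXXX:   ; Dispatch on PEB.OSMinorVersion (Vista/7/8/8.1; chain continues on the next line).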
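; ---- NtSetDebugFilterState, continued (PROC header and the Check_6_X_XXXX label are on the preceding line) ----
    cmp dword ptr [rax+11ch], 0
    je NtSetDebugFilterState_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetDebugFilterState_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetDebugFilterState_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSetDebugFilterState_SystemCall_6_3_XXXX
    jmp NtSetDebugFilterState_SystemCall_Unknown
NtSetDebugFilterState_Check_6_0_XXXX:   ; Dispatch on PEB.OSBuildNumber for Windows Vista.
    cmp word ptr [rax+120h], 6000       ; 16-bit compare: OSBuildNumber is a USHORT; OSCSDVersion at +122h is non-zero on service packs, so a dword compare misses SP1/SP2.
    je NtSetDebugFilterState_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtSetDebugFilterState_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtSetDebugFilterState_SystemCall_6_0_6002
    jmp NtSetDebugFilterState_SystemCall_Unknown
NtSetDebugFilterState_Check_6_1_XXXX:   ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600
    je NtSetDebugFilterState_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSetDebugFilterState_SystemCall_6_1_7601
    jmp NtSetDebugFilterState_SystemCall_Unknown
NtSetDebugFilterState_Check_10_0_XXXX:  ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 10240
    je NtSetDebugFilterState_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSetDebugFilterState_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSetDebugFilterState_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetDebugFilterState_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetDebugFilterState_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetDebugFilterState_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetDebugFilterState_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetDebugFilterState_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetDebugFilterState_SystemCall_10_0_18363
    jmp NtSetDebugFilterState_SystemCall_Unknown
NtSetDebugFilterState_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 00f7h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 0150h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 014ah
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 014ah
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 0151h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0151h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0166h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 0169h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 0170h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 0173h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 0179h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 017fh
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 0182h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0184h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0185h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0186h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0186h
    jmp NtSetDebugFilterState_Epilogue
NtSetDebugFilterState_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetDebugFilterState_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetDebugFilterState ENDP

;-----------------------------------------------------------------------
; NtSetDefaultHardErrorPort — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel, or STATUS_NOT_IMPLEMENTED when the
;        OS version/build is not tabled (nothing after 10.0.18363 is).
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The build-number dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSetDefaultHardErrorPort PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetDefaultHardErrorPort_Check_X_X_XXXX: ; Dispatch on PEB.OSMajorVersion.
    cmp dword ptr [rax+118h], 5
    je NtSetDefaultHardErrorPort_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetDefaultHardErrorPort_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetDefaultHardErrorPort_Check_10_0_XXXX
    jmp NtSetDefaultHardErrorPort_SystemCall_Unknown
NtSetDefaultHardErrorPort_Check_6_X_XXXX: ; Dispatch on PEB.OSMinorVersion (Vista/7/8/8.1).
    cmp dword ptr [rax+11ch], 0
    je NtSetDefaultHardErrorPort_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetDefaultHardErrorPort_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetDefaultHardErrorPort_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3         ; Windows 8.1 is 6.3; the original compared 2 twice, leaving this case unreachable.
    je NtSetDefaultHardErrorPort_SystemCall_6_3_XXXX
    jmp NtSetDefaultHardErrorPort_SystemCall_Unknown
NtSetDefaultHardErrorPort_Check_6_0_XXXX: ; Dispatch on PEB.OSBuildNumber for Windows Vista (chain continues on the next line).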
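; ---- NtSetDefaultHardErrorPort, continued (PROC header and the Check_6_0_XXXX label are on the preceding lines) ----
    cmp word ptr [rax+120h], 6000       ; 16-bit compare: OSBuildNumber is a USHORT; OSCSDVersion at +122h is non-zero on service packs, so a dword compare misses SP1/SP2.
    je NtSetDefaultHardErrorPort_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je NtSetDefaultHardErrorPort_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je NtSetDefaultHardErrorPort_SystemCall_6_0_6002
    jmp NtSetDefaultHardErrorPort_SystemCall_Unknown
NtSetDefaultHardErrorPort_Check_6_1_XXXX: ; Dispatch on PEB.OSBuildNumber for Windows 7.
    cmp word ptr [rax+120h], 7600
    je NtSetDefaultHardErrorPort_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je NtSetDefaultHardErrorPort_SystemCall_6_1_7601
    jmp NtSetDefaultHardErrorPort_SystemCall_Unknown
NtSetDefaultHardErrorPort_Check_10_0_XXXX: ; Dispatch on PEB.OSBuildNumber for Windows 10; builds after 18363 reach Unknown.
    cmp word ptr [rax+120h], 10240
    je NtSetDefaultHardErrorPort_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je NtSetDefaultHardErrorPort_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je NtSetDefaultHardErrorPort_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je NtSetDefaultHardErrorPort_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je NtSetDefaultHardErrorPort_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je NtSetDefaultHardErrorPort_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je NtSetDefaultHardErrorPort_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je NtSetDefaultHardErrorPort_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je NtSetDefaultHardErrorPort_SystemCall_10_0_18363
    jmp NtSetDefaultHardErrorPort_SystemCall_Unknown
NtSetDefaultHardErrorPort_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
    mov eax, 00f8h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_0_6000: ; Windows Vista SP0
    mov eax, 0151h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 014bh
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 014bh
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_1_7600: ; Windows 7 SP0
    mov eax, 0152h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0152h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
    mov eax, 0167h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
    mov eax, 016ah
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 0171h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 0174h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 017ah
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 0180h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 0183h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 0185h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 0186h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 0187h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 0187h
    jmp NtSetDefaultHardErrorPort_Epilogue
NtSetDefaultHardErrorPort_SystemCall_Unknown: ; Unknown/unsupported version.
    mov eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; a bare ret left the PEB pointer in rax, which a caller can read as success.
    ret
NtSetDefaultHardErrorPort_Epilogue:
    mov r10, rcx                        ; syscall overwrites rcx; the kernel reads argument 1 from r10.
    syscall
    ret
NtSetDefaultHardErrorPort ENDP

;-----------------------------------------------------------------------
; NtSetDefaultLocale — direct system-call stub, Microsoft x64 ABI.
; In:    caller's arguments (rcx/rdx/r8/r9 + stack), forwarded unchanged.
; Out:   rax = NTSTATUS from the kernel when the OS version/build is in
;        the table that follows; see the Unknown label for the fallback.
; Clobb: rax, r10; syscall itself overwrites rcx and r11.
; PEB:   +118h OSMajorVersion, +11Ch OSMinorVersion (ULONG);
;        +120h OSBuildNumber, +122h OSCSDVersion (USHORT).
; The version dispatch continues on the following lines.
;-----------------------------------------------------------------------
NtSetDefaultLocale PROC
    mov rax, gs:[60h]                   ; rax = PEB (TEB.ProcessEnvironmentBlock)
NtSetDefaultLocale_Check_X_X_XXXX:      ; Dispatch on PEB.OSMajorVersion.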
cmp dword ptr [rax+118h], 5 je NtSetDefaultLocale_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetDefaultLocale_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetDefaultLocale_Check_10_0_XXXX jmp NtSetDefaultLocale_SystemCall_Unknown NtSetDefaultLocale_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetDefaultLocale_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetDefaultLocale_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetDefaultLocale_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetDefaultLocale_SystemCall_6_3_XXXX jmp NtSetDefaultLocale_SystemCall_Unknown NtSetDefaultLocale_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetDefaultLocale_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetDefaultLocale_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetDefaultLocale_SystemCall_6_0_6002 jmp NtSetDefaultLocale_SystemCall_Unknown NtSetDefaultLocale_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetDefaultLocale_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetDefaultLocale_SystemCall_6_1_7601 jmp NtSetDefaultLocale_SystemCall_Unknown NtSetDefaultLocale_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetDefaultLocale_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetDefaultLocale_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetDefaultLocale_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetDefaultLocale_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetDefaultLocale_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetDefaultLocale_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetDefaultLocale_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetDefaultLocale_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetDefaultLocale_SystemCall_10_0_18363 jmp NtSetDefaultLocale_SystemCall_Unknown NtSetDefaultLocale_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00f9h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0152h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 014ch jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 014ch jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0153h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0153h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0168h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 016bh jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0172h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0175h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 017bh jmp 
NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0181h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0184h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0186h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0187h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0188h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0188h jmp NtSetDefaultLocale_Epilogue NtSetDefaultLocale_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetDefaultLocale_Epilogue: mov r10, rcx syscall ret NtSetDefaultLocale ENDP NtSetDefaultUILanguage PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetDefaultUILanguage_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetDefaultUILanguage_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetDefaultUILanguage_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetDefaultUILanguage_Check_10_0_XXXX jmp NtSetDefaultUILanguage_SystemCall_Unknown NtSetDefaultUILanguage_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetDefaultUILanguage_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetDefaultUILanguage_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetDefaultUILanguage_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetDefaultUILanguage_SystemCall_6_3_XXXX jmp NtSetDefaultUILanguage_SystemCall_Unknown NtSetDefaultUILanguage_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetDefaultUILanguage_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetDefaultUILanguage_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetDefaultUILanguage_SystemCall_6_0_6002 jmp NtSetDefaultUILanguage_SystemCall_Unknown NtSetDefaultUILanguage_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetDefaultUILanguage_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetDefaultUILanguage_SystemCall_6_1_7601 jmp NtSetDefaultUILanguage_SystemCall_Unknown NtSetDefaultUILanguage_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetDefaultUILanguage_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetDefaultUILanguage_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetDefaultUILanguage_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetDefaultUILanguage_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetDefaultUILanguage_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetDefaultUILanguage_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetDefaultUILanguage_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetDefaultUILanguage_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetDefaultUILanguage_SystemCall_10_0_18363 jmp NtSetDefaultUILanguage_SystemCall_Unknown NtSetDefaultUILanguage_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00fah jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0153h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 014dh jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 014dh jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0154h jmp 
NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0154h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0169h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 016ch jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0173h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0176h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 017ch jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0182h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0185h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0187h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0188h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0189h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0189h jmp NtSetDefaultUILanguage_Epilogue NtSetDefaultUILanguage_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetDefaultUILanguage_Epilogue: mov r10, rcx syscall ret NtSetDefaultUILanguage ENDP NtSetDriverEntryOrder PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetDriverEntryOrder_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtSetDriverEntryOrder_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetDriverEntryOrder_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetDriverEntryOrder_Check_10_0_XXXX jmp NtSetDriverEntryOrder_SystemCall_Unknown NtSetDriverEntryOrder_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetDriverEntryOrder_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetDriverEntryOrder_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetDriverEntryOrder_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetDriverEntryOrder_SystemCall_6_3_XXXX jmp NtSetDriverEntryOrder_SystemCall_Unknown NtSetDriverEntryOrder_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetDriverEntryOrder_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetDriverEntryOrder_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetDriverEntryOrder_SystemCall_6_0_6002 jmp NtSetDriverEntryOrder_SystemCall_Unknown NtSetDriverEntryOrder_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetDriverEntryOrder_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetDriverEntryOrder_SystemCall_6_1_7601 jmp NtSetDriverEntryOrder_SystemCall_Unknown NtSetDriverEntryOrder_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetDriverEntryOrder_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetDriverEntryOrder_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetDriverEntryOrder_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetDriverEntryOrder_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetDriverEntryOrder_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetDriverEntryOrder_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetDriverEntryOrder_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetDriverEntryOrder_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetDriverEntryOrder_SystemCall_10_0_18363 jmp NtSetDriverEntryOrder_SystemCall_Unknown NtSetDriverEntryOrder_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00fbh jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0154h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 014eh jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 014eh jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0155h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0155h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 016ah jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 016dh jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0174h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0177h jmp NtSetDriverEntryOrder_Epilogue 
NtSetDriverEntryOrder_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 017dh jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0183h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0186h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0188h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0189h jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 018ah jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 018ah jmp NtSetDriverEntryOrder_Epilogue NtSetDriverEntryOrder_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetDriverEntryOrder_Epilogue: mov r10, rcx syscall ret NtSetDriverEntryOrder ENDP NtSetEaFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetEaFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetEaFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetEaFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetEaFile_Check_10_0_XXXX jmp NtSetEaFile_SystemCall_Unknown NtSetEaFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetEaFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetEaFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetEaFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetEaFile_SystemCall_6_3_XXXX jmp NtSetEaFile_SystemCall_Unknown NtSetEaFile_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetEaFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetEaFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetEaFile_SystemCall_6_0_6002 jmp NtSetEaFile_SystemCall_Unknown NtSetEaFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetEaFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetEaFile_SystemCall_6_1_7601 jmp NtSetEaFile_SystemCall_Unknown NtSetEaFile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetEaFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetEaFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetEaFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetEaFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetEaFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetEaFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetEaFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetEaFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetEaFile_SystemCall_10_0_18363 jmp NtSetEaFile_SystemCall_Unknown NtSetEaFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00fch jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0155h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 014fh jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 014fh jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0156h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0156h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 016bh jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 016eh jmp 
NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0175h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0178h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 017eh jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0184h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0187h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0189h jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 018ah jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 018bh jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 018bh jmp NtSetEaFile_Epilogue NtSetEaFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetEaFile_Epilogue: mov r10, rcx syscall ret NtSetEaFile ENDP NtSetEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetEvent_Check_10_0_XXXX jmp NtSetEvent_SystemCall_Unknown NtSetEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetEvent_SystemCall_6_3_XXXX jmp NtSetEvent_SystemCall_Unknown NtSetEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetEvent_SystemCall_6_0_6002 jmp NtSetEvent_SystemCall_Unknown NtSetEvent_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetEvent_SystemCall_6_1_7601 jmp NtSetEvent_SystemCall_Unknown NtSetEvent_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetEvent_SystemCall_10_0_18363 jmp NtSetEvent_SystemCall_Unknown NtSetEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 000bh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 000bh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 000bh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 000bh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 000bh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 000bh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 000ch jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 000dh jmp NtSetEvent_Epilogue 
NtSetEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 000eh jmp NtSetEvent_Epilogue NtSetEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetEvent_Epilogue: mov r10, rcx syscall ret NtSetEvent ENDP NtSetEventBoostPriority PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetEventBoostPriority_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetEventBoostPriority_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetEventBoostPriority_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetEventBoostPriority_Check_10_0_XXXX jmp NtSetEventBoostPriority_SystemCall_Unknown NtSetEventBoostPriority_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetEventBoostPriority_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetEventBoostPriority_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetEventBoostPriority_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetEventBoostPriority_SystemCall_6_3_XXXX jmp NtSetEventBoostPriority_SystemCall_Unknown NtSetEventBoostPriority_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetEventBoostPriority_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetEventBoostPriority_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetEventBoostPriority_SystemCall_6_0_6002 jmp NtSetEventBoostPriority_SystemCall_Unknown NtSetEventBoostPriority_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetEventBoostPriority_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetEventBoostPriority_SystemCall_6_1_7601 jmp NtSetEventBoostPriority_SystemCall_Unknown NtSetEventBoostPriority_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetEventBoostPriority_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetEventBoostPriority_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetEventBoostPriority_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetEventBoostPriority_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetEventBoostPriority_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetEventBoostPriority_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetEventBoostPriority_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetEventBoostPriority_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetEventBoostPriority_SystemCall_10_0_18363 jmp NtSetEventBoostPriority_SystemCall_Unknown NtSetEventBoostPriority_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 002ah jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 002ah jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 002ah jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 002ah jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_1_7600: ; Windows 7 SP0 mov 
eax, 002ah jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 002ah jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 002bh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 002ch jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 002dh jmp NtSetEventBoostPriority_Epilogue NtSetEventBoostPriority_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetEventBoostPriority_Epilogue: mov r10, rcx syscall ret NtSetEventBoostPriority ENDP NtSetHighEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetHighEventPair_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtSetHighEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetHighEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetHighEventPair_Check_10_0_XXXX jmp NtSetHighEventPair_SystemCall_Unknown NtSetHighEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetHighEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetHighEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetHighEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetHighEventPair_SystemCall_6_3_XXXX jmp NtSetHighEventPair_SystemCall_Unknown NtSetHighEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetHighEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetHighEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetHighEventPair_SystemCall_6_0_6002 jmp NtSetHighEventPair_SystemCall_Unknown NtSetHighEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetHighEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetHighEventPair_SystemCall_6_1_7601 jmp NtSetHighEventPair_SystemCall_Unknown NtSetHighEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetHighEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetHighEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetHighEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetHighEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetHighEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetHighEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetHighEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetHighEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetHighEventPair_SystemCall_10_0_18363 jmp NtSetHighEventPair_SystemCall_Unknown NtSetHighEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 00fdh jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0156h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0150h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0150h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0157h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0157h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 016ch jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 016fh jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0176h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0179h jmp NtSetHighEventPair_Epilogue NtSetHighEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 017fh jmp 
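NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0185h
        jmp     NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0188h
        jmp     NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 018ah
        jmp     NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 018bh
        jmp     NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
        mov     eax, 018ch
        jmp     NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 018ch
        jmp     NtSetHighEventPair_Epilogue
NtSetHighEventPair_SystemCall_Unknown: ; Unknown/unsupported version.
        ret
NtSetHighEventPair_Epilogue:
        mov     r10, rcx
        syscall
        ret
NtSetHighEventPair ENDP

;=======================================================================
; Direct x64 system-call stubs.  Every stub below follows one shape:
;   1. rax = PEB (gs:[60h]); dispatch on the OS version fields
;      OSMajorVersion (+118h, DWORD), OSMinorVersion (+11Ch, DWORD) and
;      OSBuildNumber (+120h, USHORT; the USHORT at +122h is OSCSDVersion,
;      the service-pack level);
;   2. eax = the system-call number that belongs to that OS version;
;   3. r10 = rcx (SYSCALL overwrites rcx with the return RIP and the
;      kernel takes argument 1 from r10); rdx/r8/r9 and the caller's
;      stack arguments are left untouched, so the MS x64 convention
;      passes straight through to the kernel;
;   4. SYSCALL, then return the kernel's NTSTATUS in eax.
; Clobbers: rax, r10; rcx and r11 are overwritten by SYSCALL itself.
;
; Fixes relative to the generated original:
;   - the Windows 8.1 (6.3) minor-version test compared against 2 a
;     second time, so 8.1 / Server 2012 R2 could never be matched and
;     always fell through to the unknown-version path;
;   - build numbers were compared as a DWORD, which also reads
;     OSCSDVersion, so on service-packed systems (e.g. 7 SP1: build 7601
;     with CSD 0100h) the compare could never match.  They are WORD
;     compares now;
;   - the unknown-version path returned with the PEB pointer still in
;     rax; its low 32 bits may or may not have the sign bit set, so a
;     caller's NT_SUCCESS() check on it was unpredictable.  It now
;     returns STATUS_NOT_IMPLEMENTED (0C0000002h) and fails closed.
;
; NOTE(review): since Windows 8.1 the loader may present shimmed
; version fields in the PEB to images without a supportedOS manifest
; (reported as 6.2 / build 9200) - confirm for the intended host
; process; a stub running under that lie would issue the Windows 8
; number on a newer OS.  Builds newer than 18363 are deliberately
; unmapped and take the STATUS_NOT_IMPLEMENTED path.
;=======================================================================

; NtSetHighWaitLowEventPair: arguments pass through from the caller.
NtSetHighWaitLowEventPair PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetHighWaitLowEventPair_Check_X_X_XXXX:       ; OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetHighWaitLowEventPair_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetHighWaitLowEventPair_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetHighWaitLowEventPair_Check_10_0_XXXX
        jmp     NtSetHighWaitLowEventPair_SystemCall_Unknown
NtSetHighWaitLowEventPair_Check_6_X_XXXX:       ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetHighWaitLowEventPair_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetHighWaitLowEventPair_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetHighWaitLowEventPair_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetHighWaitLowEventPair_SystemCall_6_3_XXXX
        jmp     NtSetHighWaitLowEventPair_SystemCall_Unknown
NtSetHighWaitLowEventPair_Check_6_0_XXXX:       ; OSBuildNumber: Vista (WORD, not DWORD: +122h is OSCSDVersion)
        cmp     word ptr [rax+120h], 6000
        je      NtSetHighWaitLowEventPair_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetHighWaitLowEventPair_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetHighWaitLowEventPair_SystemCall_6_0_6002
        jmp     NtSetHighWaitLowEventPair_SystemCall_Unknown
NtSetHighWaitLowEventPair_Check_6_1_XXXX:       ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetHighWaitLowEventPair_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetHighWaitLowEventPair_SystemCall_6_1_7601
        jmp     NtSetHighWaitLowEventPair_SystemCall_Unknown
NtSetHighWaitLowEventPair_Check_10_0_XXXX:      ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetHighWaitLowEventPair_SystemCall_10_0_18363
        jmp     NtSetHighWaitLowEventPair_SystemCall_Unknown
NtSetHighWaitLowEventPair_SystemCall_5_X_XXXX:  ; Windows XP and Server 2003
        mov     eax, 00feh
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 0157h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
NtSetHighWaitLowEventPair_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0151h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_6_1_7600:  ; Windows 7 SP0
NtSetHighWaitLowEventPair_SystemCall_6_1_7601:  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0158h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 016dh
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 0170h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0177h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 017ah
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0180h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0186h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 0189h
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 018bh
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 018ch
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
NtSetHighWaitLowEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 018dh
        jmp     NtSetHighWaitLowEventPair_Epilogue
NtSetHighWaitLowEventPair_SystemCall_Unknown:   ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetHighWaitLowEventPair_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetHighWaitLowEventPair ENDP

; NtSetIRTimer: the table has entries for Windows 8 and later only;
; any 5.x or 6.0/6.1 system takes the STATUS_NOT_IMPLEMENTED path.
NtSetIRTimer PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetIRTimer_Check_X_X_XXXX:                    ; OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtSetIRTimer_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetIRTimer_Check_10_0_XXXX
        jmp     NtSetIRTimer_SystemCall_Unknown
NtSetIRTimer_Check_6_X_XXXX:                    ; OSMinorVersion: 8 / 8.1
        cmp     dword ptr [rax+11ch], 2
        je      NtSetIRTimer_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetIRTimer_SystemCall_6_3_XXXX
        jmp     NtSetIRTimer_SystemCall_Unknown
NtSetIRTimer_Check_10_0_XXXX:                   ; OSBuildNumber: Windows 10 (WORD, not DWORD)
        cmp     word ptr [rax+120h], 10240
        je      NtSetIRTimer_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetIRTimer_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetIRTimer_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetIRTimer_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetIRTimer_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetIRTimer_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetIRTimer_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetIRTimer_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetIRTimer_SystemCall_10_0_18363
        jmp     NtSetIRTimer_SystemCall_Unknown
NtSetIRTimer_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
        mov     eax, 016eh
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
        mov     eax, 0171h
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
        mov     eax, 0178h
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
        mov     eax, 017bh
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
        mov     eax, 0181h
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
        mov     eax, 0187h
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
        mov     eax, 018ah
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
        mov     eax, 018ch
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
        mov     eax, 018dh
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
NtSetIRTimer_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
        mov     eax, 018eh
        jmp     NtSetIRTimer_Epilogue
NtSetIRTimer_SystemCall_Unknown:                ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetIRTimer_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetIRTimer ENDP

; NtSetInformationDebugObject: arguments pass through from the caller.
NtSetInformationDebugObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetInformationDebugObject_Check_X_X_XXXX:     ; OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetInformationDebugObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetInformationDebugObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetInformationDebugObject_Check_10_0_XXXX
        jmp     NtSetInformationDebugObject_SystemCall_Unknown
NtSetInformationDebugObject_Check_6_X_XXXX:     ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetInformationDebugObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetInformationDebugObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetInformationDebugObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetInformationDebugObject_SystemCall_6_3_XXXX
        jmp     NtSetInformationDebugObject_SystemCall_Unknown
NtSetInformationDebugObject_Check_6_0_XXXX:     ; OSBuildNumber: Vista (WORD, not DWORD)
        cmp     word ptr [rax+120h], 6000
        je      NtSetInformationDebugObject_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetInformationDebugObject_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetInformationDebugObject_SystemCall_6_0_6002
        jmp     NtSetInformationDebugObject_SystemCall_Unknown
NtSetInformationDebugObject_Check_6_1_XXXX:     ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetInformationDebugObject_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetInformationDebugObject_SystemCall_6_1_7601
        jmp     NtSetInformationDebugObject_SystemCall_Unknown
NtSetInformationDebugObject_Check_10_0_XXXX:    ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetInformationDebugObject_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetInformationDebugObject_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetInformationDebugObject_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetInformationDebugObject_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetInformationDebugObject_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetInformationDebugObject_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetInformationDebugObject_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetInformationDebugObject_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetInformationDebugObject_SystemCall_10_0_18363
        jmp     NtSetInformationDebugObject_SystemCall_Unknown
NtSetInformationDebugObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003
        mov     eax, 00ffh
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0158h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
NtSetInformationDebugObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0152h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_6_1_7600: ; Windows 7 SP0
NtSetInformationDebugObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0159h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 016fh
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 0172h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 0179h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 017ch
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0182h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0188h
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 018bh
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 018dh
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 018eh
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
NtSetInformationDebugObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 018fh
        jmp     NtSetInformationDebugObject_Epilogue
NtSetInformationDebugObject_SystemCall_Unknown: ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetInformationDebugObject_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetInformationDebugObject ENDP

; NtSetInformationEnlistment: the table starts at Vista; any 5.x system
; takes the STATUS_NOT_IMPLEMENTED path.
NtSetInformationEnlistment PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetInformationEnlistment_Check_X_X_XXXX:      ; OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtSetInformationEnlistment_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetInformationEnlistment_Check_10_0_XXXX
        jmp     NtSetInformationEnlistment_SystemCall_Unknown
NtSetInformationEnlistment_Check_6_X_XXXX:      ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetInformationEnlistment_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetInformationEnlistment_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetInformationEnlistment_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetInformationEnlistment_SystemCall_6_3_XXXX
        jmp     NtSetInformationEnlistment_SystemCall_Unknown
NtSetInformationEnlistment_Check_6_0_XXXX:      ; OSBuildNumber: Vista (WORD, not DWORD)
        cmp     word ptr [rax+120h], 6000
        je      NtSetInformationEnlistment_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetInformationEnlistment_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetInformationEnlistment_SystemCall_6_0_6002
        jmp     NtSetInformationEnlistment_SystemCall_Unknown
NtSetInformationEnlistment_Check_6_1_XXXX:      ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetInformationEnlistment_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetInformationEnlistment_SystemCall_6_1_7601
        jmp     NtSetInformationEnlistment_SystemCall_Unknown
NtSetInformationEnlistment_Check_10_0_XXXX:     ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetInformationEnlistment_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetInformationEnlistment_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetInformationEnlistment_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetInformationEnlistment_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetInformationEnlistment_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetInformationEnlistment_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetInformationEnlistment_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetInformationEnlistment_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetInformationEnlistment_SystemCall_10_0_18363
        jmp     NtSetInformationEnlistment_SystemCall_Unknown
NtSetInformationEnlistment_SystemCall_6_0_6000: ; Windows Vista SP0
        mov     eax, 0159h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0
NtSetInformationEnlistment_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0153h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_6_1_7600: ; Windows 7 SP0
NtSetInformationEnlistment_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 015ah
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012
        mov     eax, 0170h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2
        mov     eax, 0173h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 017ah
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 017dh
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0183h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 0189h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 018ch
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 018eh
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 018fh
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
NtSetInformationEnlistment_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0190h
        jmp     NtSetInformationEnlistment_Epilogue
NtSetInformationEnlistment_SystemCall_Unknown:  ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetInformationEnlistment_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetInformationEnlistment ENDP

; NtSetInformationFile: arguments pass through from the caller.  The
; number is stable across every listed build of a given major release,
; but unlisted builds still fail closed rather than guess.
NtSetInformationFile PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetInformationFile_Check_X_X_XXXX:            ; OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetInformationFile_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetInformationFile_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetInformationFile_Check_10_0_XXXX
        jmp     NtSetInformationFile_SystemCall_Unknown
NtSetInformationFile_Check_6_X_XXXX:            ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetInformationFile_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetInformationFile_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetInformationFile_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetInformationFile_SystemCall_6_3_XXXX
        jmp     NtSetInformationFile_SystemCall_Unknown
NtSetInformationFile_Check_6_0_XXXX:            ; OSBuildNumber: Vista (WORD, not DWORD)
        cmp     word ptr [rax+120h], 6000
        je      NtSetInformationFile_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetInformationFile_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetInformationFile_SystemCall_6_0_6002
        jmp     NtSetInformationFile_SystemCall_Unknown
NtSetInformationFile_Check_6_1_XXXX:            ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetInformationFile_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetInformationFile_SystemCall_6_1_7601
        jmp     NtSetInformationFile_SystemCall_Unknown
NtSetInformationFile_Check_10_0_XXXX:           ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetInformationFile_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetInformationFile_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetInformationFile_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetInformationFile_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetInformationFile_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetInformationFile_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetInformationFile_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetInformationFile_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetInformationFile_SystemCall_10_0_18363
        jmp     NtSetInformationFile_SystemCall_Unknown
NtSetInformationFile_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
NtSetInformationFile_SystemCall_6_0_6000:       ; Windows Vista SP0
NtSetInformationFile_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
NtSetInformationFile_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
NtSetInformationFile_SystemCall_6_1_7600:       ; Windows 7 SP0
NtSetInformationFile_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0024h
        jmp     NtSetInformationFile_Epilogue
NtSetInformationFile_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 0025h
        jmp     NtSetInformationFile_Epilogue
NtSetInformationFile_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 0026h
        jmp     NtSetInformationFile_Epilogue
NtSetInformationFile_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
NtSetInformationFile_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
NtSetInformationFile_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
NtSetInformationFile_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
NtSetInformationFile_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
NtSetInformationFile_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
NtSetInformationFile_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
NtSetInformationFile_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
NtSetInformationFile_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 0027h
        jmp     NtSetInformationFile_Epilogue
NtSetInformationFile_SystemCall_Unknown:        ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetInformationFile_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetInformationFile ENDP

; NtSetInformationJobObject: arguments pass through from the caller.
NtSetInformationJobObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetInformationJobObject_Check_X_X_XXXX:       ; OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetInformationJobObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetInformationJobObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetInformationJobObject_Check_10_0_XXXX
        jmp     NtSetInformationJobObject_SystemCall_Unknown
NtSetInformationJobObject_Check_6_X_XXXX:       ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetInformationJobObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetInformationJobObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetInformationJobObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetInformationJobObject_SystemCall_6_3_XXXX
        jmp     NtSetInformationJobObject_SystemCall_Unknown
NtSetInformationJobObject_Check_6_0_XXXX:       ; OSBuildNumber: Vista (WORD, not DWORD)
        cmp     word ptr [rax+120h], 6000
        je      NtSetInformationJobObject_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetInformationJobObject_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetInformationJobObject_SystemCall_6_0_6002
        jmp     NtSetInformationJobObject_SystemCall_Unknown
NtSetInformationJobObject_Check_6_1_XXXX:       ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetInformationJobObject_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetInformationJobObject_SystemCall_6_1_7601
        jmp     NtSetInformationJobObject_SystemCall_Unknown
NtSetInformationJobObject_Check_10_0_XXXX:      ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetInformationJobObject_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetInformationJobObject_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetInformationJobObject_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetInformationJobObject_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetInformationJobObject_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetInformationJobObject_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetInformationJobObject_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetInformationJobObject_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetInformationJobObject_SystemCall_10_0_18363
        jmp     NtSetInformationJobObject_SystemCall_Unknown
NtSetInformationJobObject_SystemCall_5_X_XXXX:  ; Windows XP and Server 2003
        mov     eax, 0100h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_6_0_6000:  ; Windows Vista SP0
        mov     eax, 015ah
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_6_0_6001:  ; Windows Vista SP1 and Server 2008 SP0
NtSetInformationJobObject_SystemCall_6_0_6002:  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0154h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_6_1_7600:  ; Windows 7 SP0
NtSetInformationJobObject_SystemCall_6_1_7601:  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 015bh
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_6_2_XXXX:  ; Windows 8 and Server 2012
        mov     eax, 0171h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_6_3_XXXX:  ; Windows 8.1 and Server 2012 R2
        mov     eax, 0174h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
        mov     eax, 017bh
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
        mov     eax, 017eh
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
        mov     eax, 0184h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
        mov     eax, 018ah
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
        mov     eax, 018dh
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
        mov     eax, 018fh
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
        mov     eax, 0190h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
NtSetInformationJobObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
        mov     eax, 0191h
        jmp     NtSetInformationJobObject_Epilogue
NtSetInformationJobObject_SystemCall_Unknown:   ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetInformationJobObject_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetInformationJobObject ENDP

; NtSetInformationKey: arguments pass through from the caller.
NtSetInformationKey PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetInformationKey_Check_X_X_XXXX:             ; OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetInformationKey_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetInformationKey_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetInformationKey_Check_10_0_XXXX
        jmp     NtSetInformationKey_SystemCall_Unknown
NtSetInformationKey_Check_6_X_XXXX:             ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetInformationKey_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetInformationKey_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetInformationKey_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetInformationKey_SystemCall_6_3_XXXX
        jmp     NtSetInformationKey_SystemCall_Unknown
NtSetInformationKey_Check_6_0_XXXX:             ; OSBuildNumber: Vista (WORD, not DWORD)
        cmp     word ptr [rax+120h], 6000
        je      NtSetInformationKey_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetInformationKey_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetInformationKey_SystemCall_6_0_6002
        jmp     NtSetInformationKey_SystemCall_Unknown
NtSetInformationKey_Check_6_1_XXXX:             ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetInformationKey_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetInformationKey_SystemCall_6_1_7601
        jmp     NtSetInformationKey_SystemCall_Unknown
NtSetInformationKey_Check_10_0_XXXX:            ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetInformationKey_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetInformationKey_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetInformationKey_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetInformationKey_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetInformationKey_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetInformationKey_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetInformationKey_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetInformationKey_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetInformationKey_SystemCall_10_0_18363
        jmp     NtSetInformationKey_SystemCall_Unknown
NtSetInformationKey_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
        mov     eax, 0101h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_6_0_6000:        ; Windows Vista SP0
        mov     eax, 015bh
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
NtSetInformationKey_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0155h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_6_1_7600:        ; Windows 7 SP0
NtSetInformationKey_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 015ch
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
        mov     eax, 0172h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
        mov     eax, 0175h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
        mov     eax, 017ch
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
        mov     eax, 017fh
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
        mov     eax, 0185h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
        mov     eax, 018bh
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
        mov     eax, 018eh
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
        mov     eax, 0190h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
        mov     eax, 0191h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
NtSetInformationKey_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
        mov     eax, 0192h
        jmp     NtSetInformationKey_Epilogue
NtSetInformationKey_SystemCall_Unknown:         ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetInformationKey_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetInformationKey ENDP

; NtSetInformationObject: arguments pass through from the caller.  The
; number is stable across every listed build of a given major release,
; but unlisted builds still fail closed rather than guess.
NtSetInformationObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetInformationObject_Check_X_X_XXXX:          ; OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetInformationObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetInformationObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetInformationObject_Check_10_0_XXXX
        jmp     NtSetInformationObject_SystemCall_Unknown
NtSetInformationObject_Check_6_X_XXXX:          ; OSMinorVersion: Vista / 7 / 8 / 8.1
        cmp     dword ptr [rax+11ch], 0
        je      NtSetInformationObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetInformationObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetInformationObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (was a second compare against 2)
        je      NtSetInformationObject_SystemCall_6_3_XXXX
        jmp     NtSetInformationObject_SystemCall_Unknown
NtSetInformationObject_Check_6_0_XXXX:          ; OSBuildNumber: Vista (WORD, not DWORD)
        cmp     word ptr [rax+120h], 6000
        je      NtSetInformationObject_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetInformationObject_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetInformationObject_SystemCall_6_0_6002
        jmp     NtSetInformationObject_SystemCall_Unknown
NtSetInformationObject_Check_6_1_XXXX:          ; OSBuildNumber: Windows 7
        cmp     word ptr [rax+120h], 7600
        je      NtSetInformationObject_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetInformationObject_SystemCall_6_1_7601
        jmp     NtSetInformationObject_SystemCall_Unknown
NtSetInformationObject_Check_10_0_XXXX:         ; OSBuildNumber: Windows 10
        cmp     word ptr [rax+120h], 10240
        je      NtSetInformationObject_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      NtSetInformationObject_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      NtSetInformationObject_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      NtSetInformationObject_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      NtSetInformationObject_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      NtSetInformationObject_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      NtSetInformationObject_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      NtSetInformationObject_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      NtSetInformationObject_SystemCall_10_0_18363
        jmp     NtSetInformationObject_SystemCall_Unknown
NtSetInformationObject_SystemCall_5_X_XXXX:     ; Windows XP and Server 2003
NtSetInformationObject_SystemCall_6_0_6000:     ; Windows Vista SP0
NtSetInformationObject_SystemCall_6_0_6001:     ; Windows Vista SP1 and Server 2008 SP0
NtSetInformationObject_SystemCall_6_0_6002:     ; Windows Vista SP2 and Server 2008 SP2
NtSetInformationObject_SystemCall_6_1_7600:     ; Windows 7 SP0
NtSetInformationObject_SystemCall_6_1_7601:     ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0059h
        jmp     NtSetInformationObject_Epilogue
NtSetInformationObject_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
        mov     eax, 005ah
        jmp     NtSetInformationObject_Epilogue
NtSetInformationObject_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
        mov     eax, 005bh
        jmp     NtSetInformationObject_Epilogue
NtSetInformationObject_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
NtSetInformationObject_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
NtSetInformationObject_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
NtSetInformationObject_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
NtSetInformationObject_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
NtSetInformationObject_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
NtSetInformationObject_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
NtSetInformationObject_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
NtSetInformationObject_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
        mov     eax, 005ch
        jmp     NtSetInformationObject_Epilogue
NtSetInformationObject_SystemCall_Unknown:      ; no number for this OS version: fail closed
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret
NtSetInformationObject_Epilogue:
        mov     r10, rcx                        ; SYSCALL clobbers rcx; kernel reads arg 1 from r10
        syscall
        ret
NtSetInformationObject ENDP

; NtSetInformationProcess continues below this block (generated form,
; left as-is here; it still carries the 6.3 / DWORD-compare / unknown-
; path issues described above).
NtSetInformationProcess PROC
        mov     rax, gs:[60h] ; Load PEB into RAX.
NtSetInformationProcess_Check_X_X_XXXX: ; Check major version.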
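; --- NtSetInformationProcess (the PROC line and the PEB load into rax are on the preceding line) ---
; Every stub in this file has the same shape: rax holds the PEB (from gs:[60h]), and the
; fields PEB.OSMajorVersion (+118h), PEB.OSMinorVersion (+11ch) and PEB.OSBuildNumber (+120h)
; select the system service number (SSN) that the running kernel expects for this call.
; Builds newer than 18363 are not in the tables and take the _SystemCall_Unknown path.
; ABI: Microsoft x64. Caller arguments in rcx, rdx, r8, r9 and on the stack are passed
; through untouched, except that rcx is copied to r10 because the syscall instruction
; overwrites rcx (and r11). Returns NTSTATUS in rax; clobbers rax, r10, rcx, r11.
; Two fixes relative to the generated original, applied to every stub below:
;   * the second minor-version compare used 2 twice, so the 6.3 (Windows 8.1) branch
;     was unreachable and 8.1 silently fell through to _SystemCall_Unknown;
;   * _SystemCall_Unknown returned with rax still holding the PEB pointer, so the caller
;     received a garbage NTSTATUS; it now returns STATUS_NOT_IMPLEMENTED (0C0000002h).
    cmp dword ptr [rax+118h], 5            ; PEB.OSMajorVersion
    je NtSetInformationProcess_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetInformationProcess_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationProcess_Check_10_0_XXXX
    jmp NtSetInformationProcess_SystemCall_Unknown
NtSetInformationProcess_Check_6_X_XXXX:    ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationProcess_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationProcess_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationProcess_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationProcess_SystemCall_6_3_XXXX
    jmp NtSetInformationProcess_SystemCall_Unknown
NtSetInformationProcess_Check_6_0_XXXX:    ; PEB.OSBuildNumber: Vista service pack
    cmp dword ptr [rax+120h], 6000
    je NtSetInformationProcess_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtSetInformationProcess_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtSetInformationProcess_SystemCall_6_0_6002
    jmp NtSetInformationProcess_SystemCall_Unknown
NtSetInformationProcess_Check_6_1_XXXX:    ; PEB.OSBuildNumber: Windows 7
    cmp dword ptr [rax+120h], 7600
    je NtSetInformationProcess_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtSetInformationProcess_SystemCall_6_1_7601
    jmp NtSetInformationProcess_SystemCall_Unknown
NtSetInformationProcess_Check_10_0_XXXX:   ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationProcess_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationProcess_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationProcess_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationProcess_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationProcess_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationProcess_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationProcess_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationProcess_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationProcess_SystemCall_10_0_18363
    jmp NtSetInformationProcess_SystemCall_Unknown
NtSetInformationProcess_SystemCall_5_X_XXXX:     ; Windows XP and Server 2003
    mov eax, 0019h
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_0_6000:     ; Windows Vista SP0
    mov eax, 0019h
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_0_6001:     ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0019h
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_0_6002:     ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0019h
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_1_7600:     ; Windows 7 SP0
    mov eax, 0019h
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_1_7601:     ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0019h
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
    mov eax, 001ah
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
    mov eax, 001bh
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
    mov eax, 001ch
    jmp NtSetInformationProcess_Epilogue
NtSetInformationProcess_SystemCall_Unknown:      ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationProcess_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationProcess ENDP

;-----------------------------------------------------------------------
; NtSetInformationResourceManager: direct system-call stub (Microsoft x64).
; Selects the SSN from PEB.OSMajorVersion/OSMinorVersion/OSBuildNumber;
; no XP/2003 entry, so major version 5 is unsupported.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationResourceManager PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationResourceManager_Check_X_X_XXXX:  ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je NtSetInformationResourceManager_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationResourceManager_Check_10_0_XXXX
    jmp NtSetInformationResourceManager_SystemCall_Unknown
NtSetInformationResourceManager_Check_6_X_XXXX:  ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationResourceManager_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationResourceManager_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationResourceManager_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationResourceManager_SystemCall_6_3_XXXX
    jmp NtSetInformationResourceManager_SystemCall_Unknown
NtSetInformationResourceManager_Check_6_0_XXXX:  ; PEB.OSBuildNumber: Vista service pack
    cmp dword ptr [rax+120h], 6000
    je NtSetInformationResourceManager_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtSetInformationResourceManager_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtSetInformationResourceManager_SystemCall_6_0_6002
    jmp NtSetInformationResourceManager_SystemCall_Unknown
NtSetInformationResourceManager_Check_6_1_XXXX:  ; PEB.OSBuildNumber: Windows 7
    cmp dword ptr [rax+120h], 7600
    je NtSetInformationResourceManager_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtSetInformationResourceManager_SystemCall_6_1_7601
    jmp NtSetInformationResourceManager_SystemCall_Unknown
NtSetInformationResourceManager_Check_10_0_XXXX: ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationResourceManager_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationResourceManager_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationResourceManager_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationResourceManager_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationResourceManager_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationResourceManager_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationResourceManager_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationResourceManager_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationResourceManager_SystemCall_10_0_18363
    jmp NtSetInformationResourceManager_SystemCall_Unknown
NtSetInformationResourceManager_SystemCall_6_0_6000:     ; Windows Vista SP0
    mov eax, 015ch
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_6_0_6001:     ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0156h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_6_0_6002:     ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0156h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_6_1_7600:     ; Windows 7 SP0
    mov eax, 015dh
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_6_1_7601:     ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 015dh
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
    mov eax, 0173h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
    mov eax, 0176h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
    mov eax, 017dh
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
    mov eax, 0180h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
    mov eax, 0186h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
    mov eax, 018ch
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
    mov eax, 018fh
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
    mov eax, 0191h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
    mov eax, 0192h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
    mov eax, 0193h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
    mov eax, 0193h
    jmp NtSetInformationResourceManager_Epilogue
NtSetInformationResourceManager_SystemCall_Unknown:      ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationResourceManager_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationResourceManager ENDP

;-----------------------------------------------------------------------
; NtSetInformationSymbolicLink: direct system-call stub (Microsoft x64).
; Only Windows 10 builds are tabulated; every other major version is
; unsupported.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationSymbolicLink PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationSymbolicLink_Check_X_X_XXXX:     ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 10
    je NtSetInformationSymbolicLink_Check_10_0_XXXX
    jmp NtSetInformationSymbolicLink_SystemCall_Unknown
NtSetInformationSymbolicLink_Check_10_0_XXXX:    ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationSymbolicLink_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationSymbolicLink_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationSymbolicLink_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationSymbolicLink_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationSymbolicLink_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationSymbolicLink_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationSymbolicLink_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationSymbolicLink_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationSymbolicLink_SystemCall_10_0_18363
    jmp NtSetInformationSymbolicLink_SystemCall_Unknown
NtSetInformationSymbolicLink_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
    mov eax, 017eh
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
    mov eax, 0181h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
    mov eax, 0187h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
    mov eax, 018dh
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
    mov eax, 0190h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
    mov eax, 0192h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
    mov eax, 0193h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
    mov eax, 0194h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
    mov eax, 0194h
    jmp NtSetInformationSymbolicLink_Epilogue
NtSetInformationSymbolicLink_SystemCall_Unknown:         ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationSymbolicLink_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationSymbolicLink ENDP

;-----------------------------------------------------------------------
; NtSetInformationThread: direct system-call stub (Microsoft x64).
; Selects the SSN from PEB.OSMajorVersion/OSMinorVersion/OSBuildNumber.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationThread PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationThread_Check_X_X_XXXX:     ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtSetInformationThread_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetInformationThread_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationThread_Check_10_0_XXXX
    jmp NtSetInformationThread_SystemCall_Unknown
NtSetInformationThread_Check_6_X_XXXX:     ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationThread_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationThread_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationThread_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationThread_SystemCall_6_3_XXXX
    jmp NtSetInformationThread_SystemCall_Unknown
NtSetInformationThread_Check_6_0_XXXX:     ; PEB.OSBuildNumber: Vista service pack
    cmp dword ptr [rax+120h], 6000
    je NtSetInformationThread_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtSetInformationThread_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtSetInformationThread_SystemCall_6_0_6002
    jmp NtSetInformationThread_SystemCall_Unknown
NtSetInformationThread_Check_6_1_XXXX:     ; PEB.OSBuildNumber: Windows 7
    cmp dword ptr [rax+120h], 7600
    je NtSetInformationThread_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtSetInformationThread_SystemCall_6_1_7601
    jmp NtSetInformationThread_SystemCall_Unknown
NtSetInformationThread_Check_10_0_XXXX:    ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationThread_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationThread_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationThread_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationThread_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationThread_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationThread_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationThread_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationThread_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationThread_SystemCall_10_0_18363
    jmp NtSetInformationThread_SystemCall_Unknown
NtSetInformationThread_SystemCall_5_X_XXXX:      ; Windows XP and Server 2003
    mov eax, 000ah
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_0_6000:      ; Windows Vista SP0
    mov eax, 000ah
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 000ah
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 000ah
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_1_7600:      ; Windows 7 SP0
    mov eax, 000ah
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 000ah
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
    mov eax, 000bh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
    mov eax, 000ch
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
    mov eax, 000dh
    jmp NtSetInformationThread_Epilogue
NtSetInformationThread_SystemCall_Unknown:       ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationThread_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationThread ENDP

;-----------------------------------------------------------------------
; NtSetInformationToken: direct system-call stub (Microsoft x64).
; Selects the SSN from PEB.OSMajorVersion/OSMinorVersion/OSBuildNumber.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationToken PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationToken_Check_X_X_XXXX:      ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je NtSetInformationToken_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je NtSetInformationToken_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationToken_Check_10_0_XXXX
    jmp NtSetInformationToken_SystemCall_Unknown
NtSetInformationToken_Check_6_X_XXXX:      ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationToken_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationToken_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationToken_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationToken_SystemCall_6_3_XXXX
    jmp NtSetInformationToken_SystemCall_Unknown
NtSetInformationToken_Check_6_0_XXXX:      ; PEB.OSBuildNumber: Vista service pack
    cmp dword ptr [rax+120h], 6000
    je NtSetInformationToken_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtSetInformationToken_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtSetInformationToken_SystemCall_6_0_6002
    jmp NtSetInformationToken_SystemCall_Unknown
NtSetInformationToken_Check_6_1_XXXX:      ; PEB.OSBuildNumber: Windows 7
    cmp dword ptr [rax+120h], 7600
    je NtSetInformationToken_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtSetInformationToken_SystemCall_6_1_7601
    jmp NtSetInformationToken_SystemCall_Unknown
NtSetInformationToken_Check_10_0_XXXX:     ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationToken_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationToken_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationToken_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationToken_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationToken_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationToken_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationToken_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationToken_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationToken_SystemCall_10_0_18363
    jmp NtSetInformationToken_SystemCall_Unknown
NtSetInformationToken_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
    mov eax, 0102h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_0_6000:       ; Windows Vista SP0
    mov eax, 015dh
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0157h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0157h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_1_7600:       ; Windows 7 SP0
    mov eax, 015eh
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 015eh
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
    mov eax, 0174h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
    mov eax, 0177h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
    mov eax, 017fh
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
    mov eax, 0182h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
    mov eax, 0188h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
    mov eax, 018eh
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
    mov eax, 0191h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
    mov eax, 0193h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
    mov eax, 0194h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
    mov eax, 0195h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
    mov eax, 0195h
    jmp NtSetInformationToken_Epilogue
NtSetInformationToken_SystemCall_Unknown:        ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationToken_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationToken ENDP

;-----------------------------------------------------------------------
; NtSetInformationTransaction: direct system-call stub (Microsoft x64).
; Selects the SSN from PEB.OSMajorVersion/OSMinorVersion/OSBuildNumber;
; no XP/2003 entry, so major version 5 is unsupported.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationTransaction PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationTransaction_Check_X_X_XXXX:      ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je NtSetInformationTransaction_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationTransaction_Check_10_0_XXXX
    jmp NtSetInformationTransaction_SystemCall_Unknown
NtSetInformationTransaction_Check_6_X_XXXX:      ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationTransaction_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationTransaction_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationTransaction_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationTransaction_SystemCall_6_3_XXXX
    jmp NtSetInformationTransaction_SystemCall_Unknown
NtSetInformationTransaction_Check_6_0_XXXX:      ; PEB.OSBuildNumber: Vista service pack
    cmp dword ptr [rax+120h], 6000
    je NtSetInformationTransaction_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtSetInformationTransaction_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtSetInformationTransaction_SystemCall_6_0_6002
    jmp NtSetInformationTransaction_SystemCall_Unknown
NtSetInformationTransaction_Check_6_1_XXXX:      ; PEB.OSBuildNumber: Windows 7
    cmp dword ptr [rax+120h], 7600
    je NtSetInformationTransaction_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtSetInformationTransaction_SystemCall_6_1_7601
    jmp NtSetInformationTransaction_SystemCall_Unknown
NtSetInformationTransaction_Check_10_0_XXXX:     ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationTransaction_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationTransaction_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationTransaction_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationTransaction_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationTransaction_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationTransaction_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationTransaction_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationTransaction_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationTransaction_SystemCall_10_0_18363
    jmp NtSetInformationTransaction_SystemCall_Unknown
NtSetInformationTransaction_SystemCall_6_0_6000:         ; Windows Vista SP0
    mov eax, 015eh
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0158h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0158h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_6_1_7600:         ; Windows 7 SP0
    mov eax, 015fh
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 015fh
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
    mov eax, 0175h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
    mov eax, 0178h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
    mov eax, 0180h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
    mov eax, 0183h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
    mov eax, 0189h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
    mov eax, 018fh
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
    mov eax, 0192h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
    mov eax, 0194h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
    mov eax, 0195h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
    mov eax, 0196h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
    mov eax, 0196h
    jmp NtSetInformationTransaction_Epilogue
NtSetInformationTransaction_SystemCall_Unknown:          ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationTransaction_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationTransaction ENDP

;-----------------------------------------------------------------------
; NtSetInformationTransactionManager: direct system-call stub (Microsoft x64).
; Selects the SSN from PEB.OSMajorVersion/OSMinorVersion/OSBuildNumber;
; no XP/2003 entry, so major version 5 is unsupported.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationTransactionManager PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationTransactionManager_Check_X_X_XXXX:       ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je NtSetInformationTransactionManager_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationTransactionManager_Check_10_0_XXXX
    jmp NtSetInformationTransactionManager_SystemCall_Unknown
NtSetInformationTransactionManager_Check_6_X_XXXX:       ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationTransactionManager_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationTransactionManager_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationTransactionManager_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationTransactionManager_SystemCall_6_3_XXXX
    jmp NtSetInformationTransactionManager_SystemCall_Unknown
NtSetInformationTransactionManager_Check_6_0_XXXX:       ; PEB.OSBuildNumber: Vista service pack
    cmp dword ptr [rax+120h], 6000
    je NtSetInformationTransactionManager_SystemCall_6_0_6000
    cmp dword ptr [rax+120h], 6001
    je NtSetInformationTransactionManager_SystemCall_6_0_6001
    cmp dword ptr [rax+120h], 6002
    je NtSetInformationTransactionManager_SystemCall_6_0_6002
    jmp NtSetInformationTransactionManager_SystemCall_Unknown
NtSetInformationTransactionManager_Check_6_1_XXXX:       ; PEB.OSBuildNumber: Windows 7
    cmp dword ptr [rax+120h], 7600
    je NtSetInformationTransactionManager_SystemCall_6_1_7600
    cmp dword ptr [rax+120h], 7601
    je NtSetInformationTransactionManager_SystemCall_6_1_7601
    jmp NtSetInformationTransactionManager_SystemCall_Unknown
NtSetInformationTransactionManager_Check_10_0_XXXX:      ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationTransactionManager_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationTransactionManager_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationTransactionManager_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationTransactionManager_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationTransactionManager_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationTransactionManager_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationTransactionManager_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationTransactionManager_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationTransactionManager_SystemCall_10_0_18363
    jmp NtSetInformationTransactionManager_SystemCall_Unknown
NtSetInformationTransactionManager_SystemCall_6_0_6000:          ; Windows Vista SP0
    mov eax, 015fh
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0159h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0159h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_6_1_7600:          ; Windows 7 SP0
    mov eax, 0160h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0160h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
    mov eax, 0176h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
    mov eax, 0179h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
    mov eax, 0181h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
    mov eax, 0184h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
    mov eax, 018ah
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
    mov eax, 0190h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
    mov eax, 0193h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
    mov eax, 0195h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
    mov eax, 0196h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
    mov eax, 0197h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
    mov eax, 0197h
    jmp NtSetInformationTransactionManager_Epilogue
NtSetInformationTransactionManager_SystemCall_Unknown:           ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationTransactionManager_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationTransactionManager ENDP

;-----------------------------------------------------------------------
; NtSetInformationVirtualMemory: direct system-call stub (Microsoft x64).
; Tabulated only from Windows 8 (6.2) onward; Vista/7 and major version 5
; are unsupported.
; Out: rax = NTSTATUS, or STATUS_NOT_IMPLEMENTED on an untabulated build.
; Clobbers: rax, r10 (rcx, r11 by syscall).
;-----------------------------------------------------------------------
NtSetInformationVirtualMemory PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationVirtualMemory_Check_X_X_XXXX:    ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je NtSetInformationVirtualMemory_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationVirtualMemory_Check_10_0_XXXX
    jmp NtSetInformationVirtualMemory_SystemCall_Unknown
NtSetInformationVirtualMemory_Check_6_X_XXXX:    ; PEB.OSMinorVersion: 8/8.1 only
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationVirtualMemory_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationVirtualMemory_SystemCall_6_3_XXXX
    jmp NtSetInformationVirtualMemory_SystemCall_Unknown
NtSetInformationVirtualMemory_Check_10_0_XXXX:   ; PEB.OSBuildNumber: Windows 10
    cmp dword ptr [rax+120h], 10240
    je NtSetInformationVirtualMemory_SystemCall_10_0_10240
    cmp dword ptr [rax+120h], 10586
    je NtSetInformationVirtualMemory_SystemCall_10_0_10586
    cmp dword ptr [rax+120h], 14393
    je NtSetInformationVirtualMemory_SystemCall_10_0_14393
    cmp dword ptr [rax+120h], 15063
    je NtSetInformationVirtualMemory_SystemCall_10_0_15063
    cmp dword ptr [rax+120h], 16299
    je NtSetInformationVirtualMemory_SystemCall_10_0_16299
    cmp dword ptr [rax+120h], 17134
    je NtSetInformationVirtualMemory_SystemCall_10_0_17134
    cmp dword ptr [rax+120h], 17763
    je NtSetInformationVirtualMemory_SystemCall_10_0_17763
    cmp dword ptr [rax+120h], 18362
    je NtSetInformationVirtualMemory_SystemCall_10_0_18362
    cmp dword ptr [rax+120h], 18363
    je NtSetInformationVirtualMemory_SystemCall_10_0_18363
    jmp NtSetInformationVirtualMemory_SystemCall_Unknown
NtSetInformationVirtualMemory_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
    mov eax, 0177h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
    mov eax, 017ah
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
    mov eax, 0182h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
    mov eax, 0185h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
    mov eax, 018bh
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
    mov eax, 0191h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
    mov eax, 0194h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
    mov eax, 0196h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
    mov eax, 0197h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
    mov eax, 0198h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
    mov eax, 0198h
    jmp NtSetInformationVirtualMemory_Epilogue
NtSetInformationVirtualMemory_SystemCall_Unknown:        ; Unknown/unsupported version.
    mov eax, 0C0000002h                    ; STATUS_NOT_IMPLEMENTED; do not return the PEB pointer
    ret
NtSetInformationVirtualMemory_Epilogue:
    mov r10, rcx                           ; kernel takes arg1 from r10; syscall clobbers rcx
    syscall
    ret
NtSetInformationVirtualMemory ENDP

;-----------------------------------------------------------------------
; NtSetInformationWorkerFactory: direct system-call stub (Microsoft x64).
; Same dispatch shape as the stubs above; its build-number checks and
; SSN table continue on the following lines. Note that its
; _SystemCall_Unknown path (outside this span) still returns with rax
; holding the PEB pointer and should get the same STATUS_NOT_IMPLEMENTED
; fix as the stubs above.
;-----------------------------------------------------------------------
NtSetInformationWorkerFactory PROC
    mov rax, gs:[60h]                      ; rax = PEB
NtSetInformationWorkerFactory_Check_X_X_XXXX:    ; PEB.OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je NtSetInformationWorkerFactory_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je NtSetInformationWorkerFactory_Check_10_0_XXXX
    jmp NtSetInformationWorkerFactory_SystemCall_Unknown
NtSetInformationWorkerFactory_Check_6_X_XXXX:    ; PEB.OSMinorVersion: Vista/7/8/8.1
    cmp dword ptr [rax+11ch], 0
    je NtSetInformationWorkerFactory_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je NtSetInformationWorkerFactory_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je NtSetInformationWorkerFactory_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3            ; 6.3 = Windows 8.1 (was a duplicate 2)
    je NtSetInformationWorkerFactory_SystemCall_6_3_XXXX
    jmp NtSetInformationWorkerFactory_SystemCall_Unknown
NtSetInformationWorkerFactory_Check_6_0_XXXX:    ; PEB.OSBuildNumber: Vista service pack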
cmp dword ptr [rax+120h], 6000 je NtSetInformationWorkerFactory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetInformationWorkerFactory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetInformationWorkerFactory_SystemCall_6_0_6002 jmp NtSetInformationWorkerFactory_SystemCall_Unknown NtSetInformationWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetInformationWorkerFactory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetInformationWorkerFactory_SystemCall_6_1_7601 jmp NtSetInformationWorkerFactory_SystemCall_Unknown NtSetInformationWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetInformationWorkerFactory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetInformationWorkerFactory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetInformationWorkerFactory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetInformationWorkerFactory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetInformationWorkerFactory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetInformationWorkerFactory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetInformationWorkerFactory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetInformationWorkerFactory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetInformationWorkerFactory_SystemCall_10_0_18363 jmp NtSetInformationWorkerFactory_SystemCall_Unknown NtSetInformationWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0160h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 015ah jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 015ah jmp NtSetInformationWorkerFactory_Epilogue 
NtSetInformationWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0161h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0161h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0178h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 017bh jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0183h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0186h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 018ch jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0192h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0195h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0197h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0198h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0199h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0199h jmp NtSetInformationWorkerFactory_Epilogue NtSetInformationWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. 
ret NtSetInformationWorkerFactory_Epilogue: mov r10, rcx syscall ret NtSetInformationWorkerFactory ENDP NtSetIntervalProfile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetIntervalProfile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetIntervalProfile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetIntervalProfile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetIntervalProfile_Check_10_0_XXXX jmp NtSetIntervalProfile_SystemCall_Unknown NtSetIntervalProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetIntervalProfile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetIntervalProfile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetIntervalProfile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetIntervalProfile_SystemCall_6_3_XXXX jmp NtSetIntervalProfile_SystemCall_Unknown NtSetIntervalProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetIntervalProfile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetIntervalProfile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetIntervalProfile_SystemCall_6_0_6002 jmp NtSetIntervalProfile_SystemCall_Unknown NtSetIntervalProfile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetIntervalProfile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetIntervalProfile_SystemCall_6_1_7601 jmp NtSetIntervalProfile_SystemCall_Unknown NtSetIntervalProfile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetIntervalProfile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetIntervalProfile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetIntervalProfile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetIntervalProfile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetIntervalProfile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetIntervalProfile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetIntervalProfile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetIntervalProfile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetIntervalProfile_SystemCall_10_0_18363 jmp NtSetIntervalProfile_SystemCall_Unknown NtSetIntervalProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0103h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0161h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 015bh jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 015bh jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0162h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0162h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0179h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 017ch jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0184h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0187h jmp NtSetIntervalProfile_Epilogue 
NtSetIntervalProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 018dh jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0193h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0196h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0198h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0199h jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 019ah jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 019ah jmp NtSetIntervalProfile_Epilogue NtSetIntervalProfile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetIntervalProfile_Epilogue: mov r10, rcx syscall ret NtSetIntervalProfile ENDP NtSetIoCompletion PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetIoCompletion_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetIoCompletion_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetIoCompletion_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetIoCompletion_Check_10_0_XXXX jmp NtSetIoCompletion_SystemCall_Unknown NtSetIoCompletion_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetIoCompletion_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetIoCompletion_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetIoCompletion_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetIoCompletion_SystemCall_6_3_XXXX jmp NtSetIoCompletion_SystemCall_Unknown NtSetIoCompletion_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetIoCompletion_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetIoCompletion_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetIoCompletion_SystemCall_6_0_6002 jmp NtSetIoCompletion_SystemCall_Unknown NtSetIoCompletion_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetIoCompletion_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetIoCompletion_SystemCall_6_1_7601 jmp NtSetIoCompletion_SystemCall_Unknown NtSetIoCompletion_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetIoCompletion_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetIoCompletion_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetIoCompletion_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetIoCompletion_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetIoCompletion_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetIoCompletion_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetIoCompletion_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetIoCompletion_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetIoCompletion_SystemCall_10_0_18363 jmp NtSetIoCompletion_SystemCall_Unknown NtSetIoCompletion_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0104h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0162h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 015ch jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 015ch jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0163h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0163h jmp NtSetIoCompletion_Epilogue 
NtSetIoCompletion_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 017ah jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 017dh jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0185h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0188h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 018eh jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0194h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0197h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0199h jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 019ah jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 019bh jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 019bh jmp NtSetIoCompletion_Epilogue NtSetIoCompletion_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetIoCompletion_Epilogue: mov r10, rcx syscall ret NtSetIoCompletion ENDP NtSetIoCompletionEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetIoCompletionEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSetIoCompletionEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetIoCompletionEx_Check_10_0_XXXX jmp NtSetIoCompletionEx_SystemCall_Unknown NtSetIoCompletionEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 1 je NtSetIoCompletionEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetIoCompletionEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetIoCompletionEx_SystemCall_6_3_XXXX jmp NtSetIoCompletionEx_SystemCall_Unknown NtSetIoCompletionEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetIoCompletionEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetIoCompletionEx_SystemCall_6_1_7601 jmp NtSetIoCompletionEx_SystemCall_Unknown NtSetIoCompletionEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetIoCompletionEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetIoCompletionEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetIoCompletionEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetIoCompletionEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetIoCompletionEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetIoCompletionEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetIoCompletionEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetIoCompletionEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetIoCompletionEx_SystemCall_10_0_18363 jmp NtSetIoCompletionEx_SystemCall_Unknown NtSetIoCompletionEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0164h jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0164h jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 017bh jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 017eh jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0186h jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 
0189h jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 018fh jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0195h jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0198h jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 019ah jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 019bh jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 019ch jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 019ch jmp NtSetIoCompletionEx_Epilogue NtSetIoCompletionEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetIoCompletionEx_Epilogue: mov r10, rcx syscall ret NtSetIoCompletionEx ENDP NtSetLdtEntries PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetLdtEntries_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetLdtEntries_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetLdtEntries_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetLdtEntries_Check_10_0_XXXX jmp NtSetLdtEntries_SystemCall_Unknown NtSetLdtEntries_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetLdtEntries_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetLdtEntries_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetLdtEntries_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetLdtEntries_SystemCall_6_3_XXXX jmp NtSetLdtEntries_SystemCall_Unknown NtSetLdtEntries_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetLdtEntries_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetLdtEntries_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetLdtEntries_SystemCall_6_0_6002 jmp NtSetLdtEntries_SystemCall_Unknown NtSetLdtEntries_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetLdtEntries_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetLdtEntries_SystemCall_6_1_7601 jmp NtSetLdtEntries_SystemCall_Unknown NtSetLdtEntries_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetLdtEntries_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetLdtEntries_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetLdtEntries_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetLdtEntries_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetLdtEntries_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetLdtEntries_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetLdtEntries_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetLdtEntries_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetLdtEntries_SystemCall_10_0_18363 jmp NtSetLdtEntries_SystemCall_Unknown NtSetLdtEntries_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0105h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0163h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 015dh jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 015dh jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0165h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0165h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 
mov eax, 017ch jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 017fh jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0187h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 018ah jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0190h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0196h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0199h jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 019bh jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 019ch jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 019dh jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 019dh jmp NtSetLdtEntries_Epilogue NtSetLdtEntries_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetLdtEntries_Epilogue: mov r10, rcx syscall ret NtSetLdtEntries ENDP NtSetLowEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetLowEventPair_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetLowEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetLowEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetLowEventPair_Check_10_0_XXXX jmp NtSetLowEventPair_SystemCall_Unknown NtSetLowEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSetLowEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetLowEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetLowEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetLowEventPair_SystemCall_6_3_XXXX jmp NtSetLowEventPair_SystemCall_Unknown NtSetLowEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetLowEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetLowEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetLowEventPair_SystemCall_6_0_6002 jmp NtSetLowEventPair_SystemCall_Unknown NtSetLowEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetLowEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetLowEventPair_SystemCall_6_1_7601 jmp NtSetLowEventPair_SystemCall_Unknown NtSetLowEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetLowEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetLowEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetLowEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetLowEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetLowEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetLowEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetLowEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetLowEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetLowEventPair_SystemCall_10_0_18363 jmp NtSetLowEventPair_SystemCall_Unknown NtSetLowEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0106h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0164h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 015eh jmp 
NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 015eh jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0166h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0166h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 017dh jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0180h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0188h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 018bh jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0191h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0197h jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 019ah jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 019ch jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 019dh jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 019eh jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 019eh jmp NtSetLowEventPair_Epilogue NtSetLowEventPair_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetLowEventPair_Epilogue: mov r10, rcx syscall ret NtSetLowEventPair ENDP NtSetLowWaitHighEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetLowWaitHighEventPair_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtSetLowWaitHighEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetLowWaitHighEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetLowWaitHighEventPair_Check_10_0_XXXX jmp NtSetLowWaitHighEventPair_SystemCall_Unknown NtSetLowWaitHighEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetLowWaitHighEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetLowWaitHighEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetLowWaitHighEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetLowWaitHighEventPair_SystemCall_6_3_XXXX jmp NtSetLowWaitHighEventPair_SystemCall_Unknown NtSetLowWaitHighEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetLowWaitHighEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetLowWaitHighEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetLowWaitHighEventPair_SystemCall_6_0_6002 jmp NtSetLowWaitHighEventPair_SystemCall_Unknown NtSetLowWaitHighEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetLowWaitHighEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetLowWaitHighEventPair_SystemCall_6_1_7601 jmp NtSetLowWaitHighEventPair_SystemCall_Unknown NtSetLowWaitHighEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetLowWaitHighEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetLowWaitHighEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetLowWaitHighEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetLowWaitHighEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetLowWaitHighEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetLowWaitHighEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetLowWaitHighEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetLowWaitHighEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetLowWaitHighEventPair_SystemCall_10_0_18363 jmp NtSetLowWaitHighEventPair_SystemCall_Unknown NtSetLowWaitHighEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0107h jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0165h jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 015fh jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 015fh jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0167h jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0167h jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 017eh jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0181h jmp NtSetLowWaitHighEventPair_Epilogue NtSetLowWaitHighEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0189h jmp NtSetLowWaitHighEventPair_Epilogue 
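; ---- tail of NtSetLowWaitHighEventPair ----------------------------------
; The version dispatch of this stub sits above this chunk and is not
; reviewed here; only the SSN table tail, the unknown path and the epilogue
; are visible.  The unknown path now returns a defined NTSTATUS instead of
; leaving the low half of the PEB pointer in eax as the "status".
NtSetLowWaitHighEventPair_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 018ch
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0192h
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0198h
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 019bh
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 019dh
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 019eh
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 019fh
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 019fh
        jmp     NtSetLowWaitHighEventPair_Epilogue
NtSetLowWaitHighEventPair_SystemCall_Unknown:           ; no SSN known for this build
        mov     eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED (was a bare ret)
        ret
NtSetLowWaitHighEventPair_Epilogue:
        mov     r10, rcx                                ; syscall ABI: arg1 in r10, rcx is clobbered by syscall
        syscall
        ret
NtSetLowWaitHighEventPair ENDP

; ---------------------------------------------------------------------------
; DEFINE_SYSCALL_STUB stubname, n5, n6000, n6001, n6002, n7600, n7601,
;                     n62, n63, n10240, n10586, n14393, n15063, n16299,
;                     n17134, n17763, n18362, n18363
;
; Emits one x64 direct-syscall stub named <stubname>.  The stub reads the OS
; version out of the PEB (gs:[60h]), picks the System Service Number (SSN)
; that belongs to that exact OS build, mirrors rcx into r10 as the syscall
; ABI requires, and issues `syscall`.  The Microsoft x64 argument registers
; (rcx, rdx, r8, r9) and the stack arguments are passed through untouched,
; so the stub has the same C signature as the ntdll export it replaces.
;
; SSN parameters, in order:
;   n5      Windows XP / Server 2003 (major 5, any minor and build)
;   n6000   Vista SP0            n6001   Vista SP1 / Server 2008 SP0
;   n6002   Vista SP2 / Server 2008 SP2
;   n7600   7 SP0                n7601   7 SP1 / Server 2008 R2
;   n62     8 / Server 2012      n63     8.1 / Server 2012 R2
;   n10240 n10586 n14393 n15063 n16299 n17134 n17763 n18362 n18363
;           Windows 10 builds 1507, 1511, 1607, 1703, 1709, 1803, 1809,
;           1903, 1909.  Later builds are NOT in the table and take the
;           unknown path (see below) -- keep that in mind before deploying
;           these stubs on anything newer than 18363.
;
; PEB fields read (x64 layout):
;   [PEB+118h]  ULONG  OSMajorVersion
;   [PEB+11Ch]  ULONG  OSMinorVersion
;   [PEB+120h]  USHORT OSBuildNumber   -- a WORD; OSCSDVersion follows at +122h
;
; Two fixes relative to the generated code this replaces:
;   * OSBuildNumber is compared as a WORD.  A DWORD compare at +120h folds
;     OSCSDVersion (the service-pack number) into the high 16 bits and can
;     never match the bare build number on a service-packed system.
;   * The second minor-version test under major 6 compares against 3 (the
;     generated code compared against 2 twice, making the 6.3 / Windows 8.1
;     branch unreachable).
;
; Unknown/unsupported versions return STATUS_NOT_IMPLEMENTED (0C0000002h)
; so the caller sees a failing NTSTATUS rather than whatever was in eax.
;
; Clobbers: rax, r10 and, via syscall, rcx and r11.  Stack is not touched.
; ---------------------------------------------------------------------------
DEFINE_SYSCALL_STUB MACRO stubname:REQ, n5:REQ, n6000:REQ, n6001:REQ, n6002:REQ, n7600:REQ, n7601:REQ, n62:REQ, n63:REQ, n10240:REQ, n10586:REQ, n14393:REQ, n15063:REQ, n16299:REQ, n17134:REQ, n17763:REQ, n18362:REQ, n18363:REQ
stubname PROC
        mov     rax, gs:[60h]                   ; rax = PEB

stubname&_Check_X_X_XXXX:                       ; dispatch on OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      stubname&_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      stubname&_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      stubname&_Check_10_0_XXXX
        jmp     stubname&_SystemCall_Unknown

stubname&_Check_6_X_XXXX:                       ; Vista / 7 / 8 / 8.1: dispatch on OSMinorVersion
        cmp     dword ptr [rax+11ch], 0
        je      stubname&_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      stubname&_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      stubname&_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 / Server 2012 R2
        je      stubname&_SystemCall_6_3_XXXX
        jmp     stubname&_SystemCall_Unknown

stubname&_Check_6_0_XXXX:                       ; Vista: dispatch on OSBuildNumber (WORD)
        cmp     word ptr [rax+120h], 6000
        je      stubname&_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      stubname&_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      stubname&_SystemCall_6_0_6002
        jmp     stubname&_SystemCall_Unknown

stubname&_Check_6_1_XXXX:                       ; Windows 7: dispatch on OSBuildNumber (WORD)
        cmp     word ptr [rax+120h], 7600
        je      stubname&_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      stubname&_SystemCall_6_1_7601
        jmp     stubname&_SystemCall_Unknown

stubname&_Check_10_0_XXXX:                      ; Windows 10: dispatch on OSBuildNumber (WORD)
        cmp     word ptr [rax+120h], 10240
        je      stubname&_SystemCall_10_0_10240
        cmp     word ptr [rax+120h], 10586
        je      stubname&_SystemCall_10_0_10586
        cmp     word ptr [rax+120h], 14393
        je      stubname&_SystemCall_10_0_14393
        cmp     word ptr [rax+120h], 15063
        je      stubname&_SystemCall_10_0_15063
        cmp     word ptr [rax+120h], 16299
        je      stubname&_SystemCall_10_0_16299
        cmp     word ptr [rax+120h], 17134
        je      stubname&_SystemCall_10_0_17134
        cmp     word ptr [rax+120h], 17763
        je      stubname&_SystemCall_10_0_17763
        cmp     word ptr [rax+120h], 18362
        je      stubname&_SystemCall_10_0_18362
        cmp     word ptr [rax+120h], 18363
        je      stubname&_SystemCall_10_0_18363
        jmp     stubname&_SystemCall_Unknown

stubname&_SystemCall_5_X_XXXX:                  ; Windows XP and Server 2003
        mov     eax, n5
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_0_6000:                  ; Windows Vista SP0
        mov     eax, n6000
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_0_6001:                  ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, n6001
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_0_6002:                  ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, n6002
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_1_7600:                  ; Windows 7 SP0
        mov     eax, n7600
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_1_7601:                  ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, n7601
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_2_XXXX:                  ; Windows 8 and Server 2012
        mov     eax, n62
        jmp     stubname&_Epilogue
stubname&_SystemCall_6_3_XXXX:                  ; Windows 8.1 and Server 2012 R2
        mov     eax, n63
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_10240:                ; Windows 10.0.10240 (1507)
        mov     eax, n10240
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_10586:                ; Windows 10.0.10586 (1511)
        mov     eax, n10586
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_14393:                ; Windows 10.0.14393 (1607)
        mov     eax, n14393
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_15063:                ; Windows 10.0.15063 (1703)
        mov     eax, n15063
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_16299:                ; Windows 10.0.16299 (1709)
        mov     eax, n16299
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_17134:                ; Windows 10.0.17134 (1803)
        mov     eax, n17134
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_17763:                ; Windows 10.0.17763 (1809)
        mov     eax, n17763
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_18362:                ; Windows 10.0.18362 (1903)
        mov     eax, n18362
        jmp     stubname&_Epilogue
stubname&_SystemCall_10_0_18363:                ; Windows 10.0.18363 (1909)
        mov     eax, n18363
        jmp     stubname&_Epilogue

stubname&_SystemCall_Unknown:                   ; no SSN known for this OS build
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED
        ret

stubname&_Epilogue:
        mov     r10, rcx                        ; syscall ABI: arg1 in r10 (rcx is overwritten by syscall)
        syscall
        ret
stubname ENDP
        ENDM

; Stub definitions.  Argument order is the SSN list documented on the macro:
;   XP, Vista SP0, Vista SP1, Vista SP2, 7 SP0, 7 SP1, 8, 8.1,
;   10 1507, 1511, 1607, 1703, 1709, 1803, 1809, 1903, 1909
DEFINE_SYSCALL_STUB NtSetQuotaInformationFile,     0108h, 0166h, 0160h, 0160h, 0168h, 0168h, 017fh, 0182h, 018ah, 018dh, 0193h, 0199h, 019ch, 019eh, 019fh, 01a0h, 01a0h
DEFINE_SYSCALL_STUB NtSetSecurityObject,           0109h, 0167h, 0161h, 0161h, 0169h, 0169h, 0180h, 0183h, 018bh, 018eh, 0194h, 019ah, 019dh, 019fh, 01a0h, 01a1h, 01a1h
DEFINE_SYSCALL_STUB NtSetSystemEnvironmentValue,   010ah, 0168h, 0162h, 0162h, 016ah, 016ah, 0181h, 0184h, 018ch, 018fh, 0195h, 019bh, 019eh, 01a0h, 01a1h, 01a2h, 01a2h
DEFINE_SYSCALL_STUB NtSetSystemEnvironmentValueEx, 010bh, 0169h, 0163h, 0163h, 016bh, 016bh, 0182h, 0185h, 018dh, 0190h, 0196h, 019ch, 019fh, 01a1h, 01a2h, 01a3h, 01a3h
DEFINE_SYSCALL_STUB NtSetSystemInformation,        010ch, 016ah, 0164h, 0164h, 016ch, 016ch, 0183h, 0186h, 018eh, 0191h, 0197h, 019dh, 01a0h, 01a2h, 01a3h, 01a4h, 01a4h
DEFINE_SYSCALL_STUB NtSetSystemPowerState,         010dh, 016bh, 0165h, 0165h, 016dh, 016dh, 0184h, 0187h, 018fh, 0192h, 0198h, 019eh, 01a1h, 01a3h, 01a4h, 01a5h, 01a5h
DEFINE_SYSCALL_STUB NtSetSystemTime,               010eh, 016ch, 0166h, 0166h, 016eh, 016eh, 0185h, 0188h, 0190h, 0193h, 0199h, 019fh, 01a2h, 01a4h, 01a5h, 01a6h, 01a6h
DEFINE_SYSCALL_STUB NtSetThreadExecutionState,     010fh, 016dh, 0167h, 0167h, 016fh, 016fh, 0186h, 0189h, 0191h, 0194h, 019ah, 01a0h, 01a3h, 01a5h, 01a6h, 01a7h, 01a7h

; ---- head of NtSetTimer ---------------------------------------------------
; Only the version dispatch up to the Windows 10 build check is in this
; chunk; the Windows 10 build compares, the SSN table and the epilogue
; continue on the following lines of the file, so this stub is left as
; open-coded assembly rather than converted to DEFINE_SYSCALL_STUB.  The two
; dispatch fixes from the macro (minor version 3 for 8.1, WORD compare of
; OSBuildNumber) are applied to the part that is visible here.
NtSetTimer PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSetTimer_Check_X_X_XXXX:                      ; dispatch on OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSetTimer_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSetTimer_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSetTimer_Check_10_0_XXXX
        jmp     NtSetTimer_SystemCall_Unknown
NtSetTimer_Check_6_X_XXXX:                      ; Vista / 7 / 8 / 8.1: dispatch on OSMinorVersion
        cmp     dword ptr [rax+11ch], 0
        je      NtSetTimer_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSetTimer_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSetTimer_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; 6.3 = Windows 8.1 (generated code compared 2 twice)
        je      NtSetTimer_SystemCall_6_3_XXXX
        jmp     NtSetTimer_SystemCall_Unknown
NtSetTimer_Check_6_0_XXXX:                      ; Vista: dispatch on OSBuildNumber (WORD, see macro notes)
        cmp     word ptr [rax+120h], 6000
        je      NtSetTimer_SystemCall_6_0_6000
        cmp     word ptr [rax+120h], 6001
        je      NtSetTimer_SystemCall_6_0_6001
        cmp     word ptr [rax+120h], 6002
        je      NtSetTimer_SystemCall_6_0_6002
        jmp     NtSetTimer_SystemCall_Unknown
NtSetTimer_Check_6_1_XXXX:                      ; Windows 7: dispatch on OSBuildNumber (WORD)
        cmp     word ptr [rax+120h], 7600
        je      NtSetTimer_SystemCall_6_1_7600
        cmp     word ptr [rax+120h], 7601
        je      NtSetTimer_SystemCall_6_1_7601
        jmp     NtSetTimer_SystemCall_Unknown
NtSetTimer_Check_10_0_XXXX:                     ; Windows 10 build dispatch continues on the next line of the file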
cmp dword ptr [rax+120h], 10240 je NtSetTimer_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetTimer_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetTimer_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetTimer_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetTimer_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetTimer_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetTimer_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetTimer_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetTimer_SystemCall_10_0_18363 jmp NtSetTimer_SystemCall_Unknown NtSetTimer_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 005fh jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 005fh jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 005fh jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 005fh jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 005fh jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 005fh jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0060h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0061h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_17134: ; 
Windows 10.0.17134 (1803) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0062h jmp NtSetTimer_Epilogue NtSetTimer_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetTimer_Epilogue: mov r10, rcx syscall ret NtSetTimer ENDP NtSetTimer2 PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetTimer2_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSetTimer2_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetTimer2_Check_10_0_XXXX jmp NtSetTimer2_SystemCall_Unknown NtSetTimer2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtSetTimer2_SystemCall_6_3_XXXX jmp NtSetTimer2_SystemCall_Unknown NtSetTimer2_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetTimer2_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetTimer2_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetTimer2_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetTimer2_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetTimer2_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetTimer2_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetTimer2_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetTimer2_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetTimer2_SystemCall_10_0_18363 jmp NtSetTimer2_SystemCall_Unknown NtSetTimer2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 018ah jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0192h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0195h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) mov eax, 019bh jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a1h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01a4h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01a6h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01a7h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01a8h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01a8h jmp NtSetTimer2_Epilogue NtSetTimer2_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetTimer2_Epilogue: mov r10, rcx syscall ret NtSetTimer2 ENDP NtSetTimerEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetTimerEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSetTimerEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetTimerEx_Check_10_0_XXXX jmp NtSetTimerEx_SystemCall_Unknown NtSetTimerEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 1 je NtSetTimerEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetTimerEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetTimerEx_SystemCall_6_3_XXXX jmp NtSetTimerEx_SystemCall_Unknown NtSetTimerEx_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetTimerEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetTimerEx_SystemCall_6_1_7601 jmp NtSetTimerEx_SystemCall_Unknown NtSetTimerEx_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetTimerEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetTimerEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetTimerEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetTimerEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetTimerEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetTimerEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetTimerEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetTimerEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetTimerEx_SystemCall_10_0_18363 jmp NtSetTimerEx_SystemCall_Unknown NtSetTimerEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0170h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0170h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0187h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 018bh jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0193h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0196h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 019ch jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a2h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01a5h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01a7h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01a8h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01a9h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 
01a9h jmp NtSetTimerEx_Epilogue NtSetTimerEx_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetTimerEx_Epilogue: mov r10, rcx syscall ret NtSetTimerEx ENDP NtSetTimerResolution PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetTimerResolution_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetTimerResolution_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetTimerResolution_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetTimerResolution_Check_10_0_XXXX jmp NtSetTimerResolution_SystemCall_Unknown NtSetTimerResolution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetTimerResolution_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetTimerResolution_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetTimerResolution_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetTimerResolution_SystemCall_6_3_XXXX jmp NtSetTimerResolution_SystemCall_Unknown NtSetTimerResolution_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetTimerResolution_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetTimerResolution_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetTimerResolution_SystemCall_6_0_6002 jmp NtSetTimerResolution_SystemCall_Unknown NtSetTimerResolution_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetTimerResolution_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetTimerResolution_SystemCall_6_1_7601 jmp NtSetTimerResolution_SystemCall_Unknown NtSetTimerResolution_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetTimerResolution_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetTimerResolution_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetTimerResolution_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetTimerResolution_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetTimerResolution_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetTimerResolution_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetTimerResolution_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetTimerResolution_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetTimerResolution_SystemCall_10_0_18363 jmp NtSetTimerResolution_SystemCall_Unknown NtSetTimerResolution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0110h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 016eh jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0168h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0168h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0171h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0171h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0188h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 018ch jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0194h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0197h jmp NtSetTimerResolution_Epilogue 
NtSetTimerResolution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 019dh jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a3h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01a6h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01a8h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01a9h jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01aah jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01aah jmp NtSetTimerResolution_Epilogue NtSetTimerResolution_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetTimerResolution_Epilogue: mov r10, rcx syscall ret NtSetTimerResolution ENDP NtSetUuidSeed PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetUuidSeed_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetUuidSeed_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetUuidSeed_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetUuidSeed_Check_10_0_XXXX jmp NtSetUuidSeed_SystemCall_Unknown NtSetUuidSeed_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetUuidSeed_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetUuidSeed_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetUuidSeed_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetUuidSeed_SystemCall_6_3_XXXX jmp NtSetUuidSeed_SystemCall_Unknown NtSetUuidSeed_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetUuidSeed_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetUuidSeed_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetUuidSeed_SystemCall_6_0_6002 jmp NtSetUuidSeed_SystemCall_Unknown NtSetUuidSeed_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetUuidSeed_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetUuidSeed_SystemCall_6_1_7601 jmp NtSetUuidSeed_SystemCall_Unknown NtSetUuidSeed_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetUuidSeed_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetUuidSeed_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetUuidSeed_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetUuidSeed_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetUuidSeed_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetUuidSeed_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetUuidSeed_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetUuidSeed_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetUuidSeed_SystemCall_10_0_18363 jmp NtSetUuidSeed_SystemCall_Unknown NtSetUuidSeed_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0111h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 016fh jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0169h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0169h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0172h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0172h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0189h jmp NtSetUuidSeed_Epilogue 
NtSetUuidSeed_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 018dh jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0195h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0198h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 019eh jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a4h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01a7h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01a9h jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01aah jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01abh jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01abh jmp NtSetUuidSeed_Epilogue NtSetUuidSeed_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetUuidSeed_Epilogue: mov r10, rcx syscall ret NtSetUuidSeed ENDP NtSetValueKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetValueKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetValueKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetValueKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetValueKey_Check_10_0_XXXX jmp NtSetValueKey_SystemCall_Unknown NtSetValueKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSetValueKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetValueKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetValueKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetValueKey_SystemCall_6_3_XXXX jmp NtSetValueKey_SystemCall_Unknown NtSetValueKey_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtSetValueKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetValueKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetValueKey_SystemCall_6_0_6002 jmp NtSetValueKey_SystemCall_Unknown NtSetValueKey_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetValueKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetValueKey_SystemCall_6_1_7601 jmp NtSetValueKey_SystemCall_Unknown NtSetValueKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSetValueKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetValueKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetValueKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetValueKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetValueKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetValueKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetValueKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetValueKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetValueKey_SystemCall_10_0_18363 jmp NtSetValueKey_SystemCall_Unknown NtSetValueKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 005dh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 005dh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 005dh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 005dh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 005dh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 005dh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 005eh jmp NtSetValueKey_Epilogue 
NtSetValueKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 005fh jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0060h jmp NtSetValueKey_Epilogue NtSetValueKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetValueKey_Epilogue: mov r10, rcx syscall ret NtSetValueKey ENDP NtSetVolumeInformationFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetVolumeInformationFile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSetVolumeInformationFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSetVolumeInformationFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetVolumeInformationFile_Check_10_0_XXXX jmp NtSetVolumeInformationFile_SystemCall_Unknown NtSetVolumeInformationFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSetVolumeInformationFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSetVolumeInformationFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSetVolumeInformationFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSetVolumeInformationFile_SystemCall_6_3_XXXX jmp NtSetVolumeInformationFile_SystemCall_Unknown NtSetVolumeInformationFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSetVolumeInformationFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSetVolumeInformationFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSetVolumeInformationFile_SystemCall_6_0_6002 jmp NtSetVolumeInformationFile_SystemCall_Unknown NtSetVolumeInformationFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSetVolumeInformationFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSetVolumeInformationFile_SystemCall_6_1_7601 jmp NtSetVolumeInformationFile_SystemCall_Unknown NtSetVolumeInformationFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetVolumeInformationFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetVolumeInformationFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetVolumeInformationFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetVolumeInformationFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetVolumeInformationFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetVolumeInformationFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetVolumeInformationFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetVolumeInformationFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetVolumeInformationFile_SystemCall_10_0_18363 jmp NtSetVolumeInformationFile_SystemCall_Unknown NtSetVolumeInformationFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0112h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0170h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 016ah jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 016ah jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0173h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0173h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 018ah jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 018eh jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0196h jmp 
NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0199h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 019fh jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a5h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01a8h jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01aah jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01abh jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01ach jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01ach jmp NtSetVolumeInformationFile_Epilogue NtSetVolumeInformationFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetVolumeInformationFile_Epilogue: mov r10, rcx syscall ret NtSetVolumeInformationFile ENDP NtSetWnfProcessNotificationEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSetWnfProcessNotificationEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSetWnfProcessNotificationEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSetWnfProcessNotificationEvent_Check_10_0_XXXX jmp NtSetWnfProcessNotificationEvent_SystemCall_Unknown NtSetWnfProcessNotificationEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtSetWnfProcessNotificationEvent_SystemCall_6_3_XXXX jmp NtSetWnfProcessNotificationEvent_SystemCall_Unknown NtSetWnfProcessNotificationEvent_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSetWnfProcessNotificationEvent_SystemCall_10_0_18363 jmp NtSetWnfProcessNotificationEvent_SystemCall_Unknown NtSetWnfProcessNotificationEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 018fh jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0197h jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 019ah jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a0h jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a6h jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01a9h jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01abh jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01ach jmp 
NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01adh jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01adh jmp NtSetWnfProcessNotificationEvent_Epilogue NtSetWnfProcessNotificationEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSetWnfProcessNotificationEvent_Epilogue: mov r10, rcx syscall ret NtSetWnfProcessNotificationEvent ENDP NtShutdownSystem PROC mov rax, gs:[60h] ; Load PEB into RAX. NtShutdownSystem_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtShutdownSystem_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtShutdownSystem_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtShutdownSystem_Check_10_0_XXXX jmp NtShutdownSystem_SystemCall_Unknown NtShutdownSystem_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtShutdownSystem_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtShutdownSystem_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtShutdownSystem_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtShutdownSystem_SystemCall_6_3_XXXX jmp NtShutdownSystem_SystemCall_Unknown NtShutdownSystem_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtShutdownSystem_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtShutdownSystem_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtShutdownSystem_SystemCall_6_0_6002 jmp NtShutdownSystem_SystemCall_Unknown NtShutdownSystem_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtShutdownSystem_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtShutdownSystem_SystemCall_6_1_7601 jmp NtShutdownSystem_SystemCall_Unknown NtShutdownSystem_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtShutdownSystem_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtShutdownSystem_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtShutdownSystem_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtShutdownSystem_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtShutdownSystem_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtShutdownSystem_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtShutdownSystem_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtShutdownSystem_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtShutdownSystem_SystemCall_10_0_18363 jmp NtShutdownSystem_SystemCall_Unknown NtShutdownSystem_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0113h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0171h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 016bh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 016bh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0174h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0174h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 018bh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0190h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0198h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 019bh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a1h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_15063: ; 
Windows 10.0.15063 (1703) mov eax, 01a7h jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01aah jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01ach jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01adh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01aeh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01aeh jmp NtShutdownSystem_Epilogue NtShutdownSystem_SystemCall_Unknown: ; Unknown/unsupported version. ret NtShutdownSystem_Epilogue: mov r10, rcx syscall ret NtShutdownSystem ENDP NtShutdownWorkerFactory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtShutdownWorkerFactory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtShutdownWorkerFactory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtShutdownWorkerFactory_Check_10_0_XXXX jmp NtShutdownWorkerFactory_SystemCall_Unknown NtShutdownWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtShutdownWorkerFactory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtShutdownWorkerFactory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtShutdownWorkerFactory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtShutdownWorkerFactory_SystemCall_6_3_XXXX jmp NtShutdownWorkerFactory_SystemCall_Unknown NtShutdownWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtShutdownWorkerFactory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtShutdownWorkerFactory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtShutdownWorkerFactory_SystemCall_6_0_6002 jmp NtShutdownWorkerFactory_SystemCall_Unknown NtShutdownWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtShutdownWorkerFactory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtShutdownWorkerFactory_SystemCall_6_1_7601 jmp NtShutdownWorkerFactory_SystemCall_Unknown NtShutdownWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtShutdownWorkerFactory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtShutdownWorkerFactory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtShutdownWorkerFactory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtShutdownWorkerFactory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtShutdownWorkerFactory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtShutdownWorkerFactory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtShutdownWorkerFactory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtShutdownWorkerFactory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtShutdownWorkerFactory_SystemCall_10_0_18363 jmp NtShutdownWorkerFactory_SystemCall_Unknown NtShutdownWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0172h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 016ch jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 016ch jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0175h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0175h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 018ch jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0191h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_10240: 
; Windows 10.0.10240 (1507) mov eax, 0199h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 019ch jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a2h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a8h jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01abh jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01adh jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01aeh jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01afh jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01afh jmp NtShutdownWorkerFactory_Epilogue NtShutdownWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtShutdownWorkerFactory_Epilogue: mov r10, rcx syscall ret NtShutdownWorkerFactory ENDP NtSignalAndWaitForSingleObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSignalAndWaitForSingleObject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSignalAndWaitForSingleObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSignalAndWaitForSingleObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSignalAndWaitForSingleObject_Check_10_0_XXXX jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown NtSignalAndWaitForSingleObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSignalAndWaitForSingleObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSignalAndWaitForSingleObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSignalAndWaitForSingleObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSignalAndWaitForSingleObject_SystemCall_6_3_XXXX jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown NtSignalAndWaitForSingleObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSignalAndWaitForSingleObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSignalAndWaitForSingleObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSignalAndWaitForSingleObject_SystemCall_6_0_6002 jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown NtSignalAndWaitForSingleObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSignalAndWaitForSingleObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSignalAndWaitForSingleObject_SystemCall_6_1_7601 jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown NtSignalAndWaitForSingleObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtSignalAndWaitForSingleObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSignalAndWaitForSingleObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSignalAndWaitForSingleObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSignalAndWaitForSingleObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSignalAndWaitForSingleObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSignalAndWaitForSingleObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSignalAndWaitForSingleObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSignalAndWaitForSingleObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSignalAndWaitForSingleObject_SystemCall_10_0_18363 jmp NtSignalAndWaitForSingleObject_SystemCall_Unknown NtSignalAndWaitForSingleObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0114h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0173h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 016dh jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 016dh jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0176h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0176h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 018dh jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0192h jmp NtSignalAndWaitForSingleObject_Epilogue 
NtSignalAndWaitForSingleObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 019ah jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 019dh jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a3h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01a9h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01ach jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01aeh jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01afh jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01b0h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01b0h jmp NtSignalAndWaitForSingleObject_Epilogue NtSignalAndWaitForSingleObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSignalAndWaitForSingleObject_Epilogue: mov r10, rcx syscall ret NtSignalAndWaitForSingleObject ENDP NtSinglePhaseReject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSinglePhaseReject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSinglePhaseReject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSinglePhaseReject_Check_10_0_XXXX jmp NtSinglePhaseReject_SystemCall_Unknown NtSinglePhaseReject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtSinglePhaseReject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSinglePhaseReject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSinglePhaseReject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSinglePhaseReject_SystemCall_6_3_XXXX jmp NtSinglePhaseReject_SystemCall_Unknown NtSinglePhaseReject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSinglePhaseReject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSinglePhaseReject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSinglePhaseReject_SystemCall_6_0_6002 jmp NtSinglePhaseReject_SystemCall_Unknown NtSinglePhaseReject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtSinglePhaseReject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSinglePhaseReject_SystemCall_6_1_7601 jmp NtSinglePhaseReject_SystemCall_Unknown NtSinglePhaseReject_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSinglePhaseReject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSinglePhaseReject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSinglePhaseReject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSinglePhaseReject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSinglePhaseReject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSinglePhaseReject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSinglePhaseReject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSinglePhaseReject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSinglePhaseReject_SystemCall_10_0_18363 jmp NtSinglePhaseReject_SystemCall_Unknown NtSinglePhaseReject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0174h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 016eh jmp NtSinglePhaseReject_Epilogue 
NtSinglePhaseReject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 016eh jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0177h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0177h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 018eh jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0193h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 019bh jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 019eh jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a4h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01aah jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01adh jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01afh jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01b0h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01b1h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01b1h jmp NtSinglePhaseReject_Epilogue NtSinglePhaseReject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSinglePhaseReject_Epilogue: mov r10, rcx syscall ret NtSinglePhaseReject ENDP NtStartProfile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtStartProfile_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtStartProfile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtStartProfile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtStartProfile_Check_10_0_XXXX jmp NtStartProfile_SystemCall_Unknown NtStartProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtStartProfile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtStartProfile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtStartProfile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtStartProfile_SystemCall_6_3_XXXX jmp NtStartProfile_SystemCall_Unknown NtStartProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtStartProfile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtStartProfile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtStartProfile_SystemCall_6_0_6002 jmp NtStartProfile_SystemCall_Unknown NtStartProfile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtStartProfile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtStartProfile_SystemCall_6_1_7601 jmp NtStartProfile_SystemCall_Unknown NtStartProfile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtStartProfile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtStartProfile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtStartProfile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtStartProfile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtStartProfile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtStartProfile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtStartProfile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtStartProfile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtStartProfile_SystemCall_10_0_18363 jmp NtStartProfile_SystemCall_Unknown NtStartProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0115h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0175h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 016fh jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 016fh jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0178h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0178h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 018fh jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0194h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 019ch jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 019fh jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a5h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01abh jmp NtStartProfile_Epilogue 
NtStartProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01aeh jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01b0h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01b1h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01b2h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01b2h jmp NtStartProfile_Epilogue NtStartProfile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtStartProfile_Epilogue: mov r10, rcx syscall ret NtStartProfile ENDP NtStartTm PROC mov rax, gs:[60h] ; Load PEB into RAX. NtStartTm_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtStartTm_Check_6_X_XXXX jmp NtStartTm_SystemCall_Unknown NtStartTm_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtStartTm_Check_6_0_XXXX jmp NtStartTm_SystemCall_Unknown NtStartTm_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtStartTm_SystemCall_6_0_6000 jmp NtStartTm_SystemCall_Unknown NtStartTm_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0176h jmp NtStartTm_Epilogue NtStartTm_SystemCall_Unknown: ; Unknown/unsupported version. ret NtStartTm_Epilogue: mov r10, rcx syscall ret NtStartTm ENDP NtStopProfile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtStopProfile_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtStopProfile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtStopProfile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtStopProfile_Check_10_0_XXXX jmp NtStopProfile_SystemCall_Unknown NtStopProfile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtStopProfile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtStopProfile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtStopProfile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtStopProfile_SystemCall_6_3_XXXX jmp NtStopProfile_SystemCall_Unknown NtStopProfile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtStopProfile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtStopProfile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtStopProfile_SystemCall_6_0_6002 jmp NtStopProfile_SystemCall_Unknown NtStopProfile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtStopProfile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtStopProfile_SystemCall_6_1_7601 jmp NtStopProfile_SystemCall_Unknown NtStopProfile_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtStopProfile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtStopProfile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtStopProfile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtStopProfile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtStopProfile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtStopProfile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtStopProfile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtStopProfile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtStopProfile_SystemCall_10_0_18363 jmp NtStopProfile_SystemCall_Unknown NtStopProfile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0116h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0177h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0170h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0170h jmp 
NtStopProfile_Epilogue NtStopProfile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0179h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0179h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0190h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0195h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 019dh jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01a0h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a6h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01ach jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01afh jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01b1h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01b2h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01b3h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01b3h jmp NtStopProfile_Epilogue NtStopProfile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtStopProfile_Epilogue: mov r10, rcx syscall ret NtStopProfile ENDP NtSubscribeWnfStateChange PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSubscribeWnfStateChange_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtSubscribeWnfStateChange_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSubscribeWnfStateChange_Check_10_0_XXXX jmp NtSubscribeWnfStateChange_SystemCall_Unknown NtSubscribeWnfStateChange_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 2 je NtSubscribeWnfStateChange_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSubscribeWnfStateChange_SystemCall_6_3_XXXX jmp NtSubscribeWnfStateChange_SystemCall_Unknown NtSubscribeWnfStateChange_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSubscribeWnfStateChange_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSubscribeWnfStateChange_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSubscribeWnfStateChange_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSubscribeWnfStateChange_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSubscribeWnfStateChange_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSubscribeWnfStateChange_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSubscribeWnfStateChange_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSubscribeWnfStateChange_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSubscribeWnfStateChange_SystemCall_10_0_18363 jmp NtSubscribeWnfStateChange_SystemCall_Unknown NtSubscribeWnfStateChange_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0191h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0196h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 019eh jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01a1h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01a7h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01adh jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01b0h jmp NtSubscribeWnfStateChange_Epilogue 
NtSubscribeWnfStateChange_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01b2h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01b3h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01b4h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01b4h jmp NtSubscribeWnfStateChange_Epilogue NtSubscribeWnfStateChange_SystemCall_Unknown: ; Unknown/unsupported version. ret NtSubscribeWnfStateChange_Epilogue: mov r10, rcx syscall ret NtSubscribeWnfStateChange ENDP NtSuspendProcess PROC mov rax, gs:[60h] ; Load PEB into RAX. NtSuspendProcess_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtSuspendProcess_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtSuspendProcess_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtSuspendProcess_Check_10_0_XXXX jmp NtSuspendProcess_SystemCall_Unknown NtSuspendProcess_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtSuspendProcess_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtSuspendProcess_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtSuspendProcess_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtSuspendProcess_SystemCall_6_3_XXXX jmp NtSuspendProcess_SystemCall_Unknown NtSuspendProcess_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtSuspendProcess_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtSuspendProcess_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtSuspendProcess_SystemCall_6_0_6002 jmp NtSuspendProcess_SystemCall_Unknown NtSuspendProcess_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtSuspendProcess_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtSuspendProcess_SystemCall_6_1_7601 jmp NtSuspendProcess_SystemCall_Unknown NtSuspendProcess_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtSuspendProcess_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtSuspendProcess_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtSuspendProcess_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtSuspendProcess_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtSuspendProcess_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtSuspendProcess_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtSuspendProcess_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtSuspendProcess_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtSuspendProcess_SystemCall_10_0_18363 jmp NtSuspendProcess_SystemCall_Unknown NtSuspendProcess_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0117h jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0178h jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0171h jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0171h jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 017ah jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 017ah jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0192h jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0197h jmp NtSuspendProcess_Epilogue NtSuspendProcess_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 019fh jmp NtSuspendProcess_Epilogue 
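NtSuspendProcess_SystemCall_10_0_10586:         ; Windows 10.0.10586 (1511)
        mov     eax, 01a2h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_14393:         ; Windows 10.0.14393 (1607)
        mov     eax, 01a8h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_15063:         ; Windows 10.0.15063 (1703)
        mov     eax, 01aeh
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_16299:         ; Windows 10.0.16299 (1709)
        mov     eax, 01b1h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_17134:         ; Windows 10.0.17134 (1803)
        mov     eax, 01b3h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_17763:         ; Windows 10.0.17763 (1809)
        mov     eax, 01b4h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_18362:         ; Windows 10.0.18362 (1903)
        mov     eax, 01b5h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_10_0_18363:         ; Windows 10.0.18363 (1909)
        mov     eax, 01b5h
        jmp     NtSuspendProcess_Epilogue
NtSuspendProcess_SystemCall_Unknown:            ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtSuspendProcess_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtSuspendProcess ENDP

;-----------------------------------------------------------------------
; Direct system-call stubs (MASM, x64, Microsoft x64 ABI).
;
; Every stub below has the same shape:
;   1. rax = PEB (gs:[60h]); the OS version is then read from
;      PEB+118h (major), PEB+11Ch (minor) and PEB+120h (build number).
;   2. The version is matched against a table of known builds and eax is
;      loaded with the system service number that build uses.
;   3. Epilogue: r10 = rcx (syscall overwrites rcx), then syscall.  The
;      caller's argument registers and stack slots are passed through
;      untouched, so each stub is called exactly like the ntdll export of
;      the same name and returns the kernel's NTSTATUS in rax.
;
; Builds that are not in a stub's table take the _SystemCall_Unknown path
; and return STATUS_NOT_IMPLEMENTED (0C0000002h) without issuing a
; syscall.  Previously that path returned with rax still holding the PEB
; pointer, which a caller would have misread as an NTSTATUS.
;
; Fix: every _Check_6_X_XXXX block compared the minor version against 2
; twice, so the 6.3 (Windows 8.1 / Server 2012 R2) branch was unreachable
; and those systems fell through to the unknown path.  The second compare
; is now against 3.
;
; Detection note: these stubs execute the syscall instruction from this
; module's own .text rather than from ntdll.dll, and they read the PEB
; version fields directly; both are observable from a monitoring point.
;-----------------------------------------------------------------------

;-----------------------------------------------------------------------
; NtSuspendThread -- direct syscall stub; see the shared note above.
; Supports: 5.x, 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363)
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtSuspendThread PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSuspendThread_Check_X_X_XXXX:                 ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSuspendThread_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSuspendThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSuspendThread_Check_10_0_XXXX
        jmp     NtSuspendThread_SystemCall_Unknown
NtSuspendThread_Check_6_X_XXXX:                 ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtSuspendThread_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSuspendThread_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSuspendThread_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtSuspendThread_SystemCall_6_3_XXXX
        jmp     NtSuspendThread_SystemCall_Unknown
NtSuspendThread_Check_6_0_XXXX:                 ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtSuspendThread_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtSuspendThread_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtSuspendThread_SystemCall_6_0_6002
        jmp     NtSuspendThread_SystemCall_Unknown
NtSuspendThread_Check_6_1_XXXX:                 ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtSuspendThread_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtSuspendThread_SystemCall_6_1_7601
        jmp     NtSuspendThread_SystemCall_Unknown
NtSuspendThread_Check_10_0_XXXX:                ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtSuspendThread_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtSuspendThread_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtSuspendThread_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtSuspendThread_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtSuspendThread_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtSuspendThread_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtSuspendThread_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtSuspendThread_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtSuspendThread_SystemCall_10_0_18363
        jmp     NtSuspendThread_SystemCall_Unknown
NtSuspendThread_SystemCall_5_X_XXXX:            ; Windows XP and Server 2003
        mov     eax, 0118h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_0_6000:            ; Windows Vista SP0
        mov     eax, 0179h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_0_6001:            ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0172h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_0_6002:            ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0172h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_1_7600:            ; Windows 7 SP0
        mov     eax, 017bh
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_1_7601:            ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 017bh
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_2_XXXX:            ; Windows 8 and Server 2012
        mov     eax, 0193h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_6_3_XXXX:            ; Windows 8.1 and Server 2012 R2
        mov     eax, 0198h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_10240:          ; Windows 10.0.10240 (1507)
        mov     eax, 01a0h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_10586:          ; Windows 10.0.10586 (1511)
        mov     eax, 01a3h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_14393:          ; Windows 10.0.14393 (1607)
        mov     eax, 01a9h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_15063:          ; Windows 10.0.15063 (1703)
        mov     eax, 01afh
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_16299:          ; Windows 10.0.16299 (1709)
        mov     eax, 01b2h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_17134:          ; Windows 10.0.17134 (1803)
        mov     eax, 01b4h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_17763:          ; Windows 10.0.17763 (1809)
        mov     eax, 01b5h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_18362:          ; Windows 10.0.18362 (1903)
        mov     eax, 01b6h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_10_0_18363:          ; Windows 10.0.18363 (1909)
        mov     eax, 01b6h
        jmp     NtSuspendThread_Epilogue
NtSuspendThread_SystemCall_Unknown:             ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtSuspendThread_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtSuspendThread ENDP

;-----------------------------------------------------------------------
; NtSystemDebugControl -- direct syscall stub; see the shared note above.
; Supports: 5.x, 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363)
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtSystemDebugControl PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtSystemDebugControl_Check_X_X_XXXX:            ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtSystemDebugControl_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtSystemDebugControl_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtSystemDebugControl_Check_10_0_XXXX
        jmp     NtSystemDebugControl_SystemCall_Unknown
NtSystemDebugControl_Check_6_X_XXXX:            ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtSystemDebugControl_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtSystemDebugControl_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtSystemDebugControl_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtSystemDebugControl_SystemCall_6_3_XXXX
        jmp     NtSystemDebugControl_SystemCall_Unknown
NtSystemDebugControl_Check_6_0_XXXX:            ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtSystemDebugControl_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtSystemDebugControl_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtSystemDebugControl_SystemCall_6_0_6002
        jmp     NtSystemDebugControl_SystemCall_Unknown
NtSystemDebugControl_Check_6_1_XXXX:            ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtSystemDebugControl_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtSystemDebugControl_SystemCall_6_1_7601
        jmp     NtSystemDebugControl_SystemCall_Unknown
NtSystemDebugControl_Check_10_0_XXXX:           ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtSystemDebugControl_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtSystemDebugControl_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtSystemDebugControl_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtSystemDebugControl_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtSystemDebugControl_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtSystemDebugControl_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtSystemDebugControl_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtSystemDebugControl_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtSystemDebugControl_SystemCall_10_0_18363
        jmp     NtSystemDebugControl_SystemCall_Unknown
NtSystemDebugControl_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
        mov     eax, 0119h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 017ah
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0173h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0173h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 017ch
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 017ch
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 0194h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 0199h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 01a1h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 01a4h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 01aah
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 01b0h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 01b3h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 01b5h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 01b6h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 01b7h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 01b7h
        jmp     NtSystemDebugControl_Epilogue
NtSystemDebugControl_SystemCall_Unknown:        ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtSystemDebugControl_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtSystemDebugControl ENDP

;-----------------------------------------------------------------------
; NtTerminateEnclave -- direct syscall stub; see the shared note above.
; Supports: 10.0 (16299-18363) only; the service does not exist earlier,
; so every other version takes the unknown path.
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtTerminateEnclave PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtTerminateEnclave_Check_X_X_XXXX:              ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 10
        je      NtTerminateEnclave_Check_10_0_XXXX
        jmp     NtTerminateEnclave_SystemCall_Unknown
NtTerminateEnclave_Check_10_0_XXXX:             ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 16299
        je      NtTerminateEnclave_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtTerminateEnclave_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtTerminateEnclave_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtTerminateEnclave_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtTerminateEnclave_SystemCall_10_0_18363
        jmp     NtTerminateEnclave_SystemCall_Unknown
NtTerminateEnclave_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 01b4h
        jmp     NtTerminateEnclave_Epilogue
NtTerminateEnclave_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 01b6h
        jmp     NtTerminateEnclave_Epilogue
NtTerminateEnclave_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 01b7h
        jmp     NtTerminateEnclave_Epilogue
NtTerminateEnclave_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 01b8h
        jmp     NtTerminateEnclave_Epilogue
NtTerminateEnclave_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 01b8h
        jmp     NtTerminateEnclave_Epilogue
NtTerminateEnclave_SystemCall_Unknown:          ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtTerminateEnclave_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtTerminateEnclave ENDP

;-----------------------------------------------------------------------
; NtTerminateJobObject -- direct syscall stub; see the shared note above.
; Supports: 5.x, 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363)
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtTerminateJobObject PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtTerminateJobObject_Check_X_X_XXXX:            ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtTerminateJobObject_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtTerminateJobObject_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtTerminateJobObject_Check_10_0_XXXX
        jmp     NtTerminateJobObject_SystemCall_Unknown
NtTerminateJobObject_Check_6_X_XXXX:            ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtTerminateJobObject_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtTerminateJobObject_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtTerminateJobObject_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtTerminateJobObject_SystemCall_6_3_XXXX
        jmp     NtTerminateJobObject_SystemCall_Unknown
NtTerminateJobObject_Check_6_0_XXXX:            ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtTerminateJobObject_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtTerminateJobObject_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtTerminateJobObject_SystemCall_6_0_6002
        jmp     NtTerminateJobObject_SystemCall_Unknown
NtTerminateJobObject_Check_6_1_XXXX:            ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtTerminateJobObject_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtTerminateJobObject_SystemCall_6_1_7601
        jmp     NtTerminateJobObject_SystemCall_Unknown
NtTerminateJobObject_Check_10_0_XXXX:           ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtTerminateJobObject_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtTerminateJobObject_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtTerminateJobObject_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtTerminateJobObject_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtTerminateJobObject_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtTerminateJobObject_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtTerminateJobObject_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtTerminateJobObject_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtTerminateJobObject_SystemCall_10_0_18363
        jmp     NtTerminateJobObject_SystemCall_Unknown
NtTerminateJobObject_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
        mov     eax, 011ah
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_0_6000:       ; Windows Vista SP0
        mov     eax, 017bh
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0174h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0174h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_1_7600:       ; Windows 7 SP0
        mov     eax, 017dh
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 017dh
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
        mov     eax, 0195h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
        mov     eax, 019ah
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
        mov     eax, 01a2h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
        mov     eax, 01a5h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
        mov     eax, 01abh
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
        mov     eax, 01b1h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
        mov     eax, 01b5h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
        mov     eax, 01b7h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
        mov     eax, 01b8h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
        mov     eax, 01b9h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
        mov     eax, 01b9h
        jmp     NtTerminateJobObject_Epilogue
NtTerminateJobObject_SystemCall_Unknown:        ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtTerminateJobObject_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtTerminateJobObject ENDP

;-----------------------------------------------------------------------
; NtTerminateProcess -- direct syscall stub; see the shared note above.
; Supports: 5.x, 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363)
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtTerminateProcess PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtTerminateProcess_Check_X_X_XXXX:              ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtTerminateProcess_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtTerminateProcess_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtTerminateProcess_Check_10_0_XXXX
        jmp     NtTerminateProcess_SystemCall_Unknown
NtTerminateProcess_Check_6_X_XXXX:              ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtTerminateProcess_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtTerminateProcess_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtTerminateProcess_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtTerminateProcess_SystemCall_6_3_XXXX
        jmp     NtTerminateProcess_SystemCall_Unknown
NtTerminateProcess_Check_6_0_XXXX:              ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtTerminateProcess_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtTerminateProcess_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtTerminateProcess_SystemCall_6_0_6002
        jmp     NtTerminateProcess_SystemCall_Unknown
NtTerminateProcess_Check_6_1_XXXX:              ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtTerminateProcess_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtTerminateProcess_SystemCall_6_1_7601
        jmp     NtTerminateProcess_SystemCall_Unknown
NtTerminateProcess_Check_10_0_XXXX:             ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtTerminateProcess_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtTerminateProcess_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtTerminateProcess_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtTerminateProcess_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtTerminateProcess_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtTerminateProcess_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtTerminateProcess_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtTerminateProcess_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtTerminateProcess_SystemCall_10_0_18363
        jmp     NtTerminateProcess_SystemCall_Unknown
NtTerminateProcess_SystemCall_5_X_XXXX:         ; Windows XP and Server 2003
        mov     eax, 0029h
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 0029h
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0029h
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0029h
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_1_7600:         ; Windows 7 SP0
        mov     eax, 0029h
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0029h
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 002ah
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 002bh
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 002ch
        jmp     NtTerminateProcess_Epilogue
NtTerminateProcess_SystemCall_Unknown:          ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtTerminateProcess_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtTerminateProcess ENDP

;-----------------------------------------------------------------------
; NtTerminateThread -- direct syscall stub; see the shared note above.
; Supports: 5.x, 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363)
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtTerminateThread PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtTerminateThread_Check_X_X_XXXX:               ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtTerminateThread_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtTerminateThread_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtTerminateThread_Check_10_0_XXXX
        jmp     NtTerminateThread_SystemCall_Unknown
NtTerminateThread_Check_6_X_XXXX:               ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtTerminateThread_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtTerminateThread_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtTerminateThread_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtTerminateThread_SystemCall_6_3_XXXX
        jmp     NtTerminateThread_SystemCall_Unknown
NtTerminateThread_Check_6_0_XXXX:               ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtTerminateThread_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtTerminateThread_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtTerminateThread_SystemCall_6_0_6002
        jmp     NtTerminateThread_SystemCall_Unknown
NtTerminateThread_Check_6_1_XXXX:               ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtTerminateThread_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtTerminateThread_SystemCall_6_1_7601
        jmp     NtTerminateThread_SystemCall_Unknown
NtTerminateThread_Check_10_0_XXXX:              ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtTerminateThread_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtTerminateThread_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtTerminateThread_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtTerminateThread_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtTerminateThread_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtTerminateThread_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtTerminateThread_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtTerminateThread_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtTerminateThread_SystemCall_10_0_18363
        jmp     NtTerminateThread_SystemCall_Unknown
NtTerminateThread_SystemCall_5_X_XXXX:          ; Windows XP and Server 2003
        mov     eax, 0050h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_0_6000:          ; Windows Vista SP0
        mov     eax, 0050h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_0_6001:          ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0050h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_0_6002:          ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0050h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_1_7600:          ; Windows 7 SP0
        mov     eax, 0050h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_1_7601:          ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0050h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_2_XXXX:          ; Windows 8 and Server 2012
        mov     eax, 0051h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_6_3_XXXX:          ; Windows 8.1 and Server 2012 R2
        mov     eax, 0052h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_10240:        ; Windows 10.0.10240 (1507)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_10586:        ; Windows 10.0.10586 (1511)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_14393:        ; Windows 10.0.14393 (1607)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_15063:        ; Windows 10.0.15063 (1703)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_16299:        ; Windows 10.0.16299 (1709)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_17134:        ; Windows 10.0.17134 (1803)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_17763:        ; Windows 10.0.17763 (1809)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_18362:        ; Windows 10.0.18362 (1903)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_10_0_18363:        ; Windows 10.0.18363 (1909)
        mov     eax, 0053h
        jmp     NtTerminateThread_Epilogue
NtTerminateThread_SystemCall_Unknown:           ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtTerminateThread_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtTerminateThread ENDP

;-----------------------------------------------------------------------
; NtTestAlert -- direct syscall stub; see the shared note above.
; Supports: 5.x, 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363)
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtTestAlert PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtTestAlert_Check_X_X_XXXX:                     ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 5
        je      NtTestAlert_SystemCall_5_X_XXXX
        cmp     dword ptr [rax+118h], 6
        je      NtTestAlert_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtTestAlert_Check_10_0_XXXX
        jmp     NtTestAlert_SystemCall_Unknown
NtTestAlert_Check_6_X_XXXX:                     ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtTestAlert_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtTestAlert_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtTestAlert_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtTestAlert_SystemCall_6_3_XXXX
        jmp     NtTestAlert_SystemCall_Unknown
NtTestAlert_Check_6_0_XXXX:                     ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtTestAlert_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtTestAlert_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtTestAlert_SystemCall_6_0_6002
        jmp     NtTestAlert_SystemCall_Unknown
NtTestAlert_Check_6_1_XXXX:                     ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtTestAlert_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtTestAlert_SystemCall_6_1_7601
        jmp     NtTestAlert_SystemCall_Unknown
NtTestAlert_Check_10_0_XXXX:                    ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtTestAlert_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtTestAlert_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtTestAlert_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtTestAlert_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtTestAlert_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtTestAlert_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtTestAlert_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtTestAlert_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtTestAlert_SystemCall_10_0_18363
        jmp     NtTestAlert_SystemCall_Unknown
NtTestAlert_SystemCall_5_X_XXXX:                ; Windows XP and Server 2003
        mov     eax, 011bh
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_0_6000:                ; Windows Vista SP0
        mov     eax, 017ch
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_0_6001:                ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0175h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_0_6002:                ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0175h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_1_7600:                ; Windows 7 SP0
        mov     eax, 017eh
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_1_7601:                ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 017eh
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_2_XXXX:                ; Windows 8 and Server 2012
        mov     eax, 0196h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_6_3_XXXX:                ; Windows 8.1 and Server 2012 R2
        mov     eax, 019bh
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_10240:              ; Windows 10.0.10240 (1507)
        mov     eax, 01a3h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_10586:              ; Windows 10.0.10586 (1511)
        mov     eax, 01a6h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_14393:              ; Windows 10.0.14393 (1607)
        mov     eax, 01ach
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_15063:              ; Windows 10.0.15063 (1703)
        mov     eax, 01b2h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_16299:              ; Windows 10.0.16299 (1709)
        mov     eax, 01b6h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_17134:              ; Windows 10.0.17134 (1803)
        mov     eax, 01b8h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_17763:              ; Windows 10.0.17763 (1809)
        mov     eax, 01b9h
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_18362:              ; Windows 10.0.18362 (1903)
        mov     eax, 01bah
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_10_0_18363:              ; Windows 10.0.18363 (1909)
        mov     eax, 01bah
        jmp     NtTestAlert_Epilogue
NtTestAlert_SystemCall_Unknown:                 ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtTestAlert_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtTestAlert ENDP

;-----------------------------------------------------------------------
; NtThawRegistry -- direct syscall stub; see the shared note above.
; Supports: 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363);
; no 5.x entry, so XP/2003 take the unknown path.
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtThawRegistry PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtThawRegistry_Check_X_X_XXXX:                  ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtThawRegistry_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtThawRegistry_Check_10_0_XXXX
        jmp     NtThawRegistry_SystemCall_Unknown
NtThawRegistry_Check_6_X_XXXX:                  ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtThawRegistry_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtThawRegistry_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtThawRegistry_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtThawRegistry_SystemCall_6_3_XXXX
        jmp     NtThawRegistry_SystemCall_Unknown
NtThawRegistry_Check_6_0_XXXX:                  ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtThawRegistry_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtThawRegistry_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtThawRegistry_SystemCall_6_0_6002
        jmp     NtThawRegistry_SystemCall_Unknown
NtThawRegistry_Check_6_1_XXXX:                  ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtThawRegistry_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtThawRegistry_SystemCall_6_1_7601
        jmp     NtThawRegistry_SystemCall_Unknown
NtThawRegistry_Check_10_0_XXXX:                 ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtThawRegistry_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtThawRegistry_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtThawRegistry_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtThawRegistry_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtThawRegistry_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtThawRegistry_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtThawRegistry_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtThawRegistry_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtThawRegistry_SystemCall_10_0_18363
        jmp     NtThawRegistry_SystemCall_Unknown
NtThawRegistry_SystemCall_6_0_6000:             ; Windows Vista SP0
        mov     eax, 017dh
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_6_0_6001:             ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0176h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_6_0_6002:             ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0176h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_6_1_7600:             ; Windows 7 SP0
        mov     eax, 017fh
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_6_1_7601:             ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 017fh
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_6_2_XXXX:             ; Windows 8 and Server 2012
        mov     eax, 0197h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_6_3_XXXX:             ; Windows 8.1 and Server 2012 R2
        mov     eax, 019ch
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_10240:           ; Windows 10.0.10240 (1507)
        mov     eax, 01a4h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_10586:           ; Windows 10.0.10586 (1511)
        mov     eax, 01a7h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_14393:           ; Windows 10.0.14393 (1607)
        mov     eax, 01adh
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_15063:           ; Windows 10.0.15063 (1703)
        mov     eax, 01b3h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_16299:           ; Windows 10.0.16299 (1709)
        mov     eax, 01b7h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_17134:           ; Windows 10.0.17134 (1803)
        mov     eax, 01b9h
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_17763:           ; Windows 10.0.17763 (1809)
        mov     eax, 01bah
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_18362:           ; Windows 10.0.18362 (1903)
        mov     eax, 01bbh
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_10_0_18363:           ; Windows 10.0.18363 (1909)
        mov     eax, 01bbh
        jmp     NtThawRegistry_Epilogue
NtThawRegistry_SystemCall_Unknown:              ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtThawRegistry_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtThawRegistry ENDP

;-----------------------------------------------------------------------
; NtThawTransactions -- direct syscall stub; see the shared note above.
; Supports: 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363);
; no 5.x entry, so XP/2003 take the unknown path.
; Clobb: rax, rcx, r10, r11, flags
;-----------------------------------------------------------------------
NtThawTransactions PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtThawTransactions_Check_X_X_XXXX:              ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtThawTransactions_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtThawTransactions_Check_10_0_XXXX
        jmp     NtThawTransactions_SystemCall_Unknown
NtThawTransactions_Check_6_X_XXXX:              ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtThawTransactions_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtThawTransactions_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtThawTransactions_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtThawTransactions_SystemCall_6_3_XXXX
        jmp     NtThawTransactions_SystemCall_Unknown
NtThawTransactions_Check_6_0_XXXX:              ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtThawTransactions_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtThawTransactions_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtThawTransactions_SystemCall_6_0_6002
        jmp     NtThawTransactions_SystemCall_Unknown
NtThawTransactions_Check_6_1_XXXX:              ; Windows 7: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 7600
        je      NtThawTransactions_SystemCall_6_1_7600
        cmp     dword ptr [rax+120h], 7601
        je      NtThawTransactions_SystemCall_6_1_7601
        jmp     NtThawTransactions_SystemCall_Unknown
NtThawTransactions_Check_10_0_XXXX:             ; Windows 10: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 10240
        je      NtThawTransactions_SystemCall_10_0_10240
        cmp     dword ptr [rax+120h], 10586
        je      NtThawTransactions_SystemCall_10_0_10586
        cmp     dword ptr [rax+120h], 14393
        je      NtThawTransactions_SystemCall_10_0_14393
        cmp     dword ptr [rax+120h], 15063
        je      NtThawTransactions_SystemCall_10_0_15063
        cmp     dword ptr [rax+120h], 16299
        je      NtThawTransactions_SystemCall_10_0_16299
        cmp     dword ptr [rax+120h], 17134
        je      NtThawTransactions_SystemCall_10_0_17134
        cmp     dword ptr [rax+120h], 17763
        je      NtThawTransactions_SystemCall_10_0_17763
        cmp     dword ptr [rax+120h], 18362
        je      NtThawTransactions_SystemCall_10_0_18362
        cmp     dword ptr [rax+120h], 18363
        je      NtThawTransactions_SystemCall_10_0_18363
        jmp     NtThawTransactions_SystemCall_Unknown
NtThawTransactions_SystemCall_6_0_6000:         ; Windows Vista SP0
        mov     eax, 017eh
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_6_0_6001:         ; Windows Vista SP1 and Server 2008 SP0
        mov     eax, 0177h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_6_0_6002:         ; Windows Vista SP2 and Server 2008 SP2
        mov     eax, 0177h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_6_1_7600:         ; Windows 7 SP0
        mov     eax, 0180h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_6_1_7601:         ; Windows 7 SP1 and Server 2008 R2 SP0
        mov     eax, 0180h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_6_2_XXXX:         ; Windows 8 and Server 2012
        mov     eax, 0198h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_6_3_XXXX:         ; Windows 8.1 and Server 2012 R2
        mov     eax, 019dh
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_10240:       ; Windows 10.0.10240 (1507)
        mov     eax, 01a5h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_10586:       ; Windows 10.0.10586 (1511)
        mov     eax, 01a8h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_14393:       ; Windows 10.0.14393 (1607)
        mov     eax, 01aeh
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_15063:       ; Windows 10.0.15063 (1703)
        mov     eax, 01b4h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_16299:       ; Windows 10.0.16299 (1709)
        mov     eax, 01b8h
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_17134:       ; Windows 10.0.17134 (1803)
        mov     eax, 01bah
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_17763:       ; Windows 10.0.17763 (1809)
        mov     eax, 01bbh
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_18362:       ; Windows 10.0.18362 (1903)
        mov     eax, 01bch
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_10_0_18363:       ; Windows 10.0.18363 (1909)
        mov     eax, 01bch
        jmp     NtThawTransactions_Epilogue
NtThawTransactions_SystemCall_Unknown:          ; OS build not in the table above
        mov     eax, 0C0000002h                 ; STATUS_NOT_IMPLEMENTED; no syscall issued
        ret
NtThawTransactions_Epilogue:
        mov     r10, rcx                        ; first argument -> r10 (x64 syscall convention)
        syscall                                 ; clobbers rcx, r11
        ret
NtThawTransactions ENDP

;-----------------------------------------------------------------------
; NtTraceControl -- direct syscall stub; see the shared note above.
; Supports: 6.0 (6000-6002), 6.1 (7600/7601), 6.2, 6.3, 10.0 (10240-18363);
; no 5.x entry, so XP/2003 take the unknown path.
; Clobb: rax, rcx, r10, r11, flags
; (The remainder of this PROC continues below.)
;-----------------------------------------------------------------------
NtTraceControl PROC
        mov     rax, gs:[60h]                   ; rax = PEB
NtTraceControl_Check_X_X_XXXX:                  ; dispatch on PEB.OSMajorVersion
        cmp     dword ptr [rax+118h], 6
        je      NtTraceControl_Check_6_X_XXXX
        cmp     dword ptr [rax+118h], 10
        je      NtTraceControl_Check_10_0_XXXX
        jmp     NtTraceControl_SystemCall_Unknown
NtTraceControl_Check_6_X_XXXX:                  ; dispatch on PEB.OSMinorVersion (Vista/7/8/8.1)
        cmp     dword ptr [rax+11ch], 0
        je      NtTraceControl_Check_6_0_XXXX
        cmp     dword ptr [rax+11ch], 1
        je      NtTraceControl_Check_6_1_XXXX
        cmp     dword ptr [rax+11ch], 2
        je      NtTraceControl_SystemCall_6_2_XXXX
        cmp     dword ptr [rax+11ch], 3         ; was 2: 8.1 never matched
        je      NtTraceControl_SystemCall_6_3_XXXX
        jmp     NtTraceControl_SystemCall_Unknown
NtTraceControl_Check_6_0_XXXX:                  ; Vista: dispatch on PEB.OSBuildNumber
        cmp     dword ptr [rax+120h], 6000
        je      NtTraceControl_SystemCall_6_0_6000
        cmp     dword ptr [rax+120h], 6001
        je      NtTraceControl_SystemCall_6_0_6001
        cmp     dword ptr [rax+120h], 6002
        je      NtTraceControl_SystemCall_6_0_6002
        jmp     NtTraceControl_SystemCall_Unknown
NtTraceControl_Check_6_1_XXXX:                  ; Windows 7: dispatch on PEB.OSBuildNumber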
cmp dword ptr [rax+120h], 7600 je NtTraceControl_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtTraceControl_SystemCall_6_1_7601 jmp NtTraceControl_SystemCall_Unknown NtTraceControl_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtTraceControl_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtTraceControl_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtTraceControl_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtTraceControl_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtTraceControl_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtTraceControl_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtTraceControl_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtTraceControl_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtTraceControl_SystemCall_10_0_18363 jmp NtTraceControl_SystemCall_Unknown NtTraceControl_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 017fh jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0178h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0178h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0181h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0181h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0199h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 019eh jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01a6h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01a9h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01afh 
jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01b5h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01b9h jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01bbh jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01bch jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01bdh jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01bdh jmp NtTraceControl_Epilogue NtTraceControl_SystemCall_Unknown: ; Unknown/unsupported version. ret NtTraceControl_Epilogue: mov r10, rcx syscall ret NtTraceControl ENDP NtTraceEvent PROC mov rax, gs:[60h] ; Load PEB into RAX. NtTraceEvent_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtTraceEvent_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtTraceEvent_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtTraceEvent_Check_10_0_XXXX jmp NtTraceEvent_SystemCall_Unknown NtTraceEvent_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtTraceEvent_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtTraceEvent_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtTraceEvent_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtTraceEvent_SystemCall_6_3_XXXX jmp NtTraceEvent_SystemCall_Unknown NtTraceEvent_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtTraceEvent_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtTraceEvent_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtTraceEvent_SystemCall_6_0_6002 jmp NtTraceEvent_SystemCall_Unknown NtTraceEvent_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtTraceEvent_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtTraceEvent_SystemCall_6_1_7601 jmp NtTraceEvent_SystemCall_Unknown NtTraceEvent_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtTraceEvent_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtTraceEvent_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtTraceEvent_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtTraceEvent_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtTraceEvent_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtTraceEvent_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtTraceEvent_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtTraceEvent_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtTraceEvent_SystemCall_10_0_18363 jmp NtTraceEvent_SystemCall_Unknown NtTraceEvent_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 005bh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 005bh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 005bh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 005bh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 005bh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 005bh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 005ch jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 005dh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 005eh jmp NtTraceEvent_Epilogue NtTraceEvent_SystemCall_Unknown: ; Unknown/unsupported version. ret NtTraceEvent_Epilogue: mov r10, rcx syscall ret NtTraceEvent ENDP NtTranslateFilePath PROC mov rax, gs:[60h] ; Load PEB into RAX. NtTranslateFilePath_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtTranslateFilePath_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtTranslateFilePath_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtTranslateFilePath_Check_10_0_XXXX jmp NtTranslateFilePath_SystemCall_Unknown NtTranslateFilePath_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtTranslateFilePath_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtTranslateFilePath_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtTranslateFilePath_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtTranslateFilePath_SystemCall_6_3_XXXX jmp NtTranslateFilePath_SystemCall_Unknown NtTranslateFilePath_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtTranslateFilePath_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtTranslateFilePath_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtTranslateFilePath_SystemCall_6_0_6002 jmp NtTranslateFilePath_SystemCall_Unknown NtTranslateFilePath_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtTranslateFilePath_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtTranslateFilePath_SystemCall_6_1_7601 jmp NtTranslateFilePath_SystemCall_Unknown NtTranslateFilePath_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtTranslateFilePath_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtTranslateFilePath_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtTranslateFilePath_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtTranslateFilePath_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtTranslateFilePath_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtTranslateFilePath_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtTranslateFilePath_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtTranslateFilePath_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtTranslateFilePath_SystemCall_10_0_18363 jmp NtTranslateFilePath_SystemCall_Unknown NtTranslateFilePath_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 011ch jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0180h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0179h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0179h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0182h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 
2008 R2 SP0 mov eax, 0182h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 019ah jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 019fh jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01a7h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01aah jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01b0h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01b6h jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01bah jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01bch jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01bdh jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01beh jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01beh jmp NtTranslateFilePath_Epilogue NtTranslateFilePath_SystemCall_Unknown: ; Unknown/unsupported version. ret NtTranslateFilePath_Epilogue: mov r10, rcx syscall ret NtTranslateFilePath ENDP NtUmsThreadYield PROC mov rax, gs:[60h] ; Load PEB into RAX. NtUmsThreadYield_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtUmsThreadYield_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtUmsThreadYield_Check_10_0_XXXX jmp NtUmsThreadYield_SystemCall_Unknown NtUmsThreadYield_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 1 je NtUmsThreadYield_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtUmsThreadYield_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtUmsThreadYield_SystemCall_6_3_XXXX jmp NtUmsThreadYield_SystemCall_Unknown NtUmsThreadYield_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtUmsThreadYield_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtUmsThreadYield_SystemCall_6_1_7601 jmp NtUmsThreadYield_SystemCall_Unknown NtUmsThreadYield_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtUmsThreadYield_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtUmsThreadYield_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtUmsThreadYield_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtUmsThreadYield_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtUmsThreadYield_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtUmsThreadYield_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtUmsThreadYield_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtUmsThreadYield_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtUmsThreadYield_SystemCall_10_0_18363 jmp NtUmsThreadYield_SystemCall_Unknown NtUmsThreadYield_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0183h jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0183h jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 019bh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01a0h jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01a8h jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01abh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_14393: ; Windows 
10.0.14393 (1607) mov eax, 01b1h jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01b7h jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01bbh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01bdh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01beh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01bfh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01bfh jmp NtUmsThreadYield_Epilogue NtUmsThreadYield_SystemCall_Unknown: ; Unknown/unsupported version. ret NtUmsThreadYield_Epilogue: mov r10, rcx syscall ret NtUmsThreadYield ENDP NtUnloadDriver PROC mov rax, gs:[60h] ; Load PEB into RAX. NtUnloadDriver_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtUnloadDriver_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtUnloadDriver_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtUnloadDriver_Check_10_0_XXXX jmp NtUnloadDriver_SystemCall_Unknown NtUnloadDriver_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtUnloadDriver_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtUnloadDriver_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadDriver_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadDriver_SystemCall_6_3_XXXX jmp NtUnloadDriver_SystemCall_Unknown NtUnloadDriver_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtUnloadDriver_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtUnloadDriver_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtUnloadDriver_SystemCall_6_0_6002 jmp NtUnloadDriver_SystemCall_Unknown NtUnloadDriver_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtUnloadDriver_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtUnloadDriver_SystemCall_6_1_7601 jmp NtUnloadDriver_SystemCall_Unknown NtUnloadDriver_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtUnloadDriver_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtUnloadDriver_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtUnloadDriver_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtUnloadDriver_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtUnloadDriver_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtUnloadDriver_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtUnloadDriver_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtUnloadDriver_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtUnloadDriver_SystemCall_10_0_18363 jmp NtUnloadDriver_SystemCall_Unknown NtUnloadDriver_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 011dh jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0181h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 017ah jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 017ah jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0184h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0184h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 019ch jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01a1h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01a9h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01ach 
jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01b2h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01b8h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01bch jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01beh jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01bfh jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01c0h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01c0h jmp NtUnloadDriver_Epilogue NtUnloadDriver_SystemCall_Unknown: ; Unknown/unsupported version. ret NtUnloadDriver_Epilogue: mov r10, rcx syscall ret NtUnloadDriver ENDP NtUnloadKey PROC mov rax, gs:[60h] ; Load PEB into RAX. NtUnloadKey_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtUnloadKey_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtUnloadKey_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtUnloadKey_Check_10_0_XXXX jmp NtUnloadKey_SystemCall_Unknown NtUnloadKey_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtUnloadKey_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtUnloadKey_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadKey_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadKey_SystemCall_6_3_XXXX jmp NtUnloadKey_SystemCall_Unknown NtUnloadKey_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtUnloadKey_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtUnloadKey_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtUnloadKey_SystemCall_6_0_6002 jmp NtUnloadKey_SystemCall_Unknown NtUnloadKey_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtUnloadKey_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtUnloadKey_SystemCall_6_1_7601 jmp NtUnloadKey_SystemCall_Unknown NtUnloadKey_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtUnloadKey_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtUnloadKey_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtUnloadKey_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtUnloadKey_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtUnloadKey_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtUnloadKey_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtUnloadKey_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtUnloadKey_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtUnloadKey_SystemCall_10_0_18363 jmp NtUnloadKey_SystemCall_Unknown NtUnloadKey_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 011eh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0182h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 017bh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 017bh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0185h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0185h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 019dh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01a2h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01aah jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01adh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 
01b3h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01b9h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01bdh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01bfh jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01c0h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01c1h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01c1h jmp NtUnloadKey_Epilogue NtUnloadKey_SystemCall_Unknown: ; Unknown/unsupported version. ret NtUnloadKey_Epilogue: mov r10, rcx syscall ret NtUnloadKey ENDP NtUnloadKey2 PROC mov rax, gs:[60h] ; Load PEB into RAX. NtUnloadKey2_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtUnloadKey2_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtUnloadKey2_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtUnloadKey2_Check_10_0_XXXX jmp NtUnloadKey2_SystemCall_Unknown NtUnloadKey2_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtUnloadKey2_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtUnloadKey2_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadKey2_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadKey2_SystemCall_6_3_XXXX jmp NtUnloadKey2_SystemCall_Unknown NtUnloadKey2_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtUnloadKey2_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtUnloadKey2_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtUnloadKey2_SystemCall_6_0_6002 jmp NtUnloadKey2_SystemCall_Unknown NtUnloadKey2_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtUnloadKey2_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtUnloadKey2_SystemCall_6_1_7601 jmp NtUnloadKey2_SystemCall_Unknown NtUnloadKey2_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtUnloadKey2_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtUnloadKey2_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtUnloadKey2_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtUnloadKey2_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtUnloadKey2_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtUnloadKey2_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtUnloadKey2_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtUnloadKey2_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtUnloadKey2_SystemCall_10_0_18363 jmp NtUnloadKey2_SystemCall_Unknown NtUnloadKey2_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 011fh jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0183h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 017ch jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 017ch jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0186h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0186h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 019eh jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01a3h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01abh jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01aeh jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_14393: ; 
Windows 10.0.14393 (1607) mov eax, 01b4h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01bah jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01beh jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01c0h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01c1h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01c2h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01c2h jmp NtUnloadKey2_Epilogue NtUnloadKey2_SystemCall_Unknown: ; Unknown/unsupported version. ret NtUnloadKey2_Epilogue: mov r10, rcx syscall ret NtUnloadKey2 ENDP NtUnloadKeyEx PROC mov rax, gs:[60h] ; Load PEB into RAX. NtUnloadKeyEx_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtUnloadKeyEx_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtUnloadKeyEx_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtUnloadKeyEx_Check_10_0_XXXX jmp NtUnloadKeyEx_SystemCall_Unknown NtUnloadKeyEx_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtUnloadKeyEx_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtUnloadKeyEx_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadKeyEx_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtUnloadKeyEx_SystemCall_6_3_XXXX jmp NtUnloadKeyEx_SystemCall_Unknown NtUnloadKeyEx_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtUnloadKeyEx_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtUnloadKeyEx_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtUnloadKeyEx_SystemCall_6_0_6002 jmp NtUnloadKeyEx_SystemCall_Unknown NtUnloadKeyEx_Check_6_1_XXXX: ; Check build number for Windows 7. 
cmp dword ptr [rax+120h], 7600 je NtUnloadKeyEx_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtUnloadKeyEx_SystemCall_6_1_7601 jmp NtUnloadKeyEx_SystemCall_Unknown NtUnloadKeyEx_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtUnloadKeyEx_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtUnloadKeyEx_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtUnloadKeyEx_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtUnloadKeyEx_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtUnloadKeyEx_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtUnloadKeyEx_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtUnloadKeyEx_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtUnloadKeyEx_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtUnloadKeyEx_SystemCall_10_0_18363 jmp NtUnloadKeyEx_SystemCall_Unknown NtUnloadKeyEx_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0120h jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0184h jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 017dh jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 017dh jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0187h jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0187h jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 019fh jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01a4h jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01ach jmp NtUnloadKeyEx_Epilogue NtUnloadKeyEx_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01afh jmp NtUnloadKeyEx_Epilogue 
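; ---------------------------------------------------------------------------
; Direct-syscall stubs (Windows x64, MASM).
;
; Each PROC picks the system service number (SSN) for the running OS from the
; PEB version fields (dword major at 118h, dword minor at 11ch, build number
; at 120h), loads it into EAX and issues SYSCALL.  Arguments are the native
; Nt* routine's own (Microsoft x64 ABI: RCX, RDX, R8, R9, then stack).  RCX is
; copied to R10 because SYSCALL clobbers RCX (and R11) and the first argument
; travels in R10.  The NTSTATUS is returned in EAX.
;
; Review fixes applied to every complete PROC in this span:
;  * The Windows 8.1 branch compared the minor version against 2 twice, so
;    6.3 could never match and 8.1 / Server 2012 R2 always fell through to the
;    Unknown path.  The second compare is now against 3.
;  * The Unknown path returned with RAX still holding the PEB pointer loaded
;    by the first instruction, so the caller received the pointer's low dword
;    as its "status" (normally a positive value that passes NT_SUCCESS) even
;    though no syscall was issued.  It now returns STATUS_NOT_IMPLEMENTED
;    (0C0000002h) so callers see an explicit, checkable failure.
;  * Build-number compares use a 16-bit operand.  NOTE(review): this assumes
;    120h is the USHORT OSBuildNumber followed by USHORT OSCSDVersion (public
;    PEB layout) - confirm.  With a 32-bit compare the service-pack builds
;    (6001/6002/7601) only match while the adjacent word is zero.
;  * A build absent from a table (anything newer than 18363) takes the Unknown
;    path; extend the tables before relying on newer hosts.
; ---------------------------------------------------------------------------

; Tail of NtUnloadKeyEx.  Its head (version dispatch) lies above this span and
; is not reviewed here; the tail is reproduced unchanged apart from layout.
NtUnloadKeyEx_SystemCall_10_0_14393:            ; Windows 10.0.14393 (1607)
    mov eax, 01b5h
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_10_0_15063:            ; Windows 10.0.15063 (1703)
    mov eax, 01bbh
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_10_0_16299:            ; Windows 10.0.16299 (1709)
    mov eax, 01bfh
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_10_0_17134:            ; Windows 10.0.17134 (1803)
    mov eax, 01c1h
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_10_0_17763:            ; Windows 10.0.17763 (1809)
    mov eax, 01c2h
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_10_0_18362:            ; Windows 10.0.18362 (1903)
    mov eax, 01c3h
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_10_0_18363:            ; Windows 10.0.18363 (1909)
    mov eax, 01c3h
    jmp NtUnloadKeyEx_Epilogue
NtUnloadKeyEx_SystemCall_Unknown:               ; Unknown/unsupported version.
    ret                                         ; NOTE(review): returns with RAX = PEB pointer (see header)
NtUnloadKeyEx_Epilogue:
    mov r10, rcx
    syscall
    ret
NtUnloadKeyEx ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtUnlockFile(...)  - native arguments in RCX, RDX, R8, R9, stack.
; ---------------------------------------------------------------------------
NtUnlockFile PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtUnlockFile_Check_X_X_XXXX:                    ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je  NtUnlockFile_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je  NtUnlockFile_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtUnlockFile_Check_10_0_XXXX
    jmp NtUnlockFile_SystemCall_Unknown
NtUnlockFile_Check_6_X_XXXX:                    ; OSMinorVersion: Vista / 7 / 8 / 8.1
    cmp dword ptr [rax+11ch], 0
    je  NtUnlockFile_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je  NtUnlockFile_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je  NtUnlockFile_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtUnlockFile_SystemCall_6_3_XXXX
    jmp NtUnlockFile_SystemCall_Unknown
NtUnlockFile_Check_6_0_XXXX:                    ; OSBuildNumber: Vista / Server 2008
    cmp word ptr [rax+120h], 6000
    je  NtUnlockFile_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je  NtUnlockFile_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je  NtUnlockFile_SystemCall_6_0_6002
    jmp NtUnlockFile_SystemCall_Unknown
NtUnlockFile_Check_6_1_XXXX:                    ; OSBuildNumber: 7 / Server 2008 R2
    cmp word ptr [rax+120h], 7600
    je  NtUnlockFile_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je  NtUnlockFile_SystemCall_6_1_7601
    jmp NtUnlockFile_SystemCall_Unknown
NtUnlockFile_Check_10_0_XXXX:                   ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtUnlockFile_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtUnlockFile_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtUnlockFile_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtUnlockFile_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtUnlockFile_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtUnlockFile_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtUnlockFile_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtUnlockFile_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtUnlockFile_SystemCall_10_0_18363
    jmp NtUnlockFile_SystemCall_Unknown
NtUnlockFile_SystemCall_5_X_XXXX:               ; Windows XP and Server 2003
    mov eax, 0121h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_0_6000:               ; Windows Vista SP0
    mov eax, 0185h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_0_6001:               ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 017eh
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_0_6002:               ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 017eh
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_1_7600:               ; Windows 7 SP0
    mov eax, 0188h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_1_7601:               ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0188h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
    mov eax, 01a0h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
    mov eax, 01a5h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
    mov eax, 01adh
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
    mov eax, 01b0h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
    mov eax, 01b6h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
    mov eax, 01bch
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
    mov eax, 01c0h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
    mov eax, 01c2h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
    mov eax, 01c3h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
    mov eax, 01c4h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
    mov eax, 01c4h
    jmp NtUnlockFile_Epilogue
NtUnlockFile_SystemCall_Unknown:                ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtUnlockFile_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtUnlockFile ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtUnlockVirtualMemory(...)  - native arguments in RCX, RDX, R8, R9.
; ---------------------------------------------------------------------------
NtUnlockVirtualMemory PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtUnlockVirtualMemory_Check_X_X_XXXX:           ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je  NtUnlockVirtualMemory_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je  NtUnlockVirtualMemory_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtUnlockVirtualMemory_Check_10_0_XXXX
    jmp NtUnlockVirtualMemory_SystemCall_Unknown
NtUnlockVirtualMemory_Check_6_X_XXXX:           ; OSMinorVersion: Vista / 7 / 8 / 8.1
    cmp dword ptr [rax+11ch], 0
    je  NtUnlockVirtualMemory_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je  NtUnlockVirtualMemory_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je  NtUnlockVirtualMemory_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtUnlockVirtualMemory_SystemCall_6_3_XXXX
    jmp NtUnlockVirtualMemory_SystemCall_Unknown
NtUnlockVirtualMemory_Check_6_0_XXXX:           ; OSBuildNumber: Vista / Server 2008
    cmp word ptr [rax+120h], 6000
    je  NtUnlockVirtualMemory_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je  NtUnlockVirtualMemory_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je  NtUnlockVirtualMemory_SystemCall_6_0_6002
    jmp NtUnlockVirtualMemory_SystemCall_Unknown
NtUnlockVirtualMemory_Check_6_1_XXXX:           ; OSBuildNumber: 7 / Server 2008 R2
    cmp word ptr [rax+120h], 7600
    je  NtUnlockVirtualMemory_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je  NtUnlockVirtualMemory_SystemCall_6_1_7601
    jmp NtUnlockVirtualMemory_SystemCall_Unknown
NtUnlockVirtualMemory_Check_10_0_XXXX:          ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtUnlockVirtualMemory_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtUnlockVirtualMemory_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtUnlockVirtualMemory_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtUnlockVirtualMemory_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtUnlockVirtualMemory_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtUnlockVirtualMemory_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtUnlockVirtualMemory_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtUnlockVirtualMemory_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtUnlockVirtualMemory_SystemCall_10_0_18363
    jmp NtUnlockVirtualMemory_SystemCall_Unknown
NtUnlockVirtualMemory_SystemCall_5_X_XXXX:      ; Windows XP and Server 2003
    mov eax, 0122h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_0_6000:      ; Windows Vista SP0
    mov eax, 0186h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_0_6001:      ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 017fh
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_0_6002:      ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 017fh
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_1_7600:      ; Windows 7 SP0
    mov eax, 0189h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_1_7601:      ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0189h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_2_XXXX:      ; Windows 8 and Server 2012
    mov eax, 01a1h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_6_3_XXXX:      ; Windows 8.1 and Server 2012 R2
    mov eax, 01a6h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_10240:    ; Windows 10.0.10240 (1507)
    mov eax, 01aeh
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_10586:    ; Windows 10.0.10586 (1511)
    mov eax, 01b1h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_14393:    ; Windows 10.0.14393 (1607)
    mov eax, 01b7h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_15063:    ; Windows 10.0.15063 (1703)
    mov eax, 01bdh
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_16299:    ; Windows 10.0.16299 (1709)
    mov eax, 01c1h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_17134:    ; Windows 10.0.17134 (1803)
    mov eax, 01c3h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_17763:    ; Windows 10.0.17763 (1809)
    mov eax, 01c4h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_18362:    ; Windows 10.0.18362 (1903)
    mov eax, 01c5h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_10_0_18363:    ; Windows 10.0.18363 (1909)
    mov eax, 01c5h
    jmp NtUnlockVirtualMemory_Epilogue
NtUnlockVirtualMemory_SystemCall_Unknown:       ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtUnlockVirtualMemory_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtUnlockVirtualMemory ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtUnmapViewOfSection(...)  - native arguments in RCX, RDX.
; ---------------------------------------------------------------------------
NtUnmapViewOfSection PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtUnmapViewOfSection_Check_X_X_XXXX:            ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je  NtUnmapViewOfSection_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je  NtUnmapViewOfSection_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtUnmapViewOfSection_Check_10_0_XXXX
    jmp NtUnmapViewOfSection_SystemCall_Unknown
NtUnmapViewOfSection_Check_6_X_XXXX:            ; OSMinorVersion: Vista / 7 / 8 / 8.1
    cmp dword ptr [rax+11ch], 0
    je  NtUnmapViewOfSection_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je  NtUnmapViewOfSection_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je  NtUnmapViewOfSection_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtUnmapViewOfSection_SystemCall_6_3_XXXX
    jmp NtUnmapViewOfSection_SystemCall_Unknown
NtUnmapViewOfSection_Check_6_0_XXXX:            ; OSBuildNumber: Vista / Server 2008
    cmp word ptr [rax+120h], 6000
    je  NtUnmapViewOfSection_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je  NtUnmapViewOfSection_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je  NtUnmapViewOfSection_SystemCall_6_0_6002
    jmp NtUnmapViewOfSection_SystemCall_Unknown
NtUnmapViewOfSection_Check_6_1_XXXX:            ; OSBuildNumber: 7 / Server 2008 R2
    cmp word ptr [rax+120h], 7600
    je  NtUnmapViewOfSection_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je  NtUnmapViewOfSection_SystemCall_6_1_7601
    jmp NtUnmapViewOfSection_SystemCall_Unknown
NtUnmapViewOfSection_Check_10_0_XXXX:           ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtUnmapViewOfSection_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtUnmapViewOfSection_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtUnmapViewOfSection_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtUnmapViewOfSection_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtUnmapViewOfSection_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtUnmapViewOfSection_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtUnmapViewOfSection_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtUnmapViewOfSection_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtUnmapViewOfSection_SystemCall_10_0_18363
    jmp NtUnmapViewOfSection_SystemCall_Unknown
NtUnmapViewOfSection_SystemCall_5_X_XXXX:       ; Windows XP and Server 2003
    mov eax, 0027h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_0_6000:       ; Windows Vista SP0
    mov eax, 0027h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_0_6001:       ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0027h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_0_6002:       ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0027h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_1_7600:       ; Windows 7 SP0
    mov eax, 0027h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_1_7601:       ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 0027h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
    mov eax, 0028h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
    mov eax, 0029h
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
    mov eax, 002ah
    jmp NtUnmapViewOfSection_Epilogue
NtUnmapViewOfSection_SystemCall_Unknown:        ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtUnmapViewOfSection_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtUnmapViewOfSection ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtUnmapViewOfSectionEx(...)  - exists from Windows 8 (6.2) onwards,
; so there is no 5.x / 6.0 / 6.1 table; older hosts take the Unknown path.
; ---------------------------------------------------------------------------
NtUnmapViewOfSectionEx PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtUnmapViewOfSectionEx_Check_X_X_XXXX:          ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je  NtUnmapViewOfSectionEx_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtUnmapViewOfSectionEx_Check_10_0_XXXX
    jmp NtUnmapViewOfSectionEx_SystemCall_Unknown
NtUnmapViewOfSectionEx_Check_6_X_XXXX:          ; OSMinorVersion: 8 / 8.1
    cmp dword ptr [rax+11ch], 2
    je  NtUnmapViewOfSectionEx_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtUnmapViewOfSectionEx_SystemCall_6_3_XXXX
    jmp NtUnmapViewOfSectionEx_SystemCall_Unknown
NtUnmapViewOfSectionEx_Check_10_0_XXXX:         ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtUnmapViewOfSectionEx_SystemCall_10_0_18363
    jmp NtUnmapViewOfSectionEx_SystemCall_Unknown
NtUnmapViewOfSectionEx_SystemCall_6_2_XXXX:     ; Windows 8 and Server 2012
    mov eax, 01a2h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_6_3_XXXX:     ; Windows 8.1 and Server 2012 R2
    mov eax, 01a7h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_10240:   ; Windows 10.0.10240 (1507)
    mov eax, 01afh
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_10586:   ; Windows 10.0.10586 (1511)
    mov eax, 01b2h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_14393:   ; Windows 10.0.14393 (1607)
    mov eax, 01b8h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_15063:   ; Windows 10.0.15063 (1703)
    mov eax, 01beh
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_16299:   ; Windows 10.0.16299 (1709)
    mov eax, 01c2h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_17134:   ; Windows 10.0.17134 (1803)
    mov eax, 01c4h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_17763:   ; Windows 10.0.17763 (1809)
    mov eax, 01c5h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_18362:   ; Windows 10.0.18362 (1903)
    mov eax, 01c6h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_10_0_18363:   ; Windows 10.0.18363 (1909)
    mov eax, 01c6h
    jmp NtUnmapViewOfSectionEx_Epilogue
NtUnmapViewOfSectionEx_SystemCall_Unknown:      ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtUnmapViewOfSectionEx_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtUnmapViewOfSectionEx ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtUnsubscribeWnfStateChange(...)  - Windows 8 (6.2) onwards only.
; ---------------------------------------------------------------------------
NtUnsubscribeWnfStateChange PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtUnsubscribeWnfStateChange_Check_X_X_XXXX:     ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je  NtUnsubscribeWnfStateChange_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtUnsubscribeWnfStateChange_Check_10_0_XXXX
    jmp NtUnsubscribeWnfStateChange_SystemCall_Unknown
NtUnsubscribeWnfStateChange_Check_6_X_XXXX:     ; OSMinorVersion: 8 / 8.1
    cmp dword ptr [rax+11ch], 2
    je  NtUnsubscribeWnfStateChange_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtUnsubscribeWnfStateChange_SystemCall_6_3_XXXX
    jmp NtUnsubscribeWnfStateChange_SystemCall_Unknown
NtUnsubscribeWnfStateChange_Check_10_0_XXXX:    ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtUnsubscribeWnfStateChange_SystemCall_10_0_18363
    jmp NtUnsubscribeWnfStateChange_SystemCall_Unknown
NtUnsubscribeWnfStateChange_SystemCall_6_2_XXXX:    ; Windows 8 and Server 2012
    mov eax, 01a3h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_6_3_XXXX:    ; Windows 8.1 and Server 2012 R2
    mov eax, 01a8h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_10240:  ; Windows 10.0.10240 (1507)
    mov eax, 01b0h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_10586:  ; Windows 10.0.10586 (1511)
    mov eax, 01b3h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_14393:  ; Windows 10.0.14393 (1607)
    mov eax, 01b9h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_15063:  ; Windows 10.0.15063 (1703)
    mov eax, 01bfh
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_16299:  ; Windows 10.0.16299 (1709)
    mov eax, 01c3h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_17134:  ; Windows 10.0.17134 (1803)
    mov eax, 01c5h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_17763:  ; Windows 10.0.17763 (1809)
    mov eax, 01c6h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_18362:  ; Windows 10.0.18362 (1903)
    mov eax, 01c7h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_10_0_18363:  ; Windows 10.0.18363 (1909)
    mov eax, 01c7h
    jmp NtUnsubscribeWnfStateChange_Epilogue
NtUnsubscribeWnfStateChange_SystemCall_Unknown: ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtUnsubscribeWnfStateChange_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtUnsubscribeWnfStateChange ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtUpdateWnfStateData(...)  - Windows 8 (6.2) onwards only.
; ---------------------------------------------------------------------------
NtUpdateWnfStateData PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtUpdateWnfStateData_Check_X_X_XXXX:            ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je  NtUpdateWnfStateData_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtUpdateWnfStateData_Check_10_0_XXXX
    jmp NtUpdateWnfStateData_SystemCall_Unknown
NtUpdateWnfStateData_Check_6_X_XXXX:            ; OSMinorVersion: 8 / 8.1
    cmp dword ptr [rax+11ch], 2
    je  NtUpdateWnfStateData_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtUpdateWnfStateData_SystemCall_6_3_XXXX
    jmp NtUpdateWnfStateData_SystemCall_Unknown
NtUpdateWnfStateData_Check_10_0_XXXX:           ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtUpdateWnfStateData_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtUpdateWnfStateData_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtUpdateWnfStateData_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtUpdateWnfStateData_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtUpdateWnfStateData_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtUpdateWnfStateData_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtUpdateWnfStateData_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtUpdateWnfStateData_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtUpdateWnfStateData_SystemCall_10_0_18363
    jmp NtUpdateWnfStateData_SystemCall_Unknown
NtUpdateWnfStateData_SystemCall_6_2_XXXX:       ; Windows 8 and Server 2012
    mov eax, 01a4h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_6_3_XXXX:       ; Windows 8.1 and Server 2012 R2
    mov eax, 01a9h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_10240:     ; Windows 10.0.10240 (1507)
    mov eax, 01b1h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_10586:     ; Windows 10.0.10586 (1511)
    mov eax, 01b4h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_14393:     ; Windows 10.0.14393 (1607)
    mov eax, 01bah
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_15063:     ; Windows 10.0.15063 (1703)
    mov eax, 01c0h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_16299:     ; Windows 10.0.16299 (1709)
    mov eax, 01c4h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_17134:     ; Windows 10.0.17134 (1803)
    mov eax, 01c6h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_17763:     ; Windows 10.0.17763 (1809)
    mov eax, 01c7h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_18362:     ; Windows 10.0.18362 (1903)
    mov eax, 01c8h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_10_0_18363:     ; Windows 10.0.18363 (1909)
    mov eax, 01c8h
    jmp NtUpdateWnfStateData_Epilogue
NtUpdateWnfStateData_SystemCall_Unknown:        ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtUpdateWnfStateData_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtUpdateWnfStateData ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtVdmControl(...)  - native arguments in RCX, RDX.
; ---------------------------------------------------------------------------
NtVdmControl PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtVdmControl_Check_X_X_XXXX:                    ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je  NtVdmControl_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je  NtVdmControl_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtVdmControl_Check_10_0_XXXX
    jmp NtVdmControl_SystemCall_Unknown
NtVdmControl_Check_6_X_XXXX:                    ; OSMinorVersion: Vista / 7 / 8 / 8.1
    cmp dword ptr [rax+11ch], 0
    je  NtVdmControl_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je  NtVdmControl_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je  NtVdmControl_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtVdmControl_SystemCall_6_3_XXXX
    jmp NtVdmControl_SystemCall_Unknown
NtVdmControl_Check_6_0_XXXX:                    ; OSBuildNumber: Vista / Server 2008
    cmp word ptr [rax+120h], 6000
    je  NtVdmControl_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je  NtVdmControl_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je  NtVdmControl_SystemCall_6_0_6002
    jmp NtVdmControl_SystemCall_Unknown
NtVdmControl_Check_6_1_XXXX:                    ; OSBuildNumber: 7 / Server 2008 R2
    cmp word ptr [rax+120h], 7600
    je  NtVdmControl_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je  NtVdmControl_SystemCall_6_1_7601
    jmp NtVdmControl_SystemCall_Unknown
NtVdmControl_Check_10_0_XXXX:                   ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtVdmControl_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtVdmControl_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtVdmControl_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtVdmControl_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtVdmControl_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtVdmControl_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtVdmControl_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtVdmControl_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtVdmControl_SystemCall_10_0_18363
    jmp NtVdmControl_SystemCall_Unknown
NtVdmControl_SystemCall_5_X_XXXX:               ; Windows XP and Server 2003
    mov eax, 0123h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_0_6000:               ; Windows Vista SP0
    mov eax, 0187h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_0_6001:               ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0180h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_0_6002:               ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0180h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_1_7600:               ; Windows 7 SP0
    mov eax, 018ah
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_1_7601:               ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 018ah
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_2_XXXX:               ; Windows 8 and Server 2012
    mov eax, 01a5h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_6_3_XXXX:               ; Windows 8.1 and Server 2012 R2
    mov eax, 01aah
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_10240:             ; Windows 10.0.10240 (1507)
    mov eax, 01b2h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_10586:             ; Windows 10.0.10586 (1511)
    mov eax, 01b5h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_14393:             ; Windows 10.0.14393 (1607)
    mov eax, 01bbh
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_15063:             ; Windows 10.0.15063 (1703)
    mov eax, 01c1h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_16299:             ; Windows 10.0.16299 (1709)
    mov eax, 01c5h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_17134:             ; Windows 10.0.17134 (1803)
    mov eax, 01c7h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_17763:             ; Windows 10.0.17763 (1809)
    mov eax, 01c8h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_18362:             ; Windows 10.0.18362 (1903)
    mov eax, 01c9h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_10_0_18363:             ; Windows 10.0.18363 (1909)
    mov eax, 01c9h
    jmp NtVdmControl_Epilogue
NtVdmControl_SystemCall_Unknown:                ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtVdmControl_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtVdmControl ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtWaitForAlertByThreadId(...)  - Windows 8 (6.2) onwards only.
; ---------------------------------------------------------------------------
NtWaitForAlertByThreadId PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtWaitForAlertByThreadId_Check_X_X_XXXX:        ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 6
    je  NtWaitForAlertByThreadId_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtWaitForAlertByThreadId_Check_10_0_XXXX
    jmp NtWaitForAlertByThreadId_SystemCall_Unknown
NtWaitForAlertByThreadId_Check_6_X_XXXX:        ; OSMinorVersion: 8 / 8.1
    cmp dword ptr [rax+11ch], 2
    je  NtWaitForAlertByThreadId_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtWaitForAlertByThreadId_SystemCall_6_3_XXXX
    jmp NtWaitForAlertByThreadId_SystemCall_Unknown
NtWaitForAlertByThreadId_Check_10_0_XXXX:       ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtWaitForAlertByThreadId_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtWaitForAlertByThreadId_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtWaitForAlertByThreadId_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtWaitForAlertByThreadId_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtWaitForAlertByThreadId_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtWaitForAlertByThreadId_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtWaitForAlertByThreadId_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtWaitForAlertByThreadId_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtWaitForAlertByThreadId_SystemCall_10_0_18363
    jmp NtWaitForAlertByThreadId_SystemCall_Unknown
NtWaitForAlertByThreadId_SystemCall_6_2_XXXX:   ; Windows 8 and Server 2012
    mov eax, 01a6h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_6_3_XXXX:   ; Windows 8.1 and Server 2012 R2
    mov eax, 01abh
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507)
    mov eax, 01b3h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511)
    mov eax, 01b6h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607)
    mov eax, 01bch
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703)
    mov eax, 01c2h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709)
    mov eax, 01c6h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803)
    mov eax, 01c8h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809)
    mov eax, 01c9h
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903)
    mov eax, 01cah
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909)
    mov eax, 01cah
    jmp NtWaitForAlertByThreadId_Epilogue
NtWaitForAlertByThreadId_SystemCall_Unknown:    ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtWaitForAlertByThreadId_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtWaitForAlertByThreadId ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtWaitForDebugEvent(...)  - native arguments in RCX, RDX, R8, R9.
; ---------------------------------------------------------------------------
NtWaitForDebugEvent PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtWaitForDebugEvent_Check_X_X_XXXX:             ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je  NtWaitForDebugEvent_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je  NtWaitForDebugEvent_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtWaitForDebugEvent_Check_10_0_XXXX
    jmp NtWaitForDebugEvent_SystemCall_Unknown
NtWaitForDebugEvent_Check_6_X_XXXX:             ; OSMinorVersion: Vista / 7 / 8 / 8.1
    cmp dword ptr [rax+11ch], 0
    je  NtWaitForDebugEvent_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je  NtWaitForDebugEvent_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je  NtWaitForDebugEvent_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtWaitForDebugEvent_SystemCall_6_3_XXXX
    jmp NtWaitForDebugEvent_SystemCall_Unknown
NtWaitForDebugEvent_Check_6_0_XXXX:             ; OSBuildNumber: Vista / Server 2008
    cmp word ptr [rax+120h], 6000
    je  NtWaitForDebugEvent_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je  NtWaitForDebugEvent_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je  NtWaitForDebugEvent_SystemCall_6_0_6002
    jmp NtWaitForDebugEvent_SystemCall_Unknown
NtWaitForDebugEvent_Check_6_1_XXXX:             ; OSBuildNumber: 7 / Server 2008 R2
    cmp word ptr [rax+120h], 7600
    je  NtWaitForDebugEvent_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je  NtWaitForDebugEvent_SystemCall_6_1_7601
    jmp NtWaitForDebugEvent_SystemCall_Unknown
NtWaitForDebugEvent_Check_10_0_XXXX:            ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtWaitForDebugEvent_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtWaitForDebugEvent_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtWaitForDebugEvent_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtWaitForDebugEvent_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtWaitForDebugEvent_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtWaitForDebugEvent_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtWaitForDebugEvent_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtWaitForDebugEvent_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtWaitForDebugEvent_SystemCall_10_0_18363
    jmp NtWaitForDebugEvent_SystemCall_Unknown
NtWaitForDebugEvent_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
    mov eax, 0124h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_0_6000:        ; Windows Vista SP0
    mov eax, 0188h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0181h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0181h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_1_7600:        ; Windows 7 SP0
    mov eax, 018bh
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 018bh
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
    mov eax, 01a7h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
    mov eax, 01ach
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
    mov eax, 01b4h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
    mov eax, 01b7h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
    mov eax, 01bdh
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
    mov eax, 01c3h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
    mov eax, 01c7h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
    mov eax, 01c9h
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
    mov eax, 01cah
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
    mov eax, 01cbh
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
    mov eax, 01cbh
    jmp NtWaitForDebugEvent_Epilogue
NtWaitForDebugEvent_SystemCall_Unknown:         ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtWaitForDebugEvent_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtWaitForDebugEvent ENDP

; ---------------------------------------------------------------------------
; NTSTATUS NtWaitForKeyedEvent(...)  - native arguments in RCX, RDX, R8, R9.
; ---------------------------------------------------------------------------
NtWaitForKeyedEvent PROC
    mov rax, gs:[60h]                           ; RAX = PEB
NtWaitForKeyedEvent_Check_X_X_XXXX:             ; dispatch on OSMajorVersion
    cmp dword ptr [rax+118h], 5
    je  NtWaitForKeyedEvent_SystemCall_5_X_XXXX
    cmp dword ptr [rax+118h], 6
    je  NtWaitForKeyedEvent_Check_6_X_XXXX
    cmp dword ptr [rax+118h], 10
    je  NtWaitForKeyedEvent_Check_10_0_XXXX
    jmp NtWaitForKeyedEvent_SystemCall_Unknown
NtWaitForKeyedEvent_Check_6_X_XXXX:             ; OSMinorVersion: Vista / 7 / 8 / 8.1
    cmp dword ptr [rax+11ch], 0
    je  NtWaitForKeyedEvent_Check_6_0_XXXX
    cmp dword ptr [rax+11ch], 1
    je  NtWaitForKeyedEvent_Check_6_1_XXXX
    cmp dword ptr [rax+11ch], 2
    je  NtWaitForKeyedEvent_SystemCall_6_2_XXXX
    cmp dword ptr [rax+11ch], 3                 ; FIX: was 2, so 6.3 never matched
    je  NtWaitForKeyedEvent_SystemCall_6_3_XXXX
    jmp NtWaitForKeyedEvent_SystemCall_Unknown
NtWaitForKeyedEvent_Check_6_0_XXXX:             ; OSBuildNumber: Vista / Server 2008
    cmp word ptr [rax+120h], 6000
    je  NtWaitForKeyedEvent_SystemCall_6_0_6000
    cmp word ptr [rax+120h], 6001
    je  NtWaitForKeyedEvent_SystemCall_6_0_6001
    cmp word ptr [rax+120h], 6002
    je  NtWaitForKeyedEvent_SystemCall_6_0_6002
    jmp NtWaitForKeyedEvent_SystemCall_Unknown
NtWaitForKeyedEvent_Check_6_1_XXXX:             ; OSBuildNumber: 7 / Server 2008 R2
    cmp word ptr [rax+120h], 7600
    je  NtWaitForKeyedEvent_SystemCall_6_1_7600
    cmp word ptr [rax+120h], 7601
    je  NtWaitForKeyedEvent_SystemCall_6_1_7601
    jmp NtWaitForKeyedEvent_SystemCall_Unknown
NtWaitForKeyedEvent_Check_10_0_XXXX:            ; OSBuildNumber: Windows 10 1507-1909; later builds -> Unknown
    cmp word ptr [rax+120h], 10240
    je  NtWaitForKeyedEvent_SystemCall_10_0_10240
    cmp word ptr [rax+120h], 10586
    je  NtWaitForKeyedEvent_SystemCall_10_0_10586
    cmp word ptr [rax+120h], 14393
    je  NtWaitForKeyedEvent_SystemCall_10_0_14393
    cmp word ptr [rax+120h], 15063
    je  NtWaitForKeyedEvent_SystemCall_10_0_15063
    cmp word ptr [rax+120h], 16299
    je  NtWaitForKeyedEvent_SystemCall_10_0_16299
    cmp word ptr [rax+120h], 17134
    je  NtWaitForKeyedEvent_SystemCall_10_0_17134
    cmp word ptr [rax+120h], 17763
    je  NtWaitForKeyedEvent_SystemCall_10_0_17763
    cmp word ptr [rax+120h], 18362
    je  NtWaitForKeyedEvent_SystemCall_10_0_18362
    cmp word ptr [rax+120h], 18363
    je  NtWaitForKeyedEvent_SystemCall_10_0_18363
    jmp NtWaitForKeyedEvent_SystemCall_Unknown
NtWaitForKeyedEvent_SystemCall_5_X_XXXX:        ; Windows XP and Server 2003
    mov eax, 0125h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_0_6000:        ; Windows Vista SP0
    mov eax, 0189h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_0_6001:        ; Windows Vista SP1 and Server 2008 SP0
    mov eax, 0182h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_0_6002:        ; Windows Vista SP2 and Server 2008 SP2
    mov eax, 0182h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_1_7600:        ; Windows 7 SP0
    mov eax, 018ch
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_1_7601:        ; Windows 7 SP1 and Server 2008 R2 SP0
    mov eax, 018ch
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_2_XXXX:        ; Windows 8 and Server 2012
    mov eax, 01a8h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_6_3_XXXX:        ; Windows 8.1 and Server 2012 R2
    mov eax, 01adh
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_10240:      ; Windows 10.0.10240 (1507)
    mov eax, 01b5h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_10586:      ; Windows 10.0.10586 (1511)
    mov eax, 01b8h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_14393:      ; Windows 10.0.14393 (1607)
    mov eax, 01beh
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_15063:      ; Windows 10.0.15063 (1703)
    mov eax, 01c4h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_16299:      ; Windows 10.0.16299 (1709)
    mov eax, 01c8h
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_17134:      ; Windows 10.0.17134 (1803)
    mov eax, 01cah
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_17763:      ; Windows 10.0.17763 (1809)
    mov eax, 01cbh
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_18362:      ; Windows 10.0.18362 (1903)
    mov eax, 01cch
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_10_0_18363:      ; Windows 10.0.18363 (1909)
    mov eax, 01cch
    jmp NtWaitForKeyedEvent_Epilogue
NtWaitForKeyedEvent_SystemCall_Unknown:         ; unsupported build: fail explicitly, no syscall
    mov eax, 0C0000002h                         ; STATUS_NOT_IMPLEMENTED
    ret
NtWaitForKeyedEvent_Epilogue:
    mov r10, rcx                                ; SYSCALL clobbers RCX; arg1 goes in R10
    syscall
    ret
NtWaitForKeyedEvent ENDP

; Head of NtWaitForMultipleObjects.  The rest of this PROC lies below this
; span and is not reviewed here; the head is reproduced unchanged.
NtWaitForMultipleObjects PROC
    mov rax, gs:[60h]                           ; Load PEB into RAX.
NtWaitForMultipleObjects_Check_X_X_XXXX:        ; Check major version.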
cmp dword ptr [rax+118h], 5 je NtWaitForMultipleObjects_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWaitForMultipleObjects_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWaitForMultipleObjects_Check_10_0_XXXX jmp NtWaitForMultipleObjects_SystemCall_Unknown NtWaitForMultipleObjects_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWaitForMultipleObjects_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWaitForMultipleObjects_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForMultipleObjects_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForMultipleObjects_SystemCall_6_3_XXXX jmp NtWaitForMultipleObjects_SystemCall_Unknown NtWaitForMultipleObjects_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWaitForMultipleObjects_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWaitForMultipleObjects_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWaitForMultipleObjects_SystemCall_6_0_6002 jmp NtWaitForMultipleObjects_SystemCall_Unknown NtWaitForMultipleObjects_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWaitForMultipleObjects_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWaitForMultipleObjects_SystemCall_6_1_7601 jmp NtWaitForMultipleObjects_SystemCall_Unknown NtWaitForMultipleObjects_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWaitForMultipleObjects_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWaitForMultipleObjects_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWaitForMultipleObjects_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWaitForMultipleObjects_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWaitForMultipleObjects_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWaitForMultipleObjects_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWaitForMultipleObjects_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWaitForMultipleObjects_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWaitForMultipleObjects_SystemCall_10_0_18363 jmp NtWaitForMultipleObjects_SystemCall_Unknown NtWaitForMultipleObjects_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0058h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0058h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0058h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0058h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0058h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0058h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0059h jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 005ah jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_10586: 
; Windows 10.0.10586 (1511) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 005bh jmp NtWaitForMultipleObjects_Epilogue NtWaitForMultipleObjects_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitForMultipleObjects_Epilogue: mov r10, rcx syscall ret NtWaitForMultipleObjects ENDP NtWaitForMultipleObjects32 PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWaitForMultipleObjects32_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWaitForMultipleObjects32_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWaitForMultipleObjects32_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWaitForMultipleObjects32_Check_10_0_XXXX jmp NtWaitForMultipleObjects32_SystemCall_Unknown NtWaitForMultipleObjects32_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtWaitForMultipleObjects32_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWaitForMultipleObjects32_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForMultipleObjects32_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForMultipleObjects32_SystemCall_6_3_XXXX jmp NtWaitForMultipleObjects32_SystemCall_Unknown NtWaitForMultipleObjects32_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWaitForMultipleObjects32_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWaitForMultipleObjects32_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWaitForMultipleObjects32_SystemCall_6_0_6002 jmp NtWaitForMultipleObjects32_SystemCall_Unknown NtWaitForMultipleObjects32_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWaitForMultipleObjects32_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWaitForMultipleObjects32_SystemCall_6_1_7601 jmp NtWaitForMultipleObjects32_SystemCall_Unknown NtWaitForMultipleObjects32_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWaitForMultipleObjects32_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWaitForMultipleObjects32_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWaitForMultipleObjects32_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWaitForMultipleObjects32_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWaitForMultipleObjects32_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWaitForMultipleObjects32_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWaitForMultipleObjects32_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWaitForMultipleObjects32_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWaitForMultipleObjects32_SystemCall_10_0_18363 jmp NtWaitForMultipleObjects32_SystemCall_Unknown NtWaitForMultipleObjects32_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0017h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0017h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0017h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0017h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0017h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0017h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0018h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0019h jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 001ah jmp 
NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 001ah jmp NtWaitForMultipleObjects32_Epilogue NtWaitForMultipleObjects32_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitForMultipleObjects32_Epilogue: mov r10, rcx syscall ret NtWaitForMultipleObjects32 ENDP NtWaitForSingleObject PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWaitForSingleObject_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWaitForSingleObject_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWaitForSingleObject_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWaitForSingleObject_Check_10_0_XXXX jmp NtWaitForSingleObject_SystemCall_Unknown NtWaitForSingleObject_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtWaitForSingleObject_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWaitForSingleObject_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForSingleObject_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForSingleObject_SystemCall_6_3_XXXX jmp NtWaitForSingleObject_SystemCall_Unknown NtWaitForSingleObject_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWaitForSingleObject_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWaitForSingleObject_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWaitForSingleObject_SystemCall_6_0_6002 jmp NtWaitForSingleObject_SystemCall_Unknown NtWaitForSingleObject_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWaitForSingleObject_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWaitForSingleObject_SystemCall_6_1_7601 jmp NtWaitForSingleObject_SystemCall_Unknown NtWaitForSingleObject_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWaitForSingleObject_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWaitForSingleObject_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWaitForSingleObject_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWaitForSingleObject_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWaitForSingleObject_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWaitForSingleObject_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWaitForSingleObject_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWaitForSingleObject_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWaitForSingleObject_SystemCall_10_0_18363 jmp NtWaitForSingleObject_SystemCall_Unknown NtWaitForSingleObject_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0001h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0001h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0001h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0001h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0001h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0001h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0002h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0003h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue 
NtWaitForSingleObject_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0004h jmp NtWaitForSingleObject_Epilogue NtWaitForSingleObject_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitForSingleObject_Epilogue: mov r10, rcx syscall ret NtWaitForSingleObject ENDP NtWaitForWnfNotifications PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWaitForWnfNotifications_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtWaitForWnfNotifications_Check_6_X_XXXX jmp NtWaitForWnfNotifications_SystemCall_Unknown NtWaitForWnfNotifications_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 2 je NtWaitForWnfNotifications_SystemCall_6_2_XXXX jmp NtWaitForWnfNotifications_SystemCall_Unknown NtWaitForWnfNotifications_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 01a9h jmp NtWaitForWnfNotifications_Epilogue NtWaitForWnfNotifications_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitForWnfNotifications_Epilogue: mov r10, rcx syscall ret NtWaitForWnfNotifications ENDP NtWaitForWorkViaWorkerFactory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWaitForWorkViaWorkerFactory_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 6 je NtWaitForWorkViaWorkerFactory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWaitForWorkViaWorkerFactory_Check_10_0_XXXX jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown NtWaitForWorkViaWorkerFactory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWaitForWorkViaWorkerFactory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWaitForWorkViaWorkerFactory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForWorkViaWorkerFactory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitForWorkViaWorkerFactory_SystemCall_6_3_XXXX jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown NtWaitForWorkViaWorkerFactory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6002 jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown NtWaitForWorkViaWorkerFactory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7601 jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown NtWaitForWorkViaWorkerFactory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18363 jmp NtWaitForWorkViaWorkerFactory_SystemCall_Unknown NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 018ah jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0183h jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0183h jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 018dh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 018dh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 01aah jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01aeh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01b6h jmp NtWaitForWorkViaWorkerFactory_Epilogue 
NtWaitForWorkViaWorkerFactory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01b9h jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01bfh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01c5h jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01c9h jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01cbh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01cch jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01cdh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01cdh jmp NtWaitForWorkViaWorkerFactory_Epilogue NtWaitForWorkViaWorkerFactory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitForWorkViaWorkerFactory_Epilogue: mov r10, rcx syscall ret NtWaitForWorkViaWorkerFactory ENDP NtWaitHighEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWaitHighEventPair_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWaitHighEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWaitHighEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWaitHighEventPair_Check_10_0_XXXX jmp NtWaitHighEventPair_SystemCall_Unknown NtWaitHighEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtWaitHighEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWaitHighEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitHighEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitHighEventPair_SystemCall_6_3_XXXX jmp NtWaitHighEventPair_SystemCall_Unknown NtWaitHighEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWaitHighEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWaitHighEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWaitHighEventPair_SystemCall_6_0_6002 jmp NtWaitHighEventPair_SystemCall_Unknown NtWaitHighEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWaitHighEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWaitHighEventPair_SystemCall_6_1_7601 jmp NtWaitHighEventPair_SystemCall_Unknown NtWaitHighEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtWaitHighEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWaitHighEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWaitHighEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWaitHighEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWaitHighEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWaitHighEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWaitHighEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWaitHighEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWaitHighEventPair_SystemCall_10_0_18363 jmp NtWaitHighEventPair_SystemCall_Unknown NtWaitHighEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0126h jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 018bh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_0_6001: 
; Windows Vista SP1 and Server 2008 SP0 mov eax, 0184h jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0184h jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 018eh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 018eh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 01abh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01afh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01b7h jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01bah jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01c0h jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01c6h jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01cah jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01cch jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01cdh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01ceh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01ceh jmp NtWaitHighEventPair_Epilogue NtWaitHighEventPair_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitHighEventPair_Epilogue: mov r10, rcx syscall ret NtWaitHighEventPair ENDP NtWaitLowEventPair PROC mov rax, gs:[60h] ; Load PEB into RAX. 
NtWaitLowEventPair_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWaitLowEventPair_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWaitLowEventPair_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWaitLowEventPair_Check_10_0_XXXX jmp NtWaitLowEventPair_SystemCall_Unknown NtWaitLowEventPair_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWaitLowEventPair_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWaitLowEventPair_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitLowEventPair_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWaitLowEventPair_SystemCall_6_3_XXXX jmp NtWaitLowEventPair_SystemCall_Unknown NtWaitLowEventPair_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWaitLowEventPair_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWaitLowEventPair_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWaitLowEventPair_SystemCall_6_0_6002 jmp NtWaitLowEventPair_SystemCall_Unknown NtWaitLowEventPair_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWaitLowEventPair_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWaitLowEventPair_SystemCall_6_1_7601 jmp NtWaitLowEventPair_SystemCall_Unknown NtWaitLowEventPair_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWaitLowEventPair_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWaitLowEventPair_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWaitLowEventPair_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWaitLowEventPair_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWaitLowEventPair_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWaitLowEventPair_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWaitLowEventPair_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWaitLowEventPair_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWaitLowEventPair_SystemCall_10_0_18363 jmp NtWaitLowEventPair_SystemCall_Unknown NtWaitLowEventPair_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0127h jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 018ch jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0185h jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0185h jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 018fh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 018fh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 01ach jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 01b0h jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 01b8h jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 01bbh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 01c1h jmp 
NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 01c7h jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 01cbh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 01cdh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 01ceh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 01cfh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 01cfh jmp NtWaitLowEventPair_Epilogue NtWaitLowEventPair_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWaitLowEventPair_Epilogue: mov r10, rcx syscall ret NtWaitLowEventPair ENDP NtWorkerFactoryWorkerReady PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWorkerFactoryWorkerReady_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 6 je NtWorkerFactoryWorkerReady_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWorkerFactoryWorkerReady_Check_10_0_XXXX jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown NtWorkerFactoryWorkerReady_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWorkerFactoryWorkerReady_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWorkerFactoryWorkerReady_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWorkerFactoryWorkerReady_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWorkerFactoryWorkerReady_SystemCall_6_3_XXXX jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown NtWorkerFactoryWorkerReady_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtWorkerFactoryWorkerReady_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWorkerFactoryWorkerReady_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWorkerFactoryWorkerReady_SystemCall_6_0_6002 jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown NtWorkerFactoryWorkerReady_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWorkerFactoryWorkerReady_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWorkerFactoryWorkerReady_SystemCall_6_1_7601 jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown NtWorkerFactoryWorkerReady_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtWorkerFactoryWorkerReady_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWorkerFactoryWorkerReady_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWorkerFactoryWorkerReady_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWorkerFactoryWorkerReady_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWorkerFactoryWorkerReady_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWorkerFactoryWorkerReady_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWorkerFactoryWorkerReady_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWorkerFactoryWorkerReady_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWorkerFactoryWorkerReady_SystemCall_10_0_18363 jmp NtWorkerFactoryWorkerReady_SystemCall_Unknown NtWorkerFactoryWorkerReady_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 018dh jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0186h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0186h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0190h jmp NtWorkerFactoryWorkerReady_Epilogue 
NtWorkerFactoryWorkerReady_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0190h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0000h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0000h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0001h jmp NtWorkerFactoryWorkerReady_Epilogue NtWorkerFactoryWorkerReady_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWorkerFactoryWorkerReady_Epilogue: mov r10, rcx syscall ret NtWorkerFactoryWorkerReady ENDP NtWriteFile PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWriteFile_Check_X_X_XXXX: ; Check major version. 
cmp dword ptr [rax+118h], 5 je NtWriteFile_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWriteFile_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWriteFile_Check_10_0_XXXX jmp NtWriteFile_SystemCall_Unknown NtWriteFile_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWriteFile_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWriteFile_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteFile_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteFile_SystemCall_6_3_XXXX jmp NtWriteFile_SystemCall_Unknown NtWriteFile_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWriteFile_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWriteFile_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWriteFile_SystemCall_6_0_6002 jmp NtWriteFile_SystemCall_Unknown NtWriteFile_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWriteFile_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWriteFile_SystemCall_6_1_7601 jmp NtWriteFile_SystemCall_Unknown NtWriteFile_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWriteFile_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWriteFile_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWriteFile_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWriteFile_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWriteFile_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWriteFile_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWriteFile_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWriteFile_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWriteFile_SystemCall_10_0_18363 jmp NtWriteFile_SystemCall_Unknown NtWriteFile_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0005h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0005h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0005h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0005h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0005h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0005h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0006h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0007h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0008h jmp NtWriteFile_Epilogue 
NtWriteFile_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0008h jmp NtWriteFile_Epilogue NtWriteFile_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWriteFile_Epilogue: mov r10, rcx syscall ret NtWriteFile ENDP NtWriteFileGather PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWriteFileGather_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWriteFileGather_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWriteFileGather_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWriteFileGather_Check_10_0_XXXX jmp NtWriteFileGather_SystemCall_Unknown NtWriteFileGather_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWriteFileGather_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWriteFileGather_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteFileGather_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteFileGather_SystemCall_6_3_XXXX jmp NtWriteFileGather_SystemCall_Unknown NtWriteFileGather_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWriteFileGather_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWriteFileGather_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWriteFileGather_SystemCall_6_0_6002 jmp NtWriteFileGather_SystemCall_Unknown NtWriteFileGather_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWriteFileGather_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWriteFileGather_SystemCall_6_1_7601 jmp NtWriteFileGather_SystemCall_Unknown NtWriteFileGather_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWriteFileGather_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWriteFileGather_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWriteFileGather_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWriteFileGather_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWriteFileGather_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWriteFileGather_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWriteFileGather_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWriteFileGather_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWriteFileGather_SystemCall_10_0_18363 jmp NtWriteFileGather_SystemCall_Unknown NtWriteFileGather_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0018h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0018h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0018h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0018h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0018h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0018h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0019h jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 001ah jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 001bh jmp NtWriteFileGather_Epilogue 
NtWriteFileGather_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 001bh jmp NtWriteFileGather_Epilogue NtWriteFileGather_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWriteFileGather_Epilogue: mov r10, rcx syscall ret NtWriteFileGather ENDP NtWriteRequestData PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWriteRequestData_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWriteRequestData_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWriteRequestData_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWriteRequestData_Check_10_0_XXXX jmp NtWriteRequestData_SystemCall_Unknown NtWriteRequestData_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtWriteRequestData_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWriteRequestData_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteRequestData_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteRequestData_SystemCall_6_3_XXXX jmp NtWriteRequestData_SystemCall_Unknown NtWriteRequestData_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtWriteRequestData_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWriteRequestData_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWriteRequestData_SystemCall_6_0_6002 jmp NtWriteRequestData_SystemCall_Unknown NtWriteRequestData_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWriteRequestData_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWriteRequestData_SystemCall_6_1_7601 jmp NtWriteRequestData_SystemCall_Unknown NtWriteRequestData_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtWriteRequestData_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWriteRequestData_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWriteRequestData_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWriteRequestData_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWriteRequestData_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWriteRequestData_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWriteRequestData_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWriteRequestData_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWriteRequestData_SystemCall_10_0_18363 jmp NtWriteRequestData_SystemCall_Unknown NtWriteRequestData_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0054h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0054h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0054h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0054h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0054h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0054h jmp 
NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0055h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0056h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0057h jmp NtWriteRequestData_Epilogue NtWriteRequestData_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWriteRequestData_Epilogue: mov r10, rcx syscall ret NtWriteRequestData ENDP NtWriteVirtualMemory PROC mov rax, gs:[60h] ; Load PEB into RAX. NtWriteVirtualMemory_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtWriteVirtualMemory_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtWriteVirtualMemory_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtWriteVirtualMemory_Check_10_0_XXXX jmp NtWriteVirtualMemory_SystemCall_Unknown NtWriteVirtualMemory_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. 
cmp dword ptr [rax+11ch], 0 je NtWriteVirtualMemory_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtWriteVirtualMemory_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteVirtualMemory_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtWriteVirtualMemory_SystemCall_6_3_XXXX jmp NtWriteVirtualMemory_SystemCall_Unknown NtWriteVirtualMemory_Check_6_0_XXXX: ; Check build number for Windows Vista. cmp dword ptr [rax+120h], 6000 je NtWriteVirtualMemory_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtWriteVirtualMemory_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtWriteVirtualMemory_SystemCall_6_0_6002 jmp NtWriteVirtualMemory_SystemCall_Unknown NtWriteVirtualMemory_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtWriteVirtualMemory_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtWriteVirtualMemory_SystemCall_6_1_7601 jmp NtWriteVirtualMemory_SystemCall_Unknown NtWriteVirtualMemory_Check_10_0_XXXX: ; Check build number for Windows 10. 
cmp dword ptr [rax+120h], 10240 je NtWriteVirtualMemory_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtWriteVirtualMemory_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtWriteVirtualMemory_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtWriteVirtualMemory_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtWriteVirtualMemory_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtWriteVirtualMemory_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtWriteVirtualMemory_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtWriteVirtualMemory_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtWriteVirtualMemory_SystemCall_10_0_18363 jmp NtWriteVirtualMemory_SystemCall_Unknown NtWriteVirtualMemory_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0037h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0037h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0037h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0037h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0037h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0037h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0038h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0039h jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue 
NtWriteVirtualMemory_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 003ah jmp NtWriteVirtualMemory_Epilogue NtWriteVirtualMemory_SystemCall_Unknown: ; Unknown/unsupported version. ret NtWriteVirtualMemory_Epilogue: mov r10, rcx syscall ret NtWriteVirtualMemory ENDP NtYieldExecution PROC mov rax, gs:[60h] ; Load PEB into RAX. NtYieldExecution_Check_X_X_XXXX: ; Check major version. cmp dword ptr [rax+118h], 5 je NtYieldExecution_SystemCall_5_X_XXXX cmp dword ptr [rax+118h], 6 je NtYieldExecution_Check_6_X_XXXX cmp dword ptr [rax+118h], 10 je NtYieldExecution_Check_10_0_XXXX jmp NtYieldExecution_SystemCall_Unknown NtYieldExecution_Check_6_X_XXXX: ; Check minor version for Windows Vista/7/8. cmp dword ptr [rax+11ch], 0 je NtYieldExecution_Check_6_0_XXXX cmp dword ptr [rax+11ch], 1 je NtYieldExecution_Check_6_1_XXXX cmp dword ptr [rax+11ch], 2 je NtYieldExecution_SystemCall_6_2_XXXX cmp dword ptr [rax+11ch], 2 je NtYieldExecution_SystemCall_6_3_XXXX jmp NtYieldExecution_SystemCall_Unknown NtYieldExecution_Check_6_0_XXXX: ; Check build number for Windows Vista. 
cmp dword ptr [rax+120h], 6000 je NtYieldExecution_SystemCall_6_0_6000 cmp dword ptr [rax+120h], 6001 je NtYieldExecution_SystemCall_6_0_6001 cmp dword ptr [rax+120h], 6002 je NtYieldExecution_SystemCall_6_0_6002 jmp NtYieldExecution_SystemCall_Unknown NtYieldExecution_Check_6_1_XXXX: ; Check build number for Windows 7. cmp dword ptr [rax+120h], 7600 je NtYieldExecution_SystemCall_6_1_7600 cmp dword ptr [rax+120h], 7601 je NtYieldExecution_SystemCall_6_1_7601 jmp NtYieldExecution_SystemCall_Unknown NtYieldExecution_Check_10_0_XXXX: ; Check build number for Windows 10. cmp dword ptr [rax+120h], 10240 je NtYieldExecution_SystemCall_10_0_10240 cmp dword ptr [rax+120h], 10586 je NtYieldExecution_SystemCall_10_0_10586 cmp dword ptr [rax+120h], 14393 je NtYieldExecution_SystemCall_10_0_14393 cmp dword ptr [rax+120h], 15063 je NtYieldExecution_SystemCall_10_0_15063 cmp dword ptr [rax+120h], 16299 je NtYieldExecution_SystemCall_10_0_16299 cmp dword ptr [rax+120h], 17134 je NtYieldExecution_SystemCall_10_0_17134 cmp dword ptr [rax+120h], 17763 je NtYieldExecution_SystemCall_10_0_17763 cmp dword ptr [rax+120h], 18362 je NtYieldExecution_SystemCall_10_0_18362 cmp dword ptr [rax+120h], 18363 je NtYieldExecution_SystemCall_10_0_18363 jmp NtYieldExecution_SystemCall_Unknown NtYieldExecution_SystemCall_5_X_XXXX: ; Windows XP and Server 2003 mov eax, 0043h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_6_0_6000: ; Windows Vista SP0 mov eax, 0043h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_6_0_6001: ; Windows Vista SP1 and Server 2008 SP0 mov eax, 0043h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_6_0_6002: ; Windows Vista SP2 and Server 2008 SP2 mov eax, 0043h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_6_1_7600: ; Windows 7 SP0 mov eax, 0043h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_6_1_7601: ; Windows 7 SP1 and Server 2008 R2 SP0 mov eax, 0043h jmp NtYieldExecution_Epilogue 
NtYieldExecution_SystemCall_6_2_XXXX: ; Windows 8 and Server 2012 mov eax, 0044h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_6_3_XXXX: ; Windows 8.1 and Server 2012 R2 mov eax, 0045h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_10240: ; Windows 10.0.10240 (1507) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_10586: ; Windows 10.0.10586 (1511) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_14393: ; Windows 10.0.14393 (1607) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_15063: ; Windows 10.0.15063 (1703) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_16299: ; Windows 10.0.16299 (1709) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_17134: ; Windows 10.0.17134 (1803) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_17763: ; Windows 10.0.17763 (1809) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_18362: ; Windows 10.0.18362 (1903) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_10_0_18363: ; Windows 10.0.18363 (1909) mov eax, 0046h jmp NtYieldExecution_Epilogue NtYieldExecution_SystemCall_Unknown: ; Unknown/unsupported version. ret NtYieldExecution_Epilogue: mov r10, rcx syscall ret NtYieldExecution ENDP end