Created
October 31, 2014 21:31
system-call: NtOpenProcessToken, arguments: -1 0xffffffff 8 0x00000008 850248 0x000cf948 0 0x00000000, return-value: 0 0x00000000 | |
system-call: NtQueryInformationToken, arguments: 76 0x0000004c 1 0x00000001 850312 0x000cf988 136 0x00000088, return-value: 0 0x00000000 | |
system-call: NtOpenKey, arguments: 850228 0x000cf934 3 0x00000003 2009948416 0x77cd6100 2009949964 0x77cd670c, return-value: -1073741772 0xc0000034 | |
system-call: NtOpenKey, arguments: 850244 0x000cf944 131097 0x00020019 2010727000 0x77d94258 2009949964 0x77cd670c, return-value: -1073741772 0xc0000034 | |
system-call: NtOpenKey, arguments: 850256 0x000cf950 1 0x00000001 2009948448 0x77cd6120 2009949964 0x77cd670c, return-value: 0 0x00000000 | |
system-call: NtQueryValueKey, arguments: 80 0x00000050 2009948440 0x77cd6118 2 0x00000002 850656 0x000cfae0, return-value: -1073741772 0xc0000034 | |
system-call: NtClose, arguments: 80 0x00000050 2009949964 0x77cd670c 0 0x00000000 2130567168 0x7efde000, return-value: 0 0x00000000 | |
system-call: NtOpenProcessTokenEx, arguments: -1 0xffffffff 8 0x00000008 512 0x00000200 850068 0x000cf894, return-value: 0 0x00000000 | |
system-call: NtQueryInformationToken, arguments: 80 0x00000050 1 0x00000001 850072 0x000cf898 80 0x00000050, return-value: 0 0x00000000 | |
system-call: NtClose, arguments: 80 0x00000050 -1073741772 0xc0000034 2009948440 0x77cd6118 36 0x00000024, return-value: 0 0x00000000 | |
system-call: NtOpenKey, arguments: 850256 0x000cf950 1 0x00000001 850188 0x000cf90c 2009949964 0x77cd670c, return-value: -1073741772 0xc0000034 | |
system-call: NtClose, arguments: 76 0x0000004c 2009949964 0x77cd670c 0 0x00000000 2130567168 0x7efde000, return-value: 0 0x00000000 | |
system-call: NtProtectVirtualMemory, arguments: -1 0xffffffff 850696 0x000cfb08 850700 0x000cfb0c 4 0x00000004, return-value: 0 0x00000000 | |
system-call: NtProtectVirtualMemory, arguments: -1 0xffffffff 850696 0x000cfb08 850700 0x000cfb0c 8 0x00000008, return-value: 0 0x00000000 | |
system-call: NtQueryInformationProcess, arguments: -1 0xffffffff 34 0x00000022 851016 0x000cfc48 4 0x00000004, return-value: 0 0x00000000 | |
system-call: NtSetInformationProcess, arguments: -1 0xffffffff 34 0x00000022 851016 0x000cfc48 4 0x00000004, return-value: 0 0x00000000 | |
system-call: NtOpenProcessToken, arguments: -1 0xffffffff 8 0x00000008 850416 0x000cf9f0 0 0x00000000, return-value: 0 0x00000000 | |
system-call: NtQueryInformationToken, arguments: 76 0x0000004c 10 0x0000000a 850420 0x000cf9f4 56 0x00000038, return-value: 0 0x00000000 | |
system-call: NtClose, arguments: 76 0x0000004c 3229840 0x00314890 56 0x00000038 76 0x0000004c, return-value: 0 0x00000000 | |
system-call: NtQueryValueKey, arguments: 0 0x00000000 849668 0x000cf704 2 0x00000002 849688 0x000cf718, return-value: -1073741816 0xc0000008 | |
system-call: NtTestAlert, arguments: 2011502128 0x77e51630 0 0x00000000 0 0x00000000 2130567168 0x7efde000, return-value: 0 0x00000000 | |
system-call: NtContinue, arguments: 851236 0x000cfd24 1 0x00000001 0 0x00000000 0 0x00000000, return-value: 4198400 0x00401000 | |
system-call: NtCreateFile, arguments: 4202508 0x0040200c 2032127 0x001f01ff 4202520 0x00402018 4202500 0x00402004, return-value: 0 0x00000000 | |
system-call: NtQueryInformationThread, arguments: -2 0xfffffffe 12 0x0000000c 851840 0x000cff80 4 0x00000004, return-value: 0 0x00000000 | |
system-call: NtTerminateProcess, arguments: 0 0x00000000 0 0x00000000 0 0x00000000 0 0x00000000 |