; Stub shape A (32-bit ntdll): direct call into the fixed address 7FFE0300h.
; That address lies in the user-shared data page; the code there performs the
; actual kernel transition (presumably the SystemCall entry of that page --
; confirm against the target build). Notation: ?? = wildcard byte,
; [x | y] = either encoding is accepted.
B8 ?? ?? ?? ?? mov eax, ??          ; eax = system service number (build-specific)
BA 00 03 FE 7F mov edx, 7FFE0300h   ; edx = fixed dispatch address in user shared data
FF D2 call edx                      ; call the dispatcher code located at that address
[C2 ?? ?? | C3] retn [??]           ; retn N pops N bytes of stdcall args; bare retn when the service has none
; Stub shape B (32-bit ntdll): same as shape A but the call is indirect --
; 7FFE0300h holds a POINTER to the dispatcher rather than the dispatcher code
; itself (FF 12 = call [edx], versus FF D2 = call edx in shape A).
B8 ?? ?? ?? ?? mov eax, ??          ; eax = system service number (build-specific)
BA 00 03 FE 7F mov edx, 7FFE0300h   ; edx = address of the dispatcher pointer in user shared data
FF 12 call dword ptr [edx]          ; call through the pointer stored at 7FFE0300h
[C2 ?? ?? | C3] retn [??]           ; retn N pops N bytes of stdcall args; bare retn when the service has none
; Stub shape C (32-bit ntdll): the transition is inlined. The stub calls a
; tiny trampoline placed right after its own retn (call $+?? skips the retn),
; so no shared-data dispatcher is involved. The call pushes a return address,
; which is what esp points at when edx is captured below.
B8 ?? ?? ?? ?? mov eax, ??          ; eax = system service number (build-specific)
E8 ?? 00 00 00 call $+??            ; call the trampoline that follows the retn (offset = 8 or 6, see concrete stubs)
[C2 ?? ?? | C3] retn [??]           ; stdcall cleanup once the trampoline returns
; --- trampoline (shared shape for every service number) ---
8B D4 mov edx, esp                  ; edx = user stack pointer at entry; the kernel-side handler is expected to read the user stack from edx -- confirm
0F 34 sysenter                      ; fast system call; resumes in user mode via sysexit
C3 retn                             ; presumably the user-mode resume point after sysexit -- returns to the stub's retn
; Stub shape D (WoW64, 32-bit ntdll under 64-bit Windows): far call through a
; pointer stored in the TEB at fs:[0C0h] (presumably TEB.WOW32Reserved, which
; holds the far pointer to the 32->64 transition code -- confirm). ecx carries
; the index into the wow64cpu argument-translation table (see the notes on the
; three reference functions below: 0 for NtOpenFile, a real index otherwise).
B8 ?? ?? ?? ?? mov eax, ??                              ; eax = system service number (build-specific)
[33 C9 | B9 ?? ?? ?? ??] [xor ecx, ecx | mov ecx, ??]   ; ecx = wow64cpu translation-table index (0 encoded as xor)
8D 54 24 04 lea edx, [esp+4]                            ; edx = address of the first stack argument (skip the return address)
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h       ; far call through the TEB slot into the WoW64 transition code
[C2 ?? ?? | C3] retn [??]                               ; retn N pops N bytes of stdcall args; bare retn when the service has none
; Stub shape E (WoW64): identical to shape D except for the add esp, 4 after
; the far call. A far call pushes both CS and EIP; the extra dword discarded
; here is presumably the CS slot, left behind when the transition code comes
; back with a near return -- confirm against the target build.
B8 ?? ?? ?? ?? mov eax, ??                              ; eax = system service number (build-specific)
[33 C9 | B9 ?? ?? ?? ??] [xor ecx, ecx | mov ecx, ??]   ; ecx = wow64cpu translation-table index (0 encoded as xor)
8D 54 24 04 lea edx, [esp+4]                            ; edx = address of the first stack argument (skip the return address)
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h       ; far call through the TEB slot into the WoW64 transition code
83 C4 04 add esp, 4                                     ; drop the extra dword left on the stack by the far call
[C2 ?? ?? | C3] retn [??]                               ; retn N pops N bytes of stdcall args; bare retn when the service has none
; Stub shape F (WoW64): ecx/edx setup is gone. The concrete stubs below show
; the translation-table index packed into the upper 16 bits of eax instead
; (e.g. ecx=1Bh, eax=36h in shape D becomes eax=1B0037h here), i.e.
; eax = (table index << 16) | service number.
B8 ?? ?? ?? ?? mov eax, ??                              ; eax = (wow64cpu table index << 16) | service number
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h       ; far call through the TEB slot into the WoW64 transition code
[C2 ?? ?? | C3] retn [??]                               ; retn N pops N bytes of stdcall args; bare retn when the service has none
; Stub shape G (WoW64): the transition routine is called by absolute address
; loaded into edx. The concrete stubs below resolve that address to
; _Wow64SystemServiceCall@0; it is image-relocation dependent, hence the
; wildcard bytes. eax keeps the packed (index << 16) | service-number layout
; of shape F.
B8 ?? ?? ?? ?? mov eax, ??          ; eax = (wow64cpu table index << 16) | service number
BA ?? ?? ?? ?? mov edx, ??          ; edx = absolute address of Wow64SystemServiceCall (varies with image base)
FF D2 call edx                      ; call the transition routine
[C2 ?? ?? | C3] retn [??]           ; retn N pops N bytes of stdcall args; bare retn when the service has none
; Stub shape H (native 64-bit ntdll): the syscall instruction overwrites rcx
; with the return RIP (and r11 with RFLAGS), so the first argument is moved to
; r10 beforehand. Arguments are in rcx/rdx/r8/r9 and the caller's stack; the
; caller cleans the stack, so the stub always ends in a bare retn.
4C 8B D1 mov r10, rcx               ; preserve arg0: rcx is clobbered by syscall
B8 ?? ?? ?? ?? mov eax, ??          ; eax = system service number (build-specific)
0F 05 syscall                       ; enter the kernel
C3 retn                             ; no stack cleanup in the x64 convention
Stubs for the same three functions are always shown, one per stub shape:
- NtOpenFile (function with arguments + zero index to the wow64cpu translation table)
- NtFsControlFile (function with arguments + index to the wow64cpu translation table)
- NtTestAlert (function without arguments)
; Shape A instances (call edx into 7FFE0300h), service numbers 74h / 54h / 103h.
; retn 18h pops 6 dword arguments (NtOpenFile takes 6), retn 28h pops 10
; (NtFsControlFile takes 10); NtTestAlert has no arguments, hence bare retn.
B8 74 00 00 00 mov eax, 74h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h   ; fixed dispatcher address in user shared data
FF D2 call edx
C2 18 00 retn 18h                   ; 6 args * 4 bytes
B8 54 00 00 00 mov eax, 54h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF D2 call edx
C2 28 00 retn 28h                   ; 10 args * 4 bytes
B8 03 01 00 00 mov eax, 103h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF D2 call edx
C3 retn                             ; no arguments to pop
; Shape B instances (call [edx] through the pointer at 7FFE0300h) with the SAME
; service numbers as the shape A group above (74h / 54h / 103h): the service
; table is unchanged, only the dispatch mechanism differs (FF 12 vs FF D2).
B8 74 00 00 00 mov eax, 74h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h   ; address of the dispatcher pointer in user shared data
FF 12 call dword ptr [edx]          ; indirect call through that pointer
C2 18 00 retn 18h                   ; 6 args * 4 bytes
B8 54 00 00 00 mov eax, 54h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 28 00 retn 28h                   ; 10 args * 4 bytes
B8 03 01 00 00 mov eax, 103h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C3 retn                             ; no arguments to pop
; Shape B instances with a renumbered service table (0B3h / 86h / 174h).
; Only the immediates in the first mov differ from the previous group; the
; dispatch bytes and the retn cleanup are identical.
B8 B3 00 00 00 mov eax, 0B3h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h   ; address of the dispatcher pointer in user shared data
FF 12 call dword ptr [edx]
C2 18 00 retn 18h                   ; 6 args * 4 bytes
B8 86 00 00 00 mov eax, 86h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 28 00 retn 28h                   ; 10 args * 4 bytes
B8 74 01 00 00 mov eax, 174h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C3 retn                             ; no arguments to pop
; Byte-identical to the preceding 0B3h / 86h / 174h group; presumably listed
; for a different build that kept both the stub shape and the numbering.
B8 B3 00 00 00 mov eax, 0B3h ; NtOpenFile
BA 00 03 FE 7F mov edx, 7FFE0300h   ; address of the dispatcher pointer in user shared data
FF 12 call dword ptr [edx]
C2 18 00 retn 18h                   ; 6 args * 4 bytes
B8 86 00 00 00 mov eax, 86h ; NtFsControlFile
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C2 28 00 retn 28h                   ; 10 args * 4 bytes
B8 74 01 00 00 mov eax, 174h ; NtTestAlert
BA 00 03 FE 7F mov edx, 7FFE0300h
FF 12 call dword ptr [edx]
C3 retn                             ; no arguments to pop
; Shape C instances (inlined sysenter trampoline), service numbers
; 0E8h / 115h / 21h. The call displacement depends on the size of the retn it
; skips: $+8 jumps over a 3-byte retn 18h/28h, $+6 over a 1-byte retn. Each
; stub carries its own copy of the 6-byte trampoline.
B8 E8 00 00 00 mov eax, 0E8h ; NtOpenFile
E8 03 00 00 00 call $+8             ; skip the 3-byte retn below, land on mov edx, esp
C2 18 00 retn 18h                   ; 6 args * 4 bytes
8B D4 mov edx, esp                  ; edx = user stack pointer for the kernel-side handler
0F 34 sysenter
C3 retn                             ; user-mode resume point; returns into retn 18h above
B8 15 01 00 00 mov eax, 115h ; NtFsControlFile
E8 03 00 00 00 call $+8
C2 28 00 retn 28h                   ; 10 args * 4 bytes
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 21 00 00 00 mov eax, 21h ; NtTestAlert
E8 01 00 00 00 call $+6             ; skip the 1-byte retn (no args)
C3 retn
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
; Shape C instances with service numbers 0EBh / 119h / 21h. Same layout as the
; previous group: only the first immediate changes between builds, the
; call/retn/trampoline bytes are constant.
B8 EB 00 00 00 mov eax, 0EBh ; NtOpenFile
E8 03 00 00 00 call $+8             ; skip the 3-byte retn below
C2 18 00 retn 18h                   ; 6 args * 4 bytes
8B D4 mov edx, esp                  ; edx = user stack pointer for the kernel-side handler
0F 34 sysenter
C3 retn
B8 19 01 00 00 mov eax, 119h ; NtFsControlFile
E8 03 00 00 00 call $+8
C2 28 00 retn 28h                   ; 10 args * 4 bytes
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 21 00 00 00 mov eax, 21h ; NtTestAlert
E8 01 00 00 00 call $+6             ; skip the 1-byte retn (no args)
C3 retn
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
; Shape C instances with service numbers 0EEh / 11Eh / 22h. Note that all
; three numbers moved relative to the previous group, including NtTestAlert
; (21h -> 22h), so a numbering table must be kept per build.
B8 EE 00 00 00 mov eax, 0EEh ; NtOpenFile
E8 03 00 00 00 call $+8             ; skip the 3-byte retn below
C2 18 00 retn 18h                   ; 6 args * 4 bytes
8B D4 mov edx, esp                  ; edx = user stack pointer for the kernel-side handler
0F 34 sysenter
C3 retn
B8 1E 01 00 00 mov eax, 11Eh ; NtFsControlFile
E8 03 00 00 00 call $+8
C2 28 00 retn 28h                   ; 10 args * 4 bytes
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
B8 22 00 00 00 mov eax, 22h ; NtTestAlert
E8 01 00 00 00 call $+6             ; skip the 1-byte retn (no args)
C3 retn
8B D4 mov edx, esp
0F 34 sysenter
C3 retn
; Shape D instances (WoW64 far call via fs:[0C0h]), service numbers
; 30h / 36h / 11Bh. These match the native x64 numbers listed further down
; (mov r10, rcx / mov eax, 30h ...), consistent with the WoW64 layer forwarding
; to the 64-bit service table. ecx is the wow64cpu translation-table index:
; 0 for NtOpenFile, 1Bh for NtFsControlFile, 2 for NtTestAlert.
B8 30 00 00 00 mov eax, 30h ; NtOpenFile
33 C9 xor ecx, ecx                                  ; translation-table index 0
8D 54 24 04 lea edx, [esp+4]                        ; edx = first stack argument
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h   ; far call into the WoW64 transition code
C2 18 00 retn 18h                                   ; 6 args * 4 bytes
B8 36 00 00 00 mov eax, 36h ; NtFsControlFile
B9 1B 00 00 00 mov ecx, 1Bh                         ; translation-table index 1Bh
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 28 00 retn 28h                                   ; 10 args * 4 bytes
B8 1B 01 00 00 mov eax, 11Bh ; NtTestAlert
B9 02 00 00 00 mov ecx, 2                           ; translation-table index 2
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C3 retn                                             ; no arguments to pop
; Shape E instances (WoW64 far call + add esp, 4), service numbers
; 30h / 36h / 17Eh. NtOpenFile/NtFsControlFile keep the numbers of the shape D
; group; NtTestAlert moved from 11Bh to 17Eh. The translation-table indexes
; (0 / 1Bh / 2) are unchanged.
B8 30 00 00 00 mov eax, 30h ; NtOpenFile
33 C9 xor ecx, ecx                                  ; translation-table index 0
8D 54 24 04 lea edx, [esp+4]                        ; edx = first stack argument
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h   ; far call into the WoW64 transition code
83 C4 04 add esp, 4                                 ; drop the extra dword left by the far call
C2 18 00 retn 18h                                   ; 6 args * 4 bytes
B8 36 00 00 00 mov eax, 36h ; NtFsControlFile
B9 1B 00 00 00 mov ecx, 1Bh                         ; translation-table index 1Bh
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C2 28 00 retn 28h                                   ; 10 args * 4 bytes
B8 7E 01 00 00 mov eax, 17Eh ; NtTestAlert
B9 02 00 00 00 mov ecx, 2                           ; translation-table index 2
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C3 retn                                             ; no arguments to pop
; Byte-identical to the preceding shape E group (30h / 36h / 17Eh); presumably
; listed for a different build that kept both shape and numbering.
B8 30 00 00 00 mov eax, 30h ; NtOpenFile
33 C9 xor ecx, ecx                                  ; translation-table index 0
8D 54 24 04 lea edx, [esp+4]                        ; edx = first stack argument
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h   ; far call into the WoW64 transition code
83 C4 04 add esp, 4                                 ; drop the extra dword left by the far call
C2 18 00 retn 18h                                   ; 6 args * 4 bytes
B8 36 00 00 00 mov eax, 36h ; NtFsControlFile
B9 1B 00 00 00 mov ecx, 1Bh                         ; translation-table index 1Bh
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C2 28 00 retn 28h                                   ; 10 args * 4 bytes
B8 7E 01 00 00 mov eax, 17Eh ; NtTestAlert
B9 02 00 00 00 mov ecx, 2                           ; translation-table index 2
8D 54 24 04 lea edx, [esp+4]
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
83 C4 04 add esp, 4
C3 retn                                             ; no arguments to pop
; Shape F instances (WoW64, index packed into eax). Low 16 bits = service
; number (31h / 37h / 196h), high 16 bits = the same translation-table indexes
; the shape D/E stubs passed in ecx (0 / 1Bh / 2): 1B0037h = index 1Bh,
; service 37h; 20196h = index 2, service 196h.
B8 31 00 00 00 mov eax, 31h ; NtOpenFile              ; index 0 << 16 | 31h
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h   ; far call into the WoW64 transition code
C2 18 00 retn 18h                                   ; 6 args * 4 bytes
B8 37 00 1B 00 mov eax, 1B0037h ; NtFsControlFile     ; index 1Bh << 16 | 37h
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 28 00 retn 28h                                   ; 10 args * 4 bytes
B8 96 01 02 00 mov eax, 20196h ; NtTestAlert          ; index 2 << 16 | 196h
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C3 retn                                             ; no arguments to pop
; Shape F instances with service numbers 32h / 38h / 19Bh (index still packed
; into the upper 16 bits of eax: 1B0038h, 2019Bh).
B8 32 00 00 00 mov eax, 32h ; NtOpenFile              ; index 0 << 16 | 32h
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h   ; far call into the WoW64 transition code
C2 18 00 retn 18h                                   ; 6 args * 4 bytes
B8 38 00 1B 00 mov eax, 1B0038h ; NtFsControlFile     ; index 1Bh << 16 | 38h
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C2 28 00 retn 28h                                   ; 10 args * 4 bytes
B8 9B 01 02 00 mov eax, 2019Bh ; NtTestAlert          ; index 2 << 16 | 19Bh
64 FF 15 C0 00 00 00 call large dword ptr fs:0C0h
C3 retn                                             ; no arguments to pop
; Shape G instances (WoW64, call through edx = Wow64SystemServiceCall), service
; numbers 33h / 39h / 1A3h with the packed index layout of shape F. The edx
; immediate is an absolute in-image address (shown here as 4B2FD5B0h), so it
; changes with the load address and must be wildcarded in any pattern.
B8 33 00 00 00 mov eax, 33h ; NtOpenFile              ; index 0 << 16 | 33h
BA B0 D5 2F 4B mov edx, offset _Wow64SystemServiceCall@0 ; edx = Wow64SystemServiceCall (absolute, relocation-dependent)
FF D2 call edx ; Wow64SystemServiceCall()
C2 18 00 retn 18h                                   ; 6 args * 4 bytes
B8 39 00 1B 00 mov eax, 1B0039h ; NtFsControlFile     ; index 1Bh << 16 | 39h
BA B0 D5 2F 4B mov edx, offset _Wow64SystemServiceCall@0 ; Wow64SystemServiceCall()
FF D2 call edx ; Wow64SystemServiceCall()
C2 28 00 retn 28h                                   ; 10 args * 4 bytes
B8 A3 01 02 00 mov eax, 201A3h ; NtTestAlert          ; index 2 << 16 | 1A3h
BA B0 D5 2F 4B mov edx, offset _Wow64SystemServiceCall@0 ; Wow64SystemServiceCall()
FF D2 call edx ; Wow64SystemServiceCall()
C3 retn                                             ; no arguments to pop
; Shape H instances (native x64), service numbers 30h / 36h / 11Bh -- the same
; numbers the WoW64 shape D stubs above load into eax, consistent with WoW64
; forwarding to the 64-bit table. r10 receives arg0 because syscall clobbers
; rcx; no stack cleanup in the x64 convention.
4C 8B D1 mov r10, rcx ; NtOpenFile                  ; preserve arg0 before syscall overwrites rcx
B8 30 00 00 00 mov eax, 30h                         ; service number
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 36 00 00 00 mov eax, 36h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 1B 01 00 00 mov eax, 11Bh
0F 05 syscall
C3 retn
; Shape H instances, service numbers 30h / 36h / 17Eh -- matching the WoW64
; shape E group above (NtTestAlert moved 11Bh -> 17Eh on both sides).
4C 8B D1 mov r10, rcx ; NtOpenFile                  ; preserve arg0 before syscall overwrites rcx
B8 30 00 00 00 mov eax, 30h                         ; service number
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 36 00 00 00 mov eax, 36h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 7E 01 00 00 mov eax, 17Eh
0F 05 syscall
C3 retn
; Byte-identical to the preceding 30h / 36h / 17Eh group; presumably listed for
; a different build that kept the numbering (mirrors the duplicated WoW64
; shape E group).
4C 8B D1 mov r10, rcx ; NtOpenFile                  ; preserve arg0 before syscall overwrites rcx
B8 30 00 00 00 mov eax, 30h                         ; service number
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 36 00 00 00 mov eax, 36h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 7E 01 00 00 mov eax, 17Eh
0F 05 syscall
C3 retn
; Shape H instances, service numbers 31h / 37h / 196h -- the low 16 bits of the
; packed eax values in the WoW64 shape F group (31h, 1B0037h, 20196h).
4C 8B D1 mov r10, rcx ; NtOpenFile                  ; preserve arg0 before syscall overwrites rcx
B8 31 00 00 00 mov eax, 31h                         ; service number
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 37 00 00 00 mov eax, 37h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 96 01 00 00 mov eax, 196h
0F 05 syscall
C3 retn
; Shape H instances, service numbers 32h / 38h / 19Bh -- matching the second
; WoW64 shape F group (32h, 1B0038h, 2019Bh).
4C 8B D1 mov r10, rcx ; NtOpenFile                  ; preserve arg0 before syscall overwrites rcx
B8 32 00 00 00 mov eax, 32h                         ; service number
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 38 00 00 00 mov eax, 38h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 9B 01 00 00 mov eax, 19Bh
0F 05 syscall
C3 retn
; Shape H instances, service numbers 33h / 39h / 1A3h -- matching the WoW64
; shape G group (33h, 1B0039h, 201A3h). The native stub bytes are constant
; across all shape H groups; only the eax immediate identifies the build.
4C 8B D1 mov r10, rcx ; NtOpenFile                  ; preserve arg0 before syscall overwrites rcx
B8 33 00 00 00 mov eax, 33h                         ; service number
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtFsControlFile
B8 39 00 00 00 mov eax, 39h
0F 05 syscall
C3 retn
4C 8B D1 mov r10, rcx ; NtTestAlert
B8 A3 01 00 00 mov eax, 1A3h
0F 05 syscall
C3 retn