参考:http://x86.renejeschke.de/html/file_module_x86_id_313.html
http://msdn.microsoft.com/en-us/library/windows/hardware/ff553516(v=vs.85).aspx
http://en.wikipedia.org/wiki/Model-specific_register
rdmsr ( 0x00000174 ) = 0x00000000 ~ 0x00000008
rdmsr ( 0x00000175 ) = 0x00000000 ~ 0xf7a1a000
rdmsr ( 0x00000176 ) = 0x00000000 ~ 0x8053dad0
kd> dg 0
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0000 00000000 00000000 <Reserved> 0 Nb By Np Nl 00000000
kd> dg 0x08
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0008 00000000 ffffffff Code RE Ac 0 Bg Pg P Nl 00000c9b
kd> dg 0x13
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0013 00000000 ffffffff Data RW Ac 0 Bg Pg P Nl 00000c93
kd> dg 0x18
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0018 00000000 ffffffff Code RE Ac 3 Bg Pg P Nl 00000cfb
kd> dg 0x23
P Si Gr Pr Lo
Sel Base Limit Type l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
0023 00000000 ffffffff Data RW Ac 3 Bg Pg P Nl 00000cf3
因此,sysenter_cs就是内核的代码段。
列举内核中全部的driver
kd> !drivers
The !drivers command is no longer supported.
Please use the 'lm t n' command.
Consult the debugger documentation for the supported 'lm' command options.
The WinDbg "Modules" window can also be used to display timestamps.
The "Modules" window supports sorting on name or timestamp values
kd> lm t n
nt!KiFastCallEntry:
8053dad0 b923000000 mov ecx,23h
8053dad5 6a30 push 30h
8053dad7 0fa1 pop fs
8053dad9 8ed9 mov ds,cx
8053dadb 8ec1 mov es,cx
8053dadd 8b0d40f0dfff mov ecx,dword ptr ds:[0FFDFF040h]
8053dae3 8b6104 mov esp,dword ptr [ecx+4]
8053dae6 6a23 push 23h
8053dae8 52 push edx
8053dae9 9c pushfd
8053daea 6a02 push 2
8053daec 83c208 add edx,8
8053daef 9d popfd
8053daf0 804c240102 or byte ptr [esp+1],2
8053daf5 6a1b push 1Bh
8053daf7 ff350403dfff push dword ptr ds:[0FFDF0304h]
8053dafd 6a00 push 0
8053daff 55 push ebp
8053db00 53 push ebx
8053db01 56 push esi
8053db02 57 push edi
8053db03 8b1d1cf0dfff mov ebx,dword ptr ds:[0FFDFF01Ch]
8053db09 6a3b push 3Bh
8053db0b 8bb324010000 mov esi,dword ptr [ebx+124h]
8053db11 ff33 push dword ptr [ebx]
8053db13 c703ffffffff mov dword ptr [ebx],0FFFFFFFFh
8053db19 8b6e18 mov ebp,dword ptr [esi+18h]
8053db1c 6a01 push 1
8053db1e 83ec48 sub esp,48h
8053db21 81ed9c020000 sub ebp,29Ch
8053db27 c6864001000001 mov byte ptr [esi+140h],1
8053db2e 3bec cmp ebp,esp
8053db30 759a jne nt!KiFastCallEntry2+0x47 (8053dacc)
kd> u nt!KiSystemService L20
nt!KiSystemService:
8053da11 6a00 push 0
8053da13 55 push ebp
8053da14 53 push ebx
8053da15 56 push esi
8053da16 57 push edi
8053da17 0fa0 push fs
8053da19 bb30000000 mov ebx,30h
8053da1e 668ee3 mov fs,bx
8053da21 ff3500f0dfff push dword ptr ds:[0FFDFF000h]
8053da27 c70500f0dfffffffffff mov dword ptr ds:[0FFDFF000h],0FFFFFFFFh
8053da31 8b3524f1dfff mov esi,dword ptr ds:[0FFDFF124h]
8053da37 ffb640010000 push dword ptr [esi+140h]
8053da3d 83ec48 sub esp,48h
8053da40 8b5c246c mov ebx,dword ptr [esp+6Ch]
8053da44 83e301 and ebx,1
8053da47 889e40010000 mov byte ptr [esi+140h],bl
8053da4d 8bec mov ebp,esp
8053da4f 8b9e34010000 mov ebx,dword ptr [esi+134h]
8053da55 895d3c mov dword ptr [ebp+3Ch],ebx
8053da58 89ae34010000 mov dword ptr [esi+134h],ebp
8053da5e fc cld
8053da5f 8b5d60 mov ebx,dword ptr [ebp+60h]
8053da62 8b7d68 mov edi,dword ptr [ebp+68h]
8053da65 89550c mov dword ptr [ebp+0Ch],edx
8053da68 c74508000ddbba mov dword ptr [ebp+8],0BADB0D00h
8053da6f 895d00 mov dword ptr [ebp],ebx
8053da72 897d04 mov dword ptr [ebp+4],edi
8053da75 f6462cff test byte ptr [esi+2Ch],0FFh
8053da79 0f858dfeffff jne nt!Dr_kss_a (8053d90c)
8053da7f fb sti
8053da80 e9d8000000 jmp nt!KiFastCallEntry+0x8d (8053db5d)
nt!KiFastCallEntry2:
kd> !idt 2e
Dumping IDT:
2e: 8053da11 nt!KiSystemService
daniel@daniel-mint ~/windbg $ awk '{printf("[% 8x]: \t\t[%s --> %s] \t\t%s\n", NR, $1, $2, $3)}' kiservicetable
[ 1]: [80502354 --> 80599a66] nt!NtAcceptConnectPort
[ 2]: [80502358 --> 805e6cce] nt!NtAccessCheck
[ 3]: [8050235c --> 805ea514] nt!NtAccessCheckAndAuditAlarm
[ 4]: [80502360 --> 805e6d00] nt!NtAccessCheckByType
[ 5]: [80502364 --> 805ea54e] nt!NtAccessCheckByTypeAndAuditAlarm
[ 6]: [80502368 --> 805e6d36] nt!NtAccessCheckByTypeResultList
[ 7]: [8050236c --> 805ea592] nt!NtAccessCheckByTypeResultListAndAuditAlarm
[ 8]: [80502370 --> 805ea5d6] nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle
[ 9]: [80502374 --> 8060bc40] nt!NtAddAtom
[ a]: [80502378 --> 8060c984] nt!NtAddBootEntry
[ b]: [8050237c --> 805e2066] nt!NtAdjustGroupsToken
[ c]: [80502380 --> 805e1cbe] nt!NtAdjustPrivilegesToken
[ d]: [80502384 --> 805caccc] nt!NtAlertResumeThread
[ e]: [80502388 --> 805cac7c] nt!NtAlertThread
[ f]: [8050238c --> 8060c266] nt!NtAllocateLocallyUniqueId
[ 10]: [80502390 --> 805ab654] nt!NtAllocateUserPhysicalPages
[ 11]: [80502394 --> 8060b87e] nt!NtAllocateUuids
[ 12]: [80502398 --> 8059dedc] nt!NtAllocateVirtualMemory
[ 13]: [8050239c --> 805a5aa6] nt!NtAreMappedFilesTheSame
[ 14]: [805023a0 --> 805cc7aa] nt!NtAssignProcessToJobObject
[ 15]: [805023a4 --> 80500020] nt!NtCallbackReturn
[ 16]: [805023a8 --> 805be3e2] nt!NtModifyBootEntry
[ 17]: [805023ac --> 8056c0c6] nt!NtCancelIoFile
[ 18]: [805023b0 --> 80535596] nt!NtCancelTimer
[ 19]: [805023b4 --> 80604f36] nt!NtClearEvent
[ 1a]: [805023b8 --> 805b1ce0] nt!NtClose
[ 1b]: [805023bc --> 805eaa4e] nt!NtCloseObjectAuditAlarm
[ 1c]: [805023c0 --> 80619dfe] nt!NtCompactKeys
[ 1d]: [805023c4 --> 805eef40] nt!NtCompareTokens
[ 1e]: [805023c8 --> 8059a154] nt!NtCompleteConnectPort
[ 1f]: [805023cc --> 8061a052] nt!NtCompressKey
[ 20]: [805023d0 --> 80599a06] nt!NtConnectPort
[ 21]: [805023d4 --> 80541390] nt!NtContinue
[ 22]: [805023d8 --> 806381da] nt!NtCreateDebugObject
[ 23]: [805023dc --> 805b3bdc] nt!NtCreateDirectoryObject
[ 24]: [805023e0 --> 80604f86] nt!NtCreateEvent
[ 25]: [805023e4 --> 8060d1fa] nt!NtCreateEventPair
[ 26]: [805023e8 --> 8056e62e] nt!NtCreateFile
[ 27]: [805023ec --> 8056e00c] nt!NtCreateIoCompletion
[ 28]: [805023f0 --> 805cb76e] nt!NtCreateJobObject
[ 29]: [805023f4 --> 805cb4a6] nt!NtCreateJobSet
[ 2a]: [805023f8 --> 8061a22e] nt!NtCreateKey
[ 2b]: [805023fc --> 8056e73c] nt!NtCreateMailslotFile
[ 2c]: [80502400 --> 8060d5f2] nt!NtCreateMutant
[ 2d]: [80502404 --> 8056e668] nt!NtCreateNamedPipeFile
[ 2e]: [80502408 --> 805a0ec6] nt!NtCreatePagingFile
[ 2f]: [8050240c --> 8059a522] nt!NtCreatePort
[ 30]: [80502410 --> 805c7332] nt!NtCreateProcess
[ 31]: [80502414 --> 805c727c] nt!NtCreateProcessEx
[ 32]: [80502418 --> 8060da12] nt!NtCreateProfile
[ 33]: [8050241c --> 805a080a] nt!NtCreateSection
[ 34]: [80502420 --> 8060af9c] nt!NtCreateSemaphore
[ 35]: [80502424 --> 805ba9e4] nt!NtCreateSymbolicLinkObject
[ 36]: [80502428 --> 805c711a] nt!NtCreateThread
[ 37]: [8050242c --> 8060cec2] nt!NtCreateTimer
[ 38]: [80502430 --> 805ef2e8] nt!NtCreateToken
[ 39]: [80502434 --> 8059a546] nt!NtCreateWaitablePort
[ 3a]: [80502438 --> 806392b6] nt!NtDebugActiveProcess
[ 3b]: [8050243c --> 80639406] nt!NtDebugContinue
[ 3c]: [80502440 --> 8060c8d4] nt!NtDelayExecution
[ 3d]: [80502444 --> 8060c0f6] nt!NtDeleteAtom
[ 3e]: [80502448 --> 805be3e2] nt!NtModifyBootEntry
[ 3f]: [8050244c --> 8056c20c] nt!NtDeleteFile
[ 40]: [80502450 --> 8061a6be] nt!NtDeleteKey
[ 41]: [80502454 --> 805eab5a] nt!NtDeleteObjectAuditAlarm
[ 42]: [80502458 --> 8061a88e] nt!NtDeleteValueKey
[ 43]: [8050245c --> 8056e7f4] nt!NtDeviceIoControlFile
[ 44]: [80502460 --> 80608f10] nt!NtDisplayString
[ 45]: [80502464 --> 805b37bc] nt!NtDuplicateObject
[ 46]: [80502468 --> 805e2f04] nt!NtDuplicateToken
[ 47]: [8050246c --> 8060c984] nt!NtAddBootEntry
[ 48]: [80502470 --> 8061aa6e] nt!NtEnumerateKey
[ 49]: [80502474 --> 8060c976] nt!NtEnumerateSystemEnvironmentValuesEx
[ 4a]: [80502478 --> 8061acd8] nt!NtEnumerateValueKey
[ 4b]: [8050247c --> 805a91cc] nt!NtExtendSection
[ 4c]: [80502480 --> 805e30b0] nt!NtFilterToken
[ 4d]: [80502484 --> 8060beaa] nt!NtFindAtom
[ 4e]: [80502488 --> 8056c2d8] nt!NtFlushBuffersFile
[ 4f]: [8050248c --> 805abede] nt!NtFlushInstructionCache
[ 50]: [80502490 --> 8061af42] nt!NtFlushKey
[ 51]: [80502494 --> 805a1bd6] nt!NtFlushVirtualMemory
[ 52]: [80502498 --> 805abe80] nt!NtFlushWriteBuffer
[ 53]: [8050249c --> 805ab9f0] nt!NtFreeUserPhysicalPages
[ 54]: [805024a0 --> 805a84a6] nt!NtFreeVirtualMemory
[ 55]: [805024a4 --> 8056e828] nt!NtFsControlFile
[ 56]: [805024a8 --> 805c7644] nt!NtGetContextThread
[ 57]: [805024ac --> 805be404] nt!NtGetDevicePowerState
[ 58]: [805024b0 --> 8058e83c] nt!NtGetPlugPlayEvent
[ 59]: [805024b4 --> 8051df7e] nt!NtGetWriteWatch
[ 5a]: [805024b8 --> 805eec34] nt!NtImpersonateAnonymousToken
[ 5b]: [805024bc --> 8059a5b0] nt!NtImpersonateClientOfPort
[ 5c]: [805024c0 --> 805cd942] nt!NtImpersonateThread
[ 5d]: [805024c4 --> 80618206] nt!NtInitializeRegistry
[ 5e]: [805024c8 --> 805be1dc] nt!NtInitiatePowerAction
[ 5f]: [805024cc --> 805cb36a] nt!NtIsProcessInJob
[ 60]: [805024d0 --> 805be3f0] nt!NtIsSystemResumeAutomatic
[ 61]: [805024d4 --> 8059a7bc] nt!NtListenPort
[ 62]: [805024d8 --> 80579848] nt!NtLoadDriver
[ 63]: [805024dc --> 8061bf5e] nt!NtLoadKey
[ 64]: [805024e0 --> 8061bba8] nt!NtLoadKey2
[ 65]: [805024e4 --> 8056e85c] nt!NtLockFile
[ 66]: [805024e8 --> 80609472] nt!NtLockProductActivationKeys
[ 67]: [805024ec --> 8061a0fe] nt!NtLockRegistryKey
[ 68]: [805024f0 --> 805abfe6] nt!NtLockVirtualMemory
[ 69]: [805024f4 --> 805b505c] nt!NtMakePermanentObject
[ 6a]: [805024f8 --> 805b1d84] nt!NtMakeTemporaryObject
[ 6b]: [805024fc --> 805aa948] nt!NtMapUserPhysicalPages
[ 6c]: [80502500 --> 805aaf20] nt!NtMapUserPhysicalPagesScatter
[ 6d]: [80502504 --> 805a7526] nt!NtMapViewOfSection
[ 6e]: [80502508 --> 805be3e2] nt!NtModifyBootEntry
[ 6f]: [8050250c --> 8056f48c] nt!NtNotifyChangeDirectoryFile
[ 70]: [80502510 --> 8061bf28] nt!NtNotifyChangeKey
[ 71]: [80502514 --> 8061b044] nt!NtNotifyChangeMultipleKeys
[ 72]: [80502518 --> 805b3cae] nt!NtOpenDirectoryObject
[ 73]: [8050251c --> 80605086] nt!NtOpenEvent
[ 74]: [80502520 --> 8060d2d2] nt!NtOpenEventPair
[ 75]: [80502524 --> 8056f74c] nt!NtOpenFile
[ 76]: [80502528 --> 8056e0e4] nt!NtOpenIoCompletion
[ 77]: [8050252c --> 805cb8f4] nt!NtOpenJobObject
[ 78]: [80502530 --> 8061b5c4] nt!NtOpenKey
[ 79]: [80502534 --> 8060d6ca] nt!NtOpenMutant
[ 7a]: [80502538 --> 805ea61c] nt!NtOpenObjectAuditAlarm
[ 7b]: [8050253c --> 805c11c2] nt!NtOpenProcess
[ 7c]: [80502540 --> 805e38fc] nt!NtOpenProcessToken
[ 7d]: [80502544 --> 805e3502] nt!NtOpenProcessTokenEx
[ 7e]: [80502548 --> 8059f840] nt!NtOpenSection
[ 7f]: [8050254c --> 8060b096] nt!NtOpenSemaphore
[ 80]: [80502550 --> 805babca] nt!NtOpenSymbolicLinkObject
[ 81]: [80502554 --> 805c144e] nt!NtOpenThread
[ 82]: [80502558 --> 805e391a] nt!NtOpenThreadToken
[ 83]: [8050255c --> 805e3672] nt!NtOpenThreadTokenEx
[ 84]: [80502560 --> 8060cfe4] nt!NtOpenTimer
[ 85]: [80502564 --> 8063b4a8] nt!NtPlugPlayControl
[ 86]: [80502568 --> 805bf272] nt!NtPowerInformation
[ 87]: [8050256c --> 805edce6] nt!NtPrivilegeCheck
[ 88]: [80502570 --> 805e992e] nt!NtPrivilegeObjectAuditAlarm
[ 89]: [80502574 --> 805e9b1a] nt!NtPrivilegedServiceAuditAlarm
[ 8a]: [80502578 --> 805adaae] nt!NtProtectVirtualMemory
[ 8b]: [8050257c --> 8060513e] nt!NtPulseEvent
[ 8c]: [80502580 --> 8056c4be] nt!NtQueryAttributesFile
[ 8d]: [80502584 --> 8060c984] nt!NtAddBootEntry
[ 8e]: [80502588 --> 8060c984] nt!NtAddBootEntry
[ 8f]: [8050258c --> 8053c5be] nt!NtQueryDebugFilterState
[ 90]: [80502590 --> 80606caa] nt!NtQueryDefaultLocale
[ 91]: [80502594 --> 8060790a] nt!NtQueryDefaultUILanguage
[ 92]: [80502598 --> 8056f426] nt!NtQueryDirectoryFile
[ 93]: [8050259c --> 805b3d4e] nt!NtQueryDirectoryObject
[ 94]: [805025a0 --> 8056f77c] nt!NtQueryEaFile
[ 95]: [805025a4 --> 80605206] nt!NtQueryEvent
[ 96]: [805025a8 --> 8056c5f6] nt!NtQueryFullAttributesFile
[ 97]: [805025ac --> 8060c11e] nt!NtQueryInformationAtom
[ 98]: [805025b0 --> 8056fff8] nt!NtQueryInformationFile
[ 99]: [805025b4 --> 805cbdc6] nt!NtQueryInformationJobObject
[ 9a]: [805025b8 --> 8059a81a] nt!NtQueryInformationPort
[ 9b]: [805025bc --> 805c2b28] nt!NtQueryInformationProcess
[ 9c]: [805025c0 --> 805c16f4] nt!NtQueryInformationThread
[ 9d]: [805025c4 --> 805e39fa] nt!NtQueryInformationToken
[ 9e]: [805025c8 --> 806070a8] nt!NtQueryInstallUILanguage
[ 9f]: [805025cc --> 8060de94] nt!NtQueryIntervalProfile
[ a0]: [805025d0 --> 8056e18c] nt!NtQueryIoCompletion
[ a1]: [805025d4 --> 8061b8e8] nt!NtQueryKey
[ a2]: [805025d8 --> 806193fc] nt!NtQueryMultipleValueKey
[ a3]: [805025dc --> 8060d772] nt!NtQueryMutant
[ a4]: [805025e0 --> 805ba0a4] nt!NtQueryObject
[ a5]: [805025e4 --> 80619a62] nt!NtQueryOpenSubKeys
[ a6]: [805025e8 --> 8060df22] nt!NtQueryPerformanceCounter
[ a7]: [805025ec --> 80570e42] nt!NtQueryQuotaInformationFile
[ a8]: [805025f0 --> 805adc70] nt!NtQuerySection
[ a9]: [805025f4 --> 805b5a28] nt!NtQuerySecurityObject
[ aa]: [805025f8 --> 8060b14e] nt!NtQuerySemaphore
[ ab]: [805025fc --> 805bac6a] nt!NtQuerySymbolicLinkObject
[ ac]: [80502600 --> 8060c9a0] nt!NtQuerySystemEnvironmentValue
[ ad]: [80502604 --> 8060c968] nt!NtSetSystemEnvironmentValueEx
[ ae]: [80502608 --> 8060798a] nt!NtQuerySystemInformation
[ af]: [8050260c --> 80609826] nt!NtQuerySystemTime
[ b0]: [80502610 --> 8060d09c] nt!NtQueryTimer
[ b1]: [80502614 --> 806090de] nt!NtQueryTimerResolution
[ b2]: [80502618 --> 806182e8] nt!NtQueryValueKey
[ b3]: [8050261c --> 805ae2f6] nt!NtQueryVirtualMemory
[ b4]: [80502620 --> 80571332] nt!NtQueryVolumeInformationFile
[ b5]: [80502624 --> 805c7390] nt!NtQueueApcThread
[ b6]: [80502628 --> 805413d8] nt!NtRaiseException
[ b7]: [8050262c --> 8060adc0] nt!NtRaiseHardError
[ b8]: [80502630 --> 80571afa] nt!NtReadFile
[ b9]: [80502634 --> 80572088] nt!NtReadFileScatter
[ ba]: [80502638 --> 8059b2a2] nt!NtReadRequestData
[ bb]: [8050263c --> 805a97b8] nt!NtReadVirtualMemory
[ bc]: [80502640 --> 805c88c6] nt!NtRegisterThreadTerminatePort
[ bd]: [80502644 --> 8060d8aa] nt!NtReleaseMutant
[ be]: [80502648 --> 8060b27e] nt!NtReleaseSemaphore
[ bf]: [8050264c --> 8056e484] nt!NtRemoveIoCompletion
[ c0]: [80502650 --> 80639386] nt!NtRemoveProcessDebug
[ c1]: [80502654 --> 80619c54] nt!NtRenameKey
[ c2]: [80502658 --> 8061be0e] nt!NtReplaceKey
[ c3]: [8050265c --> 8059a922] nt!NtReplyPort
[ c4]: [80502660 --> 8059b8ea] nt!NtReplyWaitReceivePort
[ c5]: [80502664 --> 8059b2f2] nt!NtReplyWaitReceivePortEx
[ c6]: [80502668 --> 8059ac0c] nt!NtReplyWaitReplyPort
[ c7]: [8050266c --> 805be374] nt!NtRequestDeviceWakeup
[ c8]: [80502670 --> 80597e80] nt!NtRequestPort
[ c9]: [80502674 --> 805981ac] nt!NtRequestWaitReplyPort
[ ca]: [80502678 --> 805be182] nt!NtRequestWakeupLatency
[ cb]: [8050267c --> 80605318] nt!NtResetEvent
[ cc]: [80502680 --> 8051e45e] nt!NtResetWriteWatch
[ cd]: [80502684 --> 80618636] nt!NtRestoreKey
[ ce]: [80502688 --> 805cac26] nt!NtResumeProcess
[ cf]: [8050268c --> 805cab08] nt!NtResumeThread
[ d0]: [80502690 --> 806186d8] nt!NtSaveKey
[ d1]: [80502694 --> 80618768] nt!NtSaveKeyEx
[ d2]: [80502698 --> 80618834] nt!NtSaveMergedKeys
[ d3]: [8050269c --> 8059919a] nt!NtSecureConnectPort
[ d4]: [805026a0 --> 8060c984] nt!NtAddBootEntry
[ d5]: [805026a4 --> 8060c984] nt!NtAddBootEntry
[ d6]: [805026a8 --> 805c7854] nt!NtSetContextThread
[ d7]: [805026ac --> 8063c03e] nt!NtSetDebugFilterState
[ d8]: [805026b0 --> 8060ac6a] nt!NtSetDefaultHardErrorPort
[ d9]: [805026b4 --> 80606dfa] nt!NtSetDefaultLocale
[ da]: [805026b8 --> 8060766c] nt!NtSetDefaultUILanguage
[ db]: [805026bc --> 8056fc98] nt!NtSetEaFile
[ dc]: [805026c0 --> 806053d8] nt!NtSetEvent
[ dd]: [805026c4 --> 806054a2] nt!NtSetEventBoostPriority
[ de]: [805026c8 --> 8060d58e] nt!NtSetHighEventPair
[ df]: [805026cc --> 8060d4be] nt!NtSetHighWaitLowEventPair
[ e0]: [805026d0 --> 80638d50] nt!NtSetInformationDebugObject
[ e1]: [805026d4 --> 805705fc] nt!NtSetInformationFile
[ e2]: [805026d8 --> 805ccad6] nt!NtSetInformationJobObject
[ e3]: [805026dc --> 80618fc8] nt!NtSetInformationKey
[ e4]: [805026e0 --> 805b94e8] nt!NtSetInformationObject
[ e5]: [805026e4 --> 805c3c80] nt!NtSetInformationProcess
[ e6]: [805026e8 --> 805c1c40] nt!NtSetInformationThread
[ e7]: [805026ec --> 805f0062] nt!NtSetInformationToken
[ e8]: [805026f0 --> 8060d9f6] nt!NtSetIntervalProfile
[ e9]: [805026f4 --> 8056e422] nt!NtSetIoCompletion
[ ea]: [805026f8 --> 805c9a52] nt!NtSetLdtEntries
[ eb]: [805026fc --> 8060d52a] nt!NtSetLowEventPair
[ ec]: [80502700 --> 8060d452] nt!NtSetLowWaitHighEventPair
[ ed]: [80502704 --> 80570e20] nt!NtSetQuotaInformationFile
[ ee]: [80502708 --> 805b595c] nt!NtSetSecurityObject
[ ef]: [8050270c --> 8060cc24] nt!NtSetSystemEnvironmentValue
[ f0]: [80502710 --> 8060c968] nt!NtSetSystemEnvironmentValueEx
[ f1]: [80502714 --> 80605cd8] nt!NtSetSystemInformation
[ f2]: [80502718 --> 806485f6] nt!NtSetSystemPowerState
[ f3]: [8050271c --> 8060a3e6] nt!NtSetSystemTime
[ f4]: [80502720 --> 805be096] nt!NtSetThreadExecutionState
[ f5]: [80502724 --> 805356d2] nt!NtSetTimer
[ f6]: [80502728 --> 806098b8] nt!NtSetTimerResolution
[ f7]: [8050272c --> 8060b734] nt!NtSetUuidSeed
[ f8]: [80502730 --> 806188ee] nt!NtSetValueKey
[ f9]: [80502734 --> 80571756] nt!NtSetVolumeInformationFile
[ fa]: [80502738 --> 80608ed4] nt!NtShutdownSystem
[ fb]: [8050273c --> 80523210] nt!NtSignalAndWaitForSingleObject
[ fc]: [80502740 --> 8060dc40] nt!NtStartProfile
[ fd]: [80502744 --> 8060ddea] nt!NtStopProfile
[ fe]: [80502748 --> 805cabd0] nt!NtSuspendProcess
[ ff]: [8050274c --> 805caa42] nt!NtSuspendThread
[ 100]: [80502750 --> 8060e00e] nt!NtSystemDebugControl
[ 101]: [80502754 --> 805cd640] nt!NtTerminateJobObject
[ 102]: [80502758 --> 805c8b10] nt!NtTerminateProcess
[ 103]: [8050275c --> 805c8d0a] nt!NtTerminateThread
[ 104]: [80502760 --> 805cad90] nt!NtTestAlert
[ 105]: [80502764 --> 80531db0] nt!NtTraceEvent
[ 106]: [80502768 --> 8060c992] nt!NtTranslateFilePath
[ 107]: [8050276c --> 805799dc] nt!NtUnloadDriver
[ 108]: [80502770 --> 80618bb6] nt!NtUnloadKey
[ 109]: [80502774 --> 80618da4] nt!NtUnloadKeyEx
[ 10a]: [80502778 --> 8056ec08] nt!NtUnlockFile
[ 10b]: [8050277c --> 805ac574] nt!NtUnlockVirtualMemory
[ 10c]: [80502780 --> 805a833c] nt!NtUnmapViewOfSection
[ 10d]: [80502784 --> 805f141a] nt!NtVdmControl
[ 10e]: [80502788 --> 80638ab8] nt!NtWaitForDebugEvent
[ 10f]: [8050278c --> 805b6094] nt!NtWaitForMultipleObjects
[ 110]: [80502790 --> 805b5faa] nt!NtWaitForSingleObject
[ 111]: [80502794 --> 8060d3ee] nt!NtWaitHighEventPair
[ 112]: [80502798 --> 8060d38a] nt!NtWaitLowEventPair
[ 113]: [8050279c --> 80572598] nt!NtWriteFile
[ 114]: [805027a0 --> 80572ba8] nt!NtWriteFileGather
[ 115]: [805027a4 --> 8059b2ca] nt!NtWriteRequestData
[ 116]: [805027a8 --> 805a98c2] nt!NtWriteVirtualMemory
[ 117]: [805027ac --> 805029f4] nt!NtYieldExecution
[ 118]: [805027b0 --> 8060e466] nt!NtCreateKeyedEvent
[ 119]: [805027b4 --> 8060e550] nt!NtOpenKeyedEvent
[ 11a]: [805027b8 --> 8060e602] nt!NtReleaseKeyedEvent
[ 11b]: [805027bc --> 8060e88e] nt!NtWaitForKeyedEvent
[ 11c]: [805027c0 --> 805c16c4] nt!NtQueryPortInformationProcess
可见, KeServiceDescriptorTable的前四项是对KiServiceTable的描述【start_addr, start_index, end_addr, end_index】
//
// System Service Table Descriptor
//
typedef struct _KSERVICE_TABLE_DESCRIPTOR
{
PULONG_PTR Base;
PULONG Count;
ULONG Limit;
#if defined(_IA64_)
LONG TableBaseGpOffset;
#endif
PUCHAR Number;
} KSERVICE_TABLE_DESCRIPTOR, *PKSERVICE_TABLE_DESCRIPTOR;
//
// Exported System Service Descriptor Tables
//
extern KSERVICE_TABLE_DESCRIPTOR NTSYSAPI KeServiceDescriptorTable[SSDT_MAX_ENTRIES];
extern KSERVICE_TABLE_DESCRIPTOR NTSYSAPI KeServiceDescriptorTableShadow[SSDT_MAX_ENTRIES];
//
// Maximum System Descriptor Table Entries
//
#define SSDT_MAX_ENTRIES 2
因此KeServiceDescriptorTable与KeServiceDescriptorTableShadow其实是上述结构体KSERVICE_TABLE_DESCRIPTOR的数组,每个数组里面都只有两项。
kd> dds nt!KeServiceDescriptorTable L8
80553580 80502354 nt!KiServiceTable
80553584 00000000
80553588 0000011c
8055358c 805027c8 nt!KiArgumentTable
80553590 00000000
80553594 00000000
80553598 00000000
8055359c 00000000
kd> dds nt!KeServiceDescriptorTableShadow L8
80553540 80502354 nt!KiServiceTable
80553544 00000000
80553548 0000011c
8055354c 805027c8 nt!KiArgumentTable
80553550 bf999400 win32k!W32pServiceTable
80553554 00000000
80553558 0000029b
8055355c bf99a110 win32k!W32pArgumentTable
而真正的System Service Routine的列表在KiServiceTable和W32pServiceTable中。
[ 1]: [bf999400 --> bf9357a3] win32k!NtGdiAbortDoc
[ 2]: [bf999404 --> bf947361] win32k!NtGdiAbortPath
[ 3]: [bf999408 --> bf896625] win32k!NtGdiAddFontResourceW
[ 4]: [bf99940c --> bf93ef25] win32k!NtGdiAddRemoteFontToDC
[ 5]: [bf999410 --> bf948978] win32k!NtGdiAddFontMemResourceEx
[ 6]: [bf999414 --> bf935a37] win32k!NtGdiRemoveMergeFont
[ 7]: [bf999418 --> bf935adc] win32k!NtGdiAddRemoteMMInstanceToDC
[ 8]: [bf99941c --> bf83b65f] win32k!NtGdiAlphaBlend
[ 9]: [bf999420 --> bf94829f] win32k!NtGdiAngleArc
[ a]: [bf999424 --> bf934242] win32k!NtGdiAnyLinkedFonts
[ b]: [bf999428 --> bf948897] win32k!NtGdiFontIsLinked
[ c]: [bf99942c --> bf90eea2] win32k!NtGdiArcInternal
[ d]: [bf999430 --> bf900833] win32k!NtGdiBeginPath
[ e]: [bf999434 --> bf80a178] win32k!NtGdiBitBlt
[ f]: [bf999438 --> bf948769] win32k!NtGdiCancelDC
[ 10]: [bf99943c --> bf949f65] win32k!NtGdiCheckBitmapBits
[ 11]: [bf999440 --> bf8ff130] win32k!NtGdiCloseFigure
[ 12]: [bf999444 --> bf89d4eb] win32k!NtGdiClearBitmapAttributes
[ 13]: [bf999448 --> bf948847] win32k!NtGdiClearBrushAttributes
[ 14]: [bf99944c --> bf94a098] win32k!NtGdiColorCorrectPalette
[ 15]: [bf999450 --> bf8210bb] win32k!NtGdiCombineRgn
[ 16]: [bf999454 --> bf8dcd15] win32k!NtGdiCombineTransform
[ 17]: [bf999458 --> bf88374b] win32k!NtGdiComputeXformCoefficients
[ 18]: [bf99945c --> bf87d210] win32k!NtGdiConsoleTextOut
[ 19]: [bf999460 --> bf9100dd] win32k!NtGdiConvertMetafileRect
[ 1a]: [bf999464 --> bf80e427] win32k!NtGdiCreateBitmap
[ 1b]: [bf999468 --> bf8dc9bd] win32k!NtGdiCreateClientObj
[ 1c]: [bf99946c --> bf949d5d] win32k!NtGdiCreateColorSpace
[ 1d]: [bf999470 --> bf94ac5c] win32k!NtGdiCreateColorTransform
[ 1e]: [bf999474 --> bf80fc96] win32k!NtGdiCreateCompatibleBitmap
[ 1f]: [bf999478 --> bf80d0f2] win32k!NtGdiCreateCompatibleDC
[ 20]: [bf99947c --> bf8d1699] win32k!NtGdiCreateDIBBrush
[ 21]: [bf999480 --> bf838921] win32k!NtGdiCreateDIBitmapInternal
[ 22]: [bf999484 --> bf82dac0] win32k!NtGdiCreateDIBSection
[ 23]: [bf999488 --> bf9386bb] win32k!NtGdiCreateEllipticRgn
[ 24]: [bf99948c --> bf84b5aa] win32k!NtGdiCreateHalftonePalette
[ 25]: [bf999490 --> bf94bce8] win32k!NtGdiCreateHatchBrushInternal
[ 26]: [bf999494 --> bf8e6517] win32k!NtGdiCreateMetafileDC
[ 27]: [bf999498 --> bf88235e] win32k!NtGdiCreatePaletteInternal
[ 28]: [bf99949c --> bf8687e1] win32k!NtGdiCreatePatternBrushInternal
[ 29]: [bf9994a0 --> bf84f1ec] win32k!NtGdiCreatePen
[ 2a]: [bf9994a4 --> bf8408ce] win32k!NtGdiCreateRectRgn
[ 2b]: [bf9994a8 --> bf88cb87] win32k!NtGdiCreateRoundRectRgn
[ 2c]: [bf9994ac --> bf90ffe2] win32k!NtGdiCreateServerMetaFile
[ 2d]: [bf9994b0 --> bf81a08f] win32k!NtGdiCreateSolidBrush
[ 2e]: [bf9994b4 --> bf9338ae] win32k!NtGdiD3dContextCreate
[ 2f]: [bf9994b8 --> bf9338c1] win32k!NtGdiD3dContextDestroy
[ 30]: [bf9994bc --> bf9338d4] win32k!NtGdiD3dContextDestroyAll
[ 31]: [bf9994c0 --> bf9338e7] win32k!NtGdiD3dValidateTextureStageState
[ 32]: [bf9994c4 --> bf9338fa] win32k!NtGdiD3dDrawPrimitives2
[ 33]: [bf9994c8 --> bf93390d] win32k!NtGdiDdGetDriverState
[ 34]: [bf9994cc --> bf933783] win32k!NtGdiDdAddAttachedSurface
[ 35]: [bf9994d0 --> bf9339cd] win32k!NtGdiDdAlphaBlt
[ 36]: [bf9994d4 --> bf907cf2] win32k!NtGdiDdAttachSurface
[ 37]: [bf9994d8 --> bf933978] win32k!NtGdiDdBeginMoCompFrame
[ 38]: [bf9994dc --> bf907d05] win32k!NtGdiDdBlt
[ 39]: [bf9994e0 --> bf907adf] win32k!NtGdiDdCanCreateSurface
[ 3a]: [bf9994e4 --> bf933885] win32k!NtGdiDdCanCreateD3DBuffer
[ 3b]: [bf9994e8 --> bf933796] win32k!NtGdiDdColorControl
[ 3c]: [bf9994ec --> bf8edd93] win32k!NtGdiDdCreateDirectDrawObject
[ 3d]: [bf9994f0 --> bf8edda6] win32k!NtGdiDdCreateSurface
[ 3e]: [bf9994f4 --> bf93386f] win32k!NtGdiDdCreateD3DBuffer
[ 3f]: [bf9994f8 --> bf907b1e] win32k!NtGdiDdCreateMoComp
[ 40]: [bf9994fc --> bf90815d] win32k!NtGdiDdCreateSurfaceObject
[ 41]: [bf999500 --> bf8edfef] win32k!NtGdiDdDeleteDirectDrawObject
[ 42]: [bf999504 --> bf907cc6] win32k!NtGdiDdDeleteSurfaceObject
[ 43]: [bf999508 --> bf907af2] win32k!NtGdiDdDestroyMoComp
[ 44]: [bf99950c --> bf8edfd9] win32k!NtGdiDdDestroySurface
[ 45]: [bf999510 --> bf933898] win32k!NtGdiDdDestroyD3DBuffer
[ 46]: [bf999514 --> bf93398b] win32k!NtGdiDdEndMoCompFrame
[ 47]: [bf999518 --> bf908203] win32k!NtGdiDdFlip
[ 48]: [bf99951c --> bf90890e] win32k!NtGdiDdFlipToGDISurface
[ 49]: [bf999520 --> bf907cdc] win32k!NtGdiDdGetAvailDriverMemory
[ 4a]: [bf999524 --> bf9337a9] win32k!NtGdiDdGetBltStatus
[ 4b]: [bf999528 --> bf907a4a] win32k!NtGdiDdGetDC
[ 4c]: [bf99952c --> bf907a89] win32k!NtGdiDdGetDriverInfo
[ 4d]: [bf999530 --> bf933817] win32k!NtGdiDdGetDxHandle
[ 4e]: [bf999534 --> bf9337bf] win32k!NtGdiDdGetFlipStatus
[ 4f]: [bf999538 --> bf933962] win32k!NtGdiDdGetInternalMoCompInfo
[ 50]: [bf99953c --> bf93394c] win32k!NtGdiDdGetMoCompBuffInfo
[ 51]: [bf999540 --> bf907b08] win32k!NtGdiDdGetMoCompGuids
[ 52]: [bf999544 --> bf933936] win32k!NtGdiDdGetMoCompFormats
[ 53]: [bf999548 --> bf908a14] win32k!NtGdiDdGetScanLine
[ 54]: [bf99954c --> bf8e42af] win32k!NtGdiDdLock
[ 55]: [bf999550 --> bf933843] win32k!NtGdiDdLockD3D
[ 56]: [bf999554 --> bf8edd32] win32k!NtGdiDdQueryDirectDrawObject
[ 57]: [bf999558 --> bf9339b7] win32k!NtGdiDdQueryMoCompStatus
[ 58]: [bf99955c --> bf8edd6d] win32k!NtGdiDdReenableDirectDrawObject
[ 59]: [bf999560 --> bf907bbe] win32k!NtGdiDdReleaseDC
[ 5a]: [bf999564 --> bf9339a1] win32k!NtGdiDdRenderMoComp
[ 5b]: [bf999568 --> bf8e40f5] win32k!NtGdiDdResetVisrgn
[ 5c]: [bf99956c --> bf908219] win32k!NtGdiDdSetColorKey
[ 5d]: [bf999570 --> bf9337d5] win32k!NtGdiDdSetExclusiveMode
[ 5e]: [bf999574 --> bf93382d] win32k!NtGdiDdSetGammaRamp
[ 5f]: [bf999578 --> bf933920] win32k!NtGdiDdCreateSurfaceEx
[ 60]: [bf99957c --> bf9337eb] win32k!NtGdiDdSetOverlayPosition
[ 61]: [bf999580 --> bf907d92] win32k!NtGdiDdUnattachSurface
[ 62]: [bf999584 --> bf8e40a5] win32k!NtGdiDdUnlock
[ 63]: [bf999588 --> bf933859] win32k!NtGdiDdUnlockD3D
[ 64]: [bf99958c --> bf9081ed] win32k!NtGdiDdUpdateOverlay
[ 65]: [bf999590 --> bf933801] win32k!NtGdiDdWaitForVerticalBlank
[ 66]: [bf999594 --> bf9339e0] win32k!NtGdiDvpCanCreateVideoPort
[ 67]: [bf999598 --> bf9339f6] win32k!NtGdiDvpColorControl
[ 68]: [bf99959c --> bf933a0c] win32k!NtGdiDvpCreateVideoPort
[ 69]: [bf9995a0 --> bf933a22] win32k!NtGdiDvpDestroyVideoPort
[ 6a]: [bf9995a4 --> bf933a38] win32k!NtGdiDvpFlipVideoPort
[ 6b]: [bf9995a8 --> bf933a4e] win32k!NtGdiDvpGetVideoPortBandwidth
[ 6c]: [bf9995ac --> bf933a64] win32k!NtGdiDvpGetVideoPortField
[ 6d]: [bf9995b0 --> bf933a7a] win32k!NtGdiDvpGetVideoPortFlipStatus
[ 6e]: [bf9995b4 --> bf933a90] win32k!NtGdiDvpGetVideoPortInputFormats
[ 6f]: [bf9995b8 --> bf933aa6] win32k!NtGdiDvpGetVideoPortLine
[ 70]: [bf9995bc --> bf933abc] win32k!NtGdiDvpGetVideoPortOutputFormats
[ 71]: [bf9995c0 --> bf933ad2] win32k!NtGdiDvpGetVideoPortConnectInfo
[ 72]: [bf9995c4 --> bf933ae8] win32k!NtGdiDvpGetVideoSignalStatus
[ 73]: [bf9995c8 --> bf933afe] win32k!NtGdiDvpUpdateVideoPort
[ 74]: [bf9995cc --> bf933b14] win32k!NtGdiDvpWaitForVideoPortSync
[ 75]: [bf9995d0 --> bf933b2a] win32k!NtGdiDvpAcquireNotification
[ 76]: [bf9995d4 --> bf933b40] win32k!NtGdiDvpReleaseNotification
[ 77]: [bf9995d8 --> bf933770] win32k!NtGdiDxgGenericThunk
[ 78]: [bf9995dc --> bf8dcadf] win32k!NtGdiDeleteClientObj
[ 79]: [bf9995e0 --> bf949d50] win32k!NtGdiDeleteColorSpace
[ 7a]: [bf9995e4 --> bf94af18] win32k!NtGdiDeleteColorTransform
[ 7b]: [bf9995e8 --> bf80fb23] win32k!NtGdiDeleteObjectApp
[ 7c]: [bf9995ec --> bf94944e] win32k!NtGdiDescribePixelFormat
[ 7d]: [bf9995f0 --> bf8faebb] win32k!NtGdiGetPerBandInfo
[ 7e]: [bf9995f4 --> bf8fc502] win32k!NtGdiDoBanding
[ 7f]: [bf9995f8 --> bf843898] win32k!NtGdiDoPalette
[ 80]: [bf9995fc --> bf9482e9] win32k!NtGdiDrawEscape
[ 81]: [bf999600 --> bf8d41b0] win32k!NtGdiEllipse
[ 82]: [bf999604 --> bf89bbe3] win32k!NtGdiEnableEudc
[ 83]: [bf999608 --> bf8fbe4b] win32k!NtGdiEndDoc
[ 84]: [bf99960c --> bf9052ee] win32k!NtGdiEndPage
[ 85]: [bf999610 --> bf9008d3] win32k!NtGdiEndPath
[ 86]: [bf999614 --> bf88768a] win32k!NtGdiEnumFontChunk
[ 87]: [bf999618 --> bf887609] win32k!NtGdiEnumFontClose
[ 88]: [bf99961c --> bf886c98] win32k!NtGdiEnumFontOpen
[ 89]: [bf999620 --> bf8d19a1] win32k!NtGdiEnumObjects
[ 8a]: [bf999624 --> bf9387b6] win32k!NtGdiEqualRgn
[ 8b]: [bf999628 --> bf94f4f3] win32k!NtGdiEudcLoadUnloadLink
[ 8c]: [bf99962c --> bf82d2c1] win32k!NtGdiExcludeClipRect
[ 8d]: [bf999630 --> bf8c9d87] win32k!NtGdiExtCreatePen
[ 8e]: [bf999634 --> bf840c15] win32k!NtGdiExtCreateRegion
[ 8f]: [bf999638 --> bf8bfb6c] win32k!NtGdiExtEscape
[ 90]: [bf99963c --> bf950311] win32k!NtGdiExtFloodFill
[ 91]: [bf999640 --> bf82c1c7] win32k!NtGdiExtGetObjectW
[ 92]: [bf999644 --> bf80f2e7] win32k!NtGdiExtSelectClipRgn
[ 93]: [bf999648 --> bf82928c] win32k!NtGdiExtTextOutW
[ 94]: [bf99964c --> bf947486] win32k!NtGdiFillPath
[ 95]: [bf999650 --> bf875583] win32k!NtGdiFillRgn
[ 96]: [bf999654 --> bf9473eb] win32k!NtGdiFlattenPath
[ 97]: [bf999658 --> bf80c24f] win32k!NtGdiFlushUserBatch
[ 98]: [bf99965c --> bf807a02] win32k!NtGdiFlush
[ 99]: [bf999660 --> bf94932e] win32k!NtGdiForceUFIMapping
[ 9a]: [bf999664 --> bf88cdf9] win32k!NtGdiFrameRgn
[ 9b]: [bf999668 --> bf93b48f] win32k!NtGdiFullscreenControl
[ 9c]: [bf99966c --> bf8c9058] win32k!NtGdiGetAndSetDCDword
[ 9d]: [bf999670 --> bf816afe] win32k!NtGdiGetAppClipBox
[ 9e]: [bf999674 --> bf875a76] win32k!NtGdiGetBitmapBits
[ 9f]: [bf999678 --> bf949250] win32k!NtGdiGetBitmapDimension
[ a0]: [bf99967c --> bf8bd5dd] win32k!NtGdiGetBoundsRect
[ a1]: [bf999680 --> bf8f91ba] win32k!NtGdiGetCharABCWidthsW
[ a2]: [bf999684 --> bf9479f4] win32k!NtGdiGetCharacterPlacementW
[ a3]: [bf999688 --> bf80f8b3] win32k!NtGdiGetCharSet
[ a4]: [bf99968c --> bf8eb49e] win32k!NtGdiGetCharWidthW
[ a5]: [bf999690 --> bf882e1c] win32k!NtGdiGetCharWidthInfo
[ a6]: [bf999694 --> bf94860b] win32k!NtGdiGetColorAdjustment
[ a7]: [bf999698 --> bf950bc6] win32k!NtGdiGetColorSpaceforBitmap
[ a8]: [bf99969c --> bf82c494] win32k!NtGdiGetDCDword
[ a9]: [bf9996a0 --> bf836294] win32k!NtGdiGetDCforBitmap
[ aa]: [bf9996a4 --> bf82c321] win32k!NtGdiGetDCObject
[ ab]: [bf9996a8 --> bf8c5409] win32k!NtGdiGetDCPoint
[ ac]: [bf9996ac --> bf948807] win32k!NtGdiGetDeviceCaps
[ ad]: [bf9996b0 --> bf94a2ef] win32k!NtGdiGetDeviceGammaRamp
[ ae]: [bf9996b4 --> bf8fa227] win32k!NtGdiGetDeviceCapsAll
[ af]: [bf9996b8 --> bf84567d] win32k!NtGdiGetDIBitsInternal
[ b0]: [bf9996bc --> bf951b29] win32k!NtGdiGetETM
[ b1]: [bf9996c0 --> bf94cf95] win32k!NtGdiGetEudcTimeStampEx
[ b2]: [bf9996c4 --> bf8ecc8c] win32k!NtGdiGetFontData
[ b3]: [bf9996c8 --> bf948aa6] win32k!NtGdiGetFontResourceInfoInternalW
[ b4]: [bf9996cc --> bf949731] win32k!NtGdiGetGlyphIndicesW
[ b5]: [bf9996d0 --> bf9495d4] win32k!NtGdiGetGlyphIndicesWInternal
[ b6]: [bf9996d4 --> bf9483fc] win32k!NtGdiGetGlyphOutline
[ b7]: [bf9996d8 --> bf948501] win32k!NtGdiGetKerningPairs
[ b8]: [bf9996dc --> bf9357bb] win32k!NtGdiGetLinkedUFIs
[ b9]: [bf9996e0 --> bf8e657f] win32k!NtGdiGetMiterLimit
[ ba]: [bf9996e4 --> bf93e3b6] win32k!NtGdiGetMonitorID
[ bb]: [bf9996e8 --> bf82d417] win32k!NtGdiGetNearestColor
[ bc]: [bf9996ec --> bf94bd6e] win32k!NtGdiGetNearestPaletteIndex
[ bd]: [bf9996f0 --> bf948592] win32k!NtGdiGetObjectBitmapHandle
[ be]: [bf9996f4 --> bf8eab87] win32k!NtGdiGetOutlineTextMetricsInternalW
[ bf]: [bf9996f8 --> bf947853] win32k!NtGdiGetPath
[ c0]: [bf9996fc --> bf84666d] win32k!NtGdiGetPixel
[ c1]: [bf999700 --> bf80f2f7] win32k!NtGdiGetRandomRgn
[ c2]: [bf999704 --> bf8ed7ca] win32k!NtGdiGetRasterizerCaps
[ c3]: [bf999708 --> bf9497dc] win32k!NtGdiGetRealizationInfo
[ c4]: [bf99970c --> bf87f1b4] win32k!NtGdiGetRegionData
[ c5]: [bf999710 --> bf8c5353] win32k!NtGdiGetRgnBox
[ c6]: [bf999714 --> bf91023c] win32k!NtGdiGetServerMetaFileBits
[ c7]: [bf999718 --> bf890c97] win32k!NtGdiGetSpoolMessage
[ c8]: [bf99971c --> bf951ca6] win32k!NtGdiGetStats
[ c9]: [bf999720 --> bf81fa30] win32k!NtGdiGetStockObject
[ ca]: [bf999724 --> bf94eb87] win32k!NtGdiGetStringBitmapW
[ cb]: [bf999728 --> bf8f4c41] win32k!NtGdiGetSystemPaletteUse
[ cc]: [bf99972c --> bf837d45] win32k!NtGdiGetTextCharsetInfo
[ cd]: [bf999730 --> bf84ab72] win32k!NtGdiGetTextExtent
[ ce]: [bf999734 --> bf8d1207] win32k!NtGdiGetTextExtentExW
[ cf]: [bf999738 --> bf839de4] win32k!NtGdiGetTextFaceW
[ d0]: [bf99973c --> bf837ba3] win32k!NtGdiGetTextMetricsW
[ d1]: [bf999740 --> bf8bc64f] win32k!NtGdiGetTransform
[ d2]: [bf999744 --> bf948ced] win32k!NtGdiGetUFI
[ d3]: [bf999748 --> bf948db6] win32k!NtGdiGetEmbUFI
[ d4]: [bf99974c --> bf948e96] win32k!NtGdiGetUFIPathname
[ d5]: [bf999750 --> bf948c6e] win32k!NtGdiGetEmbedFonts
[ d6]: [bf999754 --> bf948c78] win32k!NtGdiChangeGhostFont
[ d7]: [bf999758 --> bf934aed] win32k!NtGdiAddEmbFontToDC
[ d8]: [bf99975c --> bf949755] win32k!NtGdiGetFontUnicodeRanges
[ d9]: [bf999760 --> bf838ff4] win32k!NtGdiGetWidthTable
[ da]: [bf999764 --> bf88e033] win32k!NtGdiGradientFill
[ db]: [bf999768 --> bf837891] win32k!NtGdiHfontCreate
[ dc]: [bf99976c --> bf94a8d3] win32k!NtGdiIcmBrushInfo
[ dd]: [bf999770 --> bf87c3bc] win32k!NtGdiInit
[ de]: [bf999774 --> bf89dc09] win32k!NtGdiInitSpool
[ df]: [bf999778 --> bf816627] win32k!NtGdiIntersectClipRect
[ e0]: [bf99977c --> bf8f8704] win32k!NtGdiInvertRgn
[ e1]: [bf999780 --> bf8c6c65] win32k!NtGdiLineTo
[ e2]: [bf999784 --> bf9494c8] win32k!NtGdiMakeFontDir
[ e3]: [bf999788 --> bf950bff] win32k!NtGdiMakeInfoDC
[ e4]: [bf99978c --> bf8386f2] win32k!NtGdiMaskBlt
[ e5]: [bf999790 --> bf8bc42c] win32k!NtGdiModifyWorldTransform
[ e6]: [bf999794 --> bf8e6752] win32k!NtGdiMonoBitmap
[ e7]: [bf999798 --> bf948799] win32k!NtGdiMoveTo
[ e8]: [bf99979c --> bf8fc39d] win32k!NtGdiOffsetClipRgn
[ e9]: [bf9997a0 --> bf8367a8] win32k!NtGdiOffsetRgn
[ ea]: [bf9997a4 --> bf838c10] win32k!NtGdiOpenDCW
[ eb]: [bf9997a8 --> bf8c49c1] win32k!NtGdiPatBlt
[ ec]: [bf9997ac --> bf82f42b] win32k!NtGdiPolyPatBlt
[ ed]: [bf9997b0 --> bf947560] win32k!NtGdiPathToRegion
[ ee]: [bf9997b4 --> bf94312d] win32k!NtGdiPlgBlt
[ ef]: [bf9997b8 --> bf947e87] win32k!NtGdiPolyDraw
[ f0]: [bf9997bc --> bf84ea6e] win32k!NtGdiPolyPolyDraw
[ f1]: [bf9997c0 --> bf947f84] win32k!NtGdiPolyTextOutW
[ f2]: [bf9997c4 --> bf948887] win32k!NtGdiPtInRegion
[ f3]: [bf9997c8 --> bf938958] win32k!NtGdiPtVisible
[ f4]: [bf9997cc --> bf9488a7] win32k!NtGdiQueryFonts
[ f5]: [bf9997d0 --> bf87c8cd] win32k!NtGdiQueryFontAssocInfo
[ f6]: [bf9997d4 --> bf8e3601] win32k!NtGdiRectangle
[ f7]: [bf9997d8 --> bf8ee042] win32k!NtGdiRectInRegion
[ f8]: [bf9997dc --> bf8351f2] win32k!NtGdiRectVisible
[ f9]: [bf9997e0 --> bf8d0ae2] win32k!NtGdiRemoveFontResourceW
[ fa]: [bf9997e4 --> bf948a8a] win32k!NtGdiRemoveFontMemResourceEx
[ fb]: [bf9997e8 --> bf8e3060] win32k!NtGdiResetDC
[ fc]: [bf9997ec --> bf94bfe2] win32k!NtGdiResizePalette
[ fd]: [bf9997f0 --> bf82e80f] win32k!NtGdiRestoreDC
[ fe]: [bf9997f4 --> bf90e07e] win32k!NtGdiRoundRect
[ ff]: [bf9997f8 --> bf82e81f] win32k!NtGdiSaveDC
[ 100]: [bf9997fc --> bf94131f] win32k!NtGdiScaleViewportExtEx
[ 101]: [bf999800 --> bf9491dc] win32k!NtGdiScaleWindowExtEx
[ 102]: [bf999804 --> bf808d86] win32k!GreSelectBitmap
[ 103]: [bf999808 --> bf948779] win32k!NtGdiSelectBrush
[ 104]: [bf99980c --> bf9009ce] win32k!NtGdiSelectClipPath
[ 105]: [bf999810 --> bf8210cb] win32k!NtGdiSelectFont
[ 106]: [bf999814 --> bf948789] win32k!NtGdiSelectPen
[ 107]: [bf999818 --> bf89d5f2] win32k!NtGdiSetBitmapAttributes
[ 108]: [bf99981c --> bf8c4309] win32k!NtGdiSetBitmapBits
[ 109]: [bf999820 --> bf9492ba] win32k!NtGdiSetBitmapDimension
[ 10a]: [bf999824 --> bf8bd9e4] win32k!NtGdiSetBoundsRect
[ 10b]: [bf999828 --> bf948827] win32k!NtGdiSetBrushAttributes
[ 10c]: [bf99982c --> bf8c43a7] win32k!NtGdiSetBrushOrg
[ 10d]: [bf999830 --> bf94866c] win32k!NtGdiSetColorAdjustment
[ 10e]: [bf999834 --> bf949e12] win32k!NtGdiSetColorSpace
[ 10f]: [bf999838 --> bf94a62b] win32k!NtGdiSetDeviceGammaRamp
[ 110]: [bf99983c --> bf82bbeb] win32k!NtGdiSetDIBitsToDeviceInternal
[ 111]: [bf999840 --> bf8b82ba] win32k!NtGdiSetFontEnumeration
[ 112]: [bf999844 --> bf8dce95] win32k!NtGdiSetFontXform
[ 113]: [bf999848 --> bf8c65a8] win32k!NtGdiSetIcmMode
[ 114]: [bf99984c --> bf8fabb9] win32k!NtGdiSetLinkedUFIs
[ 115]: [bf999850 --> bf94c26c] win32k!NtGdiSetMagicColors
[ 116]: [bf999854 --> bf8dcc14] win32k!NtGdiSetMetaRgn
[ 117]: [bf999858 --> bf8dcc36] win32k!NtGdiSetMiterLimit
[ 118]: [bf99985c --> bf9491cc] win32k!NtGdiGetDeviceWidth
[ 119]: [bf999860 --> bf9491bc] win32k!NtGdiMirrorWindowOrg
[ 11a]: [bf999864 --> bf82d1c9] win32k!NtGdiSetLayout
[ 11b]: [bf999868 --> bf8468af] win32k!NtGdiSetPixel
[ 11c]: [bf99986c --> bf952970] win32k!NtGdiSetPixelFormat
[ 11d]: [bf999870 --> bf948877] win32k!NtGdiSetRectRgn
[ 11e]: [bf999874 --> bf948817] win32k!NtGdiSetSystemPaletteUse
[ 11f]: [bf999878 --> bf951f36] win32k!NtGdiSetTextJustification
[ 120]: [bf99987c --> bf8992a6] win32k!NtGdiSetupPublicCFONT
[ 121]: [bf999880 --> bf8dca38] win32k!NtGdiSetVirtualResolution
[ 122]: [bf999884 --> bf8dcf06] win32k!NtGdiSetSizeDevice
[ 123]: [bf999888 --> bf9041c6] win32k!NtGdiStartDoc
[ 124]: [bf99988c --> bf90513f] win32k!NtGdiStartPage
[ 125]: [bf999890 --> bf881872] win32k!NtGdiStretchBlt
[ 126]: [bf999894 --> bf848dfd] win32k!NtGdiStretchDIBitsInternal
[ 127]: [bf999898 --> bf8ff549] win32k!NtGdiStrokeAndFillPath
[ 128]: [bf99989c --> bf947767] win32k!NtGdiStrokePath
[ 129]: [bf9998a0 --> bf952b18] win32k!NtGdiSwapBuffers
[ 12a]: [bf9998a4 --> bf8c4b54] win32k!NtGdiTransformPoints
[ 12b]: [bf9998a8 --> bf8bbdaf] win32k!NtGdiTransparentBlt
[ 12c]: [bf9998ac --> bf94939f] win32k!NtGdiUnloadPrinterDriver
[ 12d]: [bf9998b0 --> bf952dd6] win32k!NtGdiUnmapMemFont
[ 12e]: [bf9998b4 --> bf948867] win32k!NtGdiUnrealizeObject
[ 12f]: [bf9998b8 --> bf94c27c] win32k!NtGdiUpdateColors
[ 130]: [bf9998bc --> bf947648] win32k!NtGdiWidenPath
[ 131]: [bf9998c0 --> bf8855d0] win32k!NtUserActivateKeyboardLayout
[ 132]: [bf9998c4 --> bf88b0ee] win32k!NtUserAlterWindowStyle
[ 133]: [bf9998c8 --> bf9143f8] win32k!NtUserAssociateInputContext
[ 134]: [bf9998cc --> bf8f519c] win32k!NtUserAttachThreadInput
[ 135]: [bf9998d0 --> bf815a6d] win32k!NtUserBeginPaint
[ 136]: [bf9998d4 --> bf8f4c67] win32k!NtUserBitBltSysBmp
[ 137]: [bf9998d8 --> bf912d94] win32k!NtUserBlockInput
[ 138]: [bf9998dc --> bf91452f] win32k!NtUserBuildHimcList
[ 139]: [bf9998e0 --> bf8360b3] win32k!NtUserBuildHwndList
[ 13a]: [bf9998e4 --> bf86b9f4] win32k!NtUserBuildNameList
[ 13b]: [bf9998e8 --> bf912b57] win32k!NtUserBuildPropList
[ 13c]: [bf9998ec --> bf8c208c] win32k!NtUserCallHwnd
[ 13d]: [bf9998f0 --> bf8366ef] win32k!NtUserCallHwndLock
[ 13e]: [bf9998f4 --> bf89ac2c] win32k!NtUserCallHwndOpt
[ 13f]: [bf9998f8 --> bf8368e2] win32k!NtUserCallHwndParam
[ 140]: [bf9998fc --> bf828813] win32k!NtUserCallHwndParamLock
[ 141]: [bf999900 --> bf8f4b76] win32k!NtUserCallMsgFilter
[ 142]: [bf999904 --> bf8f655f] win32k!NtUserCallNextHookEx
[ 143]: [bf999908 --> bf8010df] win32k!NtUserCallNoParam
[ 144]: [bf99990c --> bf801097] win32k!NtUserCallOneParam
[ 145]: [bf999910 --> bf8368a2] win32k!NtUserCallTwoParam
[ 146]: [bf999914 --> bf8f974d] win32k!NtUserChangeClipboardChain
[ 147]: [bf999918 --> bf8b689c] win32k!NtUserChangeDisplaySettings
[ 148]: [bf99991c --> bf86c501] win32k!NtUserCheckImeHotKey
[ 149]: [bf999920 --> bf8cca4b] win32k!NtUserCheckMenuItem
[ 14a]: [bf999924 --> bf8940b7] win32k!NtUserChildWindowFromPointEx
[ 14b]: [bf999928 --> bf8fa9d9] win32k!NtUserClipCursor
[ 14c]: [bf99992c --> bf8f8609] win32k!NtUserCloseClipboard
[ 14d]: [bf999930 --> bf86b6cf] win32k!NtUserCloseDesktop
[ 14e]: [bf999934 --> bf86b791] win32k!NtUserCloseWindowStation
[ 14f]: [bf999938 --> bf87bdf0] win32k!NtUserConsoleControl
[ 150]: [bf99993c --> bf8ea9b4] win32k!NtUserConvertMemHandle
[ 151]: [bf999940 --> bf90d6b7] win32k!NtUserCopyAcceleratorTable
[ 152]: [bf999944 --> bf8f4c1b] win32k!NtUserCountClipboardFormats
[ 153]: [bf999948 --> bf84b4cf] win32k!NtUserCreateAcceleratorTable
[ 154]: [bf99994c --> bf8733b4] win32k!NtUserCreateCaret
[ 155]: [bf999950 --> bf89d1d8] win32k!NtUserCreateDesktop
[ 156]: [bf999954 --> bf91435e] win32k!NtUserCreateInputContext
[ 157]: [bf999958 --> bf8f9aa8] win32k!NtUserCreateLocalMemHandle
[ 158]: [bf99995c --> bf834af6] win32k!NtUserCreateWindowEx
[ 159]: [bf999960 --> bf89d949] win32k!NtUserCreateWindowStation
[ 15a]: [bf999964 --> bf911be1] win32k!NtUserDdeGetQualityOfService
[ 15b]: [bf999968 --> bf89b8dd] win32k!NtUserDdeInitialize
[ 15c]: [bf99996c --> bf911b11] win32k!NtUserDdeSetQualityOfService
[ 15d]: [bf999970 --> bf86c82e] win32k!NtUserDeferWindowPos
[ 15e]: [bf999974 --> bf86cbf4] win32k!NtUserDefSetText
[ 15f]: [bf999978 --> bf8737e0] win32k!NtUserDeleteMenu
[ 160]: [bf99997c --> bf8fa978] win32k!NtUserDestroyAcceleratorTable
[ 161]: [bf999980 --> bf835e37] win32k!NtUserDestroyCursor
[ 162]: [bf999984 --> bf9143ae] win32k!NtUserDestroyInputContext
[ 163]: [bf999988 --> bf845a1f] win32k!NtUserDestroyMenu
[ 164]: [bf99998c --> bf866c76] win32k!NtUserDestroyWindow
[ 165]: [bf999990 --> bf914b66] win32k!NtUserDisableThreadIme
[ 166]: [bf999994 --> bf80ed89] win32k!NtUserDispatchMessage
[ 167]: [bf999998 --> bf912c52] win32k!NtUserDragDetect
[ 168]: [bf99999c --> bf9110d5] win32k!NtUserDragObject
[ 169]: [bf9999a0 --> bf911db1] win32k!NtUserDrawAnimatedRects
[ 16a]: [bf9999a4 --> bf911e74] win32k!NtUserDrawCaption
[ 16b]: [bf9999a8 --> bf90b537] win32k!NtUserDrawCaptionTemp
[ 16c]: [bf9999ac --> bf83c221] win32k!NtUserDrawIconEx
[ 16d]: [bf9999b0 --> bf912e1f] win32k!NtUserDrawMenuBarTemp
[ 16e]: [bf9999b4 --> bf8ea639] win32k!NtUserEmptyClipboard
[ 16f]: [bf9999b8 --> bf8c550e] win32k!NtUserEnableMenuItem
[ 170]: [bf9999bc --> bf911a8c] win32k!NtUserEnableScrollBar
[ 171]: [bf9999c0 --> bf82cdb7] win32k!NtUserEndDeferWindowPosEx
[ 172]: [bf9999c4 --> bf911f1d] win32k!NtUserEndMenu
[ 173]: [bf9999c8 --> bf815724] win32k!NtUserEndPaint
[ 174]: [bf9999cc --> bf880b0c] win32k!NtUserEnumDisplayDevices
[ 175]: [bf9999d0 --> bf835801] win32k!NtUserEnumDisplayMonitors
[ 176]: [bf9999d4 --> bf8c0e17] win32k!NtUserEnumDisplaySettings
[ 177]: [bf9999d8 --> bf911362] win32k!NtUserEvent
[ 178]: [bf9999dc --> bf8f890a] win32k!NtUserExcludeUpdateRgn
[ 179]: [bf9999e0 --> bf8f4aad] win32k!NtUserFillWindow
[ 17a]: [bf9999e4 --> bf81b77e] win32k!NtUserFindExistingCursorIcon
[ 17b]: [bf9999e8 --> bf869562] win32k!NtUserFindWindowEx
[ 17c]: [bf9999ec --> bf914f55] win32k!NtUserFlashWindowEx
[ 17d]: [bf9999f0 --> bf8e885b] win32k!NtUserGetAltTabInfo
[ 17e]: [bf9999f4 --> bf82c9c9] win32k!NtUserGetAncestor
[ 17f]: [bf9999f8 --> bf914903] win32k!NtUserGetAppImeLevel
[ 180]: [bf9999fc --> bf87146d] win32k!NtUserGetAsyncKeyState
[ 181]: [bf999a00 --> bf834cd2] win32k!NtUserGetAtomName
[ 182]: [bf999a04 --> bf842297] win32k!NtUserGetCaretBlinkTime
[ 183]: [bf999a08 --> bf8c50b2] win32k!NtUserGetCaretPos
[ 184]: [bf999a0c --> bf843559] win32k!NtUserGetClassInfo
[ 185]: [bf999a10 --> bf82c6fa] win32k!NtUserGetClassName
[ 186]: [bf999a14 --> bf8f98e3] win32k!NtUserGetClipboardData
[ 187]: [bf999a18 --> bf8ee107] win32k!NtUserGetClipboardFormatName
[ 188]: [bf999a1c --> bf8ea72f] win32k!NtUserGetClipboardOwner
[ 189]: [bf999a20 --> bf8c4e6b] win32k!NtUserGetClipboardSequenceNumber
[ 18a]: [bf999a24 --> bf911f63] win32k!NtUserGetClipboardViewer
[ 18b]: [bf999a28 --> bf9119f4] win32k!NtUserGetClipCursor
[ 18c]: [bf999a2c --> bf91162a] win32k!NtUserGetComboBoxInfo
[ 18d]: [bf999a30 --> bf882d33] win32k!NtUserGetControlBrush
[ 18e]: [bf999a34 --> bf9075cb] win32k!NtUserGetControlColor
[ 18f]: [bf999a38 --> bf821662] win32k!NtUserGetCPD
[ 190]: [bf999a3c --> bf882fd2] win32k!NtUserGetCursorFrameInfo
[ 191]: [bf999a40 --> bf911747] win32k!NtUserGetCursorInfo
[ 192]: [bf999a44 --> bf804547] win32k!NtUserGetDC
[ 193]: [bf999a48 --> bf83a237] win32k!NtUserGetDCEx
[ 194]: [bf999a4c --> bf83b202] win32k!NtUserGetDoubleClickTime
[ 195]: [bf999a50 --> bf820d48] win32k!NtUserGetForegroundWindow
[ 196]: [bf999a54 --> bf91119e] win32k!NtUserGetGuiResources
[ 197]: [bf999a58 --> bf869f06] win32k!NtUserGetGUIThreadInfo
[ 198]: [bf999a5c --> bf842cc5] win32k!NtUserGetIconInfo
[ 199]: [bf999a60 --> bf842e15] win32k!NtUserGetIconSize
[ 19a]: [bf999a64 --> bf9147c1] win32k!NtUserGetImeHotKey
[ 19b]: [bf999a68 --> bf914631] win32k!NtUserGetImeInfoEx
[ 19c]: [bf999a6c --> bf9113f3] win32k!NtUserGetInternalWindowPos
[ 19d]: [bf999a70 --> bf835528] win32k!NtUserGetKeyboardLayoutList
[ 19e]: [bf999a74 --> bf8f5ff8] win32k!NtUserGetKeyboardLayoutName
[ 19f]: [bf999a78 --> bf87606e] win32k!NtUserGetKeyboardState
[ 1a0]: [bf999a7c --> bf90b884] win32k!NtUserGetKeyNameText
[ 1a1]: [bf999a80 --> bf820ff3] win32k!NtUserGetKeyState
[ 1a2]: [bf999a84 --> bf9116f3] win32k!NtUserGetListBoxInfo
[ 1a3]: [bf999a88 --> bf911844] win32k!NtUserGetMenuBarInfo
[ 1a4]: [bf999a8c --> bf911c9a] win32k!NtUserGetMenuIndex
[ 1a5]: [bf999a90 --> bf9127ce] win32k!NtUserGetMenuItemRect
[ 1a6]: [bf999a94 --> bf819fc9] win32k!NtUserGetMessage
[ 1a7]: [bf999a98 --> bf9124a9] win32k!NtUserGetMouseMovePointsEx
[ 1a8]: [bf999a9c --> bf81a241] win32k!NtUserGetObjectInformation
[ 1a9]: [bf999aa0 --> bf8f4bef] win32k!NtUserGetOpenClipboardWindow
[ 1aa]: [bf999aa4 --> bf911f8f] win32k!NtUserGetPriorityClipboardFormat
[ 1ab]: [bf999aa8 --> bf81a0ac] win32k!NtUserGetProcessWindowStation
[ 1ac]: [bf999aac --> bf9157d5] win32k!NtUserGetRawInputBuffer
[ 1ad]: [bf999ab0 --> bf9150d5] win32k!NtUserGetRawInputData
[ 1ae]: [bf999ab4 --> bf9152af] win32k!NtUserGetRawInputDeviceInfo
[ 1af]: [bf999ab8 --> bf9155a4] win32k!NtUserGetRawInputDeviceList
[ 1b0]: [bf999abc --> bf91579a] win32k!NtUserGetRegisteredRawInputDevices
[ 1b1]: [bf999ac0 --> bf84624e] win32k!NtUserGetScrollBarInfo
[ 1b2]: [bf999ac4 --> bf840ace] win32k!NtUserGetSystemMenu
[ 1b3]: [bf999ac8 --> bf81a4f7] win32k!NtUserGetThreadDesktop
[ 1b4]: [bf999acc --> bf823b41] win32k!NtUserGetThreadState
[ 1b5]: [bf999ad0 --> bf83a4c1] win32k!NtUserGetTitleBarInfo
[ 1b6]: [bf999ad4 --> bf83b02f] win32k!NtUserGetUpdateRect
[ 1b7]: [bf999ad8 --> bf8c51fa] win32k!NtUserGetUpdateRgn
[ 1b8]: [bf999adc --> bf803811] win32k!NtUserGetWindowDC
[ 1b9]: [bf999ae0 --> bf8f9b76] win32k!NtUserGetWindowPlacement
[ 1ba]: [bf999ae4 --> bf90da63] win32k!NtUserGetWOWClass
[ 1bb]: [bf999ae8 --> bf910fdf] win32k!NtUserHardErrorControl
[ 1bc]: [bf999aec --> bf82ce91] win32k!NtUserHideCaret
[ 1bd]: [bf999af0 --> bf912018] win32k!NtUserHiliteMenuItem
[ 1be]: [bf999af4 --> bf912dba] win32k!NtUserImpersonateDdeClientWindow
[ 1bf]: [bf999af8 --> bf8b1d7e] win32k!NtUserInitialize
[ 1c0]: [bf999afc --> bf8ac31e] win32k!NtUserInitializeClientPfnArrays
[ 1c1]: [bf999b00 --> bf9114d2] win32k!NtUserInitTask
[ 1c2]: [bf999b04 --> bf83a5bd] win32k!NtUserInternalGetWindowText
[ 1c3]: [bf999b08 --> bf814dbb] win32k!NtUserInvalidateRect
[ 1c4]: [bf999b0c --> bf8459c5] win32k!NtUserInvalidateRgn
[ 1c5]: [bf999b10 --> bf8c4e31] win32k!NtUserIsClipboardFormatAvailable
[ 1c6]: [bf999b14 --> bf80ea37] win32k!NtUserKillTimer
[ 1c7]: [bf999b18 --> bf891798] win32k!NtUserLoadKeyboardLayoutEx
[ 1c8]: [bf999b1c --> bf89d43a] win32k!NtUserLockWindowStation
[ 1c9]: [bf999b20 --> bf8cc992] win32k!NtUserLockWindowUpdate
[ 1ca]: [bf999b24 --> bf9110b8] win32k!NtUserLockWorkStation
[ 1cb]: [bf999b28 --> bf8c7e35] win32k!NtUserMapVirtualKeyEx
[ 1cc]: [bf999b2c --> bf9128a5] win32k!NtUserMenuItemFromPoint
[ 1cd]: [bf999b30 --> bf80efcd] win32k!NtUserMessageCall
[ 1ce]: [bf999b34 --> bf90f645] win32k!NtUserMinMaximize
[ 1cf]: [bf999b38 --> bf912168] win32k!NtUserMNDragLeave
[ 1d0]: [bf999b3c --> bf9120b8] win32k!NtUserMNDragOver
[ 1d1]: [bf999b40 --> bf8e3267] win32k!NtUserModifyUserStartupInfoFlags
[ 1d2]: [bf999b44 --> bf838ae5] win32k!NtUserMoveWindow
[ 1d3]: [bf999b48 --> bf914b01] win32k!NtUserNotifyIMEStatus
[ 1d4]: [bf999b4c --> bf87c3f2] win32k!NtUserNotifyProcessCreate
[ 1d5]: [bf999b50 --> bf8c54b9] win32k!NtUserNotifyWinEvent
[ 1d6]: [bf999b54 --> bf8f8586] win32k!NtUserOpenClipboard
[ 1d7]: [bf999b58 --> bf86b969] win32k!NtUserOpenDesktop
[ 1d8]: [bf999b5c --> bf899b89] win32k!NtUserOpenInputDesktop
[ 1d9]: [bf999b60 --> bf8f9dbe] win32k!NtUserOpenWindowStation
[ 1da]: [bf999b64 --> bf885886] win32k!NtUserPaintDesktop
[ 1db]: [bf999b68 --> bf803700] win32k!NtUserPeekMessage
[ 1dc]: [bf999b6c --> bf808b4d] win32k!NtUserPostMessage
[ 1dd]: [bf999b70 --> bf86bf40] win32k!NtUserPostThreadMessage
[ 1de]: [bf999b74 --> bf8b83bd] win32k!NtUserPrintWindow
[ 1df]: [bf999b78 --> bf87a14a] win32k!NtUserProcessConnect
[ 1e0]: [bf999b7c --> bf912937] win32k!NtUserQueryInformationThread
[ 1e1]: [bf999b80 --> bf9144ab] win32k!NtUserQueryInputContext
[ 1e2]: [bf999b84 --> bf912ce5] win32k!NtUserQuerySendMessage
[ 1e3]: [bf999b88 --> bf914c0a] win32k!NtUserQueryUserCounters
[ 1e4]: [bf999b8c --> bf803b9c] win32k!NtUserQueryWindow
[ 1e5]: [bf999b90 --> bf911806] win32k!NtUserRealChildWindowFromPoint
[ 1e6]: [bf999b94 --> bf899641] win32k!NtUserRealInternalGetMessage
[ 1e7]: [bf999b98 --> bf91270e] win32k!NtUserRealWaitMessageEx
[ 1e8]: [bf999b9c --> bf823d16] win32k!NtUserRedrawWindow
[ 1e9]: [bf999ba0 --> bf81f433] win32k!NtUserRegisterClassExWOW
[ 1ea]: [bf999ba4 --> bf89dd35] win32k!NtUserRegisterUserApiHook
[ 1eb]: [bf999ba8 --> bf8b7901] win32k!NtUserRegisterHotKey
[ 1ec]: [bf999bac --> bf9156ee] win32k!NtUserRegisterRawInputDevices
[ 1ed]: [bf999bb0 --> bf9115f6] win32k!NtUserRegisterTasklist
[ 1ee]: [bf999bb4 --> bf807b93] win32k!NtUserRegisterWindowMessage
[ 1ef]: [bf999bb8 --> bf8b82e5] win32k!NtUserRemoveMenu
[ 1f0]: [bf999bbc --> bf832c6e] win32k!NtUserRemoveProp
[ 1f1]: [bf999bc0 --> bf892189] win32k!NtUserResolveDesktop
[ 1f2]: [bf999bc4 --> bf9159e5] win32k!NtUserResolveDesktopForWOW
[ 1f3]: [bf999bc8 --> bf8460f5] win32k!NtUserSBGetParms
[ 1f4]: [bf999bcc --> bf879a5a] win32k!NtUserScrollDC
[ 1f5]: [bf999bd0 --> bf8e593a] win32k!NtUserScrollWindowEx
[ 1f6]: [bf999bd4 --> bf83856c] win32k!NtUserSelectPalette
[ 1f7]: [bf999bd8 --> bf8c33ab] win32k!NtUserSendInput
[ 1f8]: [bf999bdc --> bf8bacca] win32k!NtUserSetActiveWindow
[ 1f9]: [bf999be0 --> bf914898] win32k!NtUserSetAppImeLevel
[ 1fa]: [bf999be4 --> bf8724da] win32k!NtUserSetCapture
[ 1fb]: [bf999be8 --> bf845c62] win32k!NtUserSetClassLong
[ 1fc]: [bf999bec --> bf912185] win32k!NtUserSetClassWord
[ 1fd]: [bf999bf0 --> bf8ea8d8] win32k!NtUserSetClipboardData
[ 1fe]: [bf999bf4 --> bf8f9663] win32k!NtUserSetClipboardViewer
[ 1ff]: [bf999bf8 --> bf88636b] win32k!NtUserSetConsoleReserveKeys
[ 200]: [bf999bfc --> bf82126e] win32k!NtUserSetCursor
[ 201]: [bf999c00 --> bf912787] win32k!NtUserSetCursorContents
[ 202]: [bf999c04 --> bf842fa4] win32k!NtUserSetCursorIconData
[ 203]: [bf999c08 --> bf911d1d] win32k!NtUserSetDbgTag
[ 204]: [bf999c0c --> bf83a9b3] win32k!NtUserSetFocus
[ 205]: [bf999c10 --> bf8916c2] win32k!NtUserSetImeHotKey
[ 206]: [bf999c14 --> bf914716] win32k!NtUserSetImeInfoEx
[ 207]: [bf999c18 --> bf91496d] win32k!NtUserSetImeOwnerWindow
[ 208]: [bf999c1c --> bf87c056] win32k!NtUserSetInformationProcess
[ 209]: [bf999c20 --> bf886135] win32k!NtUserSetInformationThread
[ 20a]: [bf999c24 --> bf911913] win32k!NtUserSetInternalWindowPos
[ 20b]: [bf999c28 --> bf8f89ea] win32k!NtUserSetKeyboardState
[ 20c]: [bf999c2c --> bf8a5d53] win32k!NtUserSetLogonNotifyWindow
[ 20d]: [bf999c30 --> bf90b74a] win32k!NtUserSetMenu
[ 20e]: [bf999c34 --> bf911d40] win32k!NtUserSetMenuContextHelpId
[ 20f]: [bf999c38 --> bf8b827a] win32k!NtUserSetMenuDefaultItem
[ 210]: [bf999c3c --> bf911d7d] win32k!NtUserSetMenuFlagRtoL
[ 211]: [bf999c40 --> bf91102a] win32k!NtUserSetObjectInformation
[ 212]: [bf999c44 --> bf882afc] win32k!NtUserSetParent
[ 213]: [bf999c48 --> bf86bd5b] win32k!NtUserSetProcessWindowStation
[ 214]: [bf999c4c --> bf82847c] win32k!NtUserSetProp
[ 215]: [bf999c50 --> bf911cfa] win32k!NtUserSetRipFlags
[ 216]: [bf999c54 --> bf80e774] win32k!NtUserSetScrollInfo
[ 217]: [bf999c58 --> bf89a417] win32k!NtUserSetShellWindowEx
[ 218]: [bf999c5c --> bf9121c0] win32k!NtUserSetSysColors
[ 219]: [bf999c60 --> bf91274e] win32k!NtUserSetSystemCursor
[ 21a]: [bf999c64 --> bf8f61bb] win32k!NtUserSetSystemMenu
[ 21b]: [bf999c68 --> bf912cac] win32k!NtUserSetSystemTimer
[ 21c]: [bf999c6c --> bf86bdb3] win32k!NtUserSetThreadDesktop
[ 21d]: [bf999c70 --> bf914a80] win32k!NtUserSetThreadLayoutHandles
[ 21e]: [bf999c74 --> bf882cf7] win32k!NtUserSetThreadState
[ 21f]: [bf999c78 --> bf803aab] win32k!NtUserSetTimer
[ 220]: [bf999c7c --> bf882ba7] win32k!NtUserSetWindowFNID
[ 221]: [bf999c80 --> bf832d7e] win32k!NtUserSetWindowLong
[ 222]: [bf999c84 --> bf88d87b] win32k!NtUserSetWindowPlacement
[ 223]: [bf999c88 --> bf828223] win32k!NtUserSetWindowPos
[ 224]: [bf999c8c --> bf840823] win32k!NtUserSetWindowRgn
[ 225]: [bf999c90 --> bf88e300] win32k!NtUserSetWindowsHookAW
[ 226]: [bf999c94 --> bf8ba057] win32k!NtUserSetWindowsHookEx
[ 227]: [bf999c98 --> bf89d2d7] win32k!NtUserSetWindowStationUser
[ 228]: [bf999c9c --> bf8f8f9b] win32k!NtUserSetWindowWord
[ 229]: [bf999ca0 --> bf8edb64] win32k!NtUserSetWinEventHook
[ 22a]: [bf999ca4 --> bf82cef3] win32k!NtUserShowCaret
[ 22b]: [bf999ca8 --> bf8c5730] win32k!NtUserShowScrollBar
[ 22c]: [bf999cac --> bf83513b] win32k!NtUserShowWindow
[ 22d]: [bf999cb0 --> bf89207c] win32k!NtUserShowWindowAsync
[ 22e]: [bf999cb4 --> bf8e32d5] win32k!NtUserSoundSentry
[ 22f]: [bf999cb8 --> bf89a6ac] win32k!NtUserSwitchDesktop
[ 230]: [bf999cbc --> bf81e8e3] win32k!NtUserSystemParametersInfo
[ 231]: [bf999cc0 --> bf90dbee] win32k!NtUserTestForInteractiveUser
[ 232]: [bf999cc4 --> bf8f611c] win32k!NtUserThunkedMenuInfo
[ 233]: [bf999cc8 --> bf83fc0d] win32k!NtUserThunkedMenuItemInfo
[ 234]: [bf999ccc --> bf912559] win32k!NtUserToUnicodeEx
[ 235]: [bf999cd0 --> bf86c580] win32k!NtUserTrackMouseEvent
[ 236]: [bf999cd4 --> bf912376] win32k!NtUserTrackPopupMenuEx
[ 237]: [bf999cd8 --> bf83a728] win32k!NtUserCalcMenuBar
[ 238]: [bf999cdc --> bf8eef29] win32k!NtUserPaintMenuBar
[ 239]: [bf999ce0 --> bf8f81f3] win32k!NtUserTranslateAccelerator
[ 23a]: [bf999ce4 --> bf870be0] win32k!NtUserTranslateMessage
[ 23b]: [bf999ce8 --> bf8ba646] win32k!NtUserUnhookWindowsHookEx
[ 23c]: [bf999cec --> bf8edc3f] win32k!NtUserUnhookWinEvent
[ 23d]: [bf999cf0 --> bf912c24] win32k!NtUserUnloadKeyboardLayout
[ 23e]: [bf999cf4 --> bf8911ed] win32k!NtUserUnlockWindowStation
[ 23f]: [bf999cf8 --> bf81fd00] win32k!NtUserUnregisterClass
[ 240]: [bf999cfc --> bf89d748] win32k!NtUserUnregisterUserApiHook
[ 241]: [bf999d00 --> bf91246c] win32k!NtUserUnregisterHotKey
[ 242]: [bf999d04 --> bf91445b] win32k!NtUserUpdateInputContext
[ 243]: [bf999d08 --> bf9112cd] win32k!NtUserUpdateInstance
[ 244]: [bf999d0c --> bf874e3f] win32k!NtUserUpdateLayeredWindow
[ 245]: [bf999d10 --> bf915017] win32k!NtUserGetLayeredWindowAttributes
[ 246]: [bf999d14 --> bf845afb] win32k!NtUserSetLayeredWindowAttributes
[ 247]: [bf999d18 --> bf8a2f52] win32k!NtUserUpdatePerUserSystemParameters
[ 248]: [bf999d1c --> bf91297e] win32k!NtUserUserHandleGrantAccess
[ 249]: [bf999d20 --> bf8018ac] win32k!NtUserValidateHandleSecure
[ 24a]: [bf999d24 --> bf8f8bd9] win32k!NtUserValidateRect
[ 24b]: [bf999d28 --> bf807eba] win32k!NtUserValidateTimerCallback
[ 24c]: [bf999d2c --> bf8c3d69] win32k!NtUserVkKeyScanEx
[ 24d]: [bf999d30 --> bf90d432] win32k!NtUserWaitForInputIdle
[ 24e]: [bf999d34 --> bf90c444] win32k!NtUserWaitForMsgAndEvent
[ 24f]: [bf999d38 --> bf8037a7] win32k!NtUserWaitMessage
[ 250]: [bf999d3c --> bf911020] win32k!NtUserWin32PoolAllocationStats
[ 251]: [bf999d40 --> bf821530] win32k!NtUserWindowFromPoint
[ 252]: [bf999d44 --> bf90db86] win32k!NtUserYieldTask
[ 253]: [bf999d48 --> bf899f9e] win32k!NtUserRemoteConnect
[ 254]: [bf999d4c --> bf910ea7] win32k!NtUserRemoteRedrawRectangle
[ 255]: [bf999d50 --> bf910ef4] win32k!NtUserRemoteRedrawScreen
[ 256]: [bf999d54 --> bf910f48] win32k!NtUserRemoteStopScreenUpdates
[ 257]: [bf999d58 --> bf910f95] win32k!NtUserCtxDisplayIOCtl
[ 258]: [bf999d5c --> bf8fbcf2] win32k!NtGdiEngAssociateSurface
[ 259]: [bf999d60 --> bf8fc6a2] win32k!NtGdiEngCreateBitmap
[ 25a]: [bf999d64 --> bf8fbcbf] win32k!NtGdiEngCreateDeviceSurface
[ 25b]: [bf999d68 --> bf952de1] win32k!NtGdiEngCreateDeviceBitmap
[ 25c]: [bf999d6c --> bf8defe9] win32k!NtGdiEngCreatePalette
[ 25d]: [bf999d70 --> bf90635f] win32k!NtGdiEngComputeGlyphSet
[ 25e]: [bf999d74 --> bf952f37] win32k!NtGdiEngCopyBits
[ 25f]: [bf999d78 --> bf8dfb75] win32k!NtGdiEngDeletePalette
[ 260]: [bf999d7c --> bf8fbc45] win32k!NtGdiEngDeleteSurface
[ 261]: [bf999d80 --> bf953d9a] win32k!NtGdiEngEraseSurface
[ 262]: [bf999d84 --> bf8ffefb] win32k!NtGdiEngUnlockSurface
[ 263]: [bf999d88 --> bf8fc0f7] win32k!NtGdiEngLockSurface
[ 264]: [bf999d8c --> bf904ee3] win32k!NtGdiEngBitBlt
[ 265]: [bf999d90 --> bf9002d4] win32k!NtGdiEngStretchBlt
[ 266]: [bf999d94 --> bf95332f] win32k!NtGdiEngPlgBlt
[ 267]: [bf999d98 --> bf8fc798] win32k!NtGdiEngMarkBandingSurface
[ 268]: [bf999d9c --> bf8fd592] win32k!NtGdiEngStrokePath
[ 269]: [bf999da0 --> bf953526] win32k!NtGdiEngFillPath
[ 26a]: [bf999da4 --> bf8fe227] win32k!NtGdiEngStrokeAndFillPath
[ 26b]: [bf999da8 --> bf953691] win32k!NtGdiEngPaint
[ 26c]: [bf999dac --> bf9537ad] win32k!NtGdiEngLineTo
[ 26d]: [bf999db0 --> bf9538d6] win32k!NtGdiEngAlphaBlend
[ 26e]: [bf999db4 --> bf953a55] win32k!NtGdiEngGradientFill
[ 26f]: [bf999db8 --> bf953c2e] win32k!NtGdiEngTransparentBlt
[ 270]: [bf999dbc --> bf8fed98] win32k!NtGdiEngTextOut
[ 271]: [bf999dc0 --> bf9530d3] win32k!NtGdiEngStretchBltROP
[ 272]: [bf999dc4 --> bf95454c] win32k!NtGdiXLATEOBJ_cGetPalette
[ 273]: [bf999dc8 --> bf954608] win32k!NtGdiXLATEOBJ_iXlate
[ 274]: [bf999dcc --> bf9544fe] win32k!NtGdiXLATEOBJ_hGetColorTransform
[ 275]: [bf999dd0 --> bf8fda8f] win32k!NtGdiCLIPOBJ_bEnum
[ 276]: [bf999dd4 --> bf8fdb3c] win32k!NtGdiCLIPOBJ_cEnumStart
[ 277]: [bf999dd8 --> bf953e64] win32k!NtGdiCLIPOBJ_ppoGetPath
[ 278]: [bf999ddc --> bf953ea2] win32k!NtGdiEngDeletePath
[ 279]: [bf999de0 --> bf953edc] win32k!NtGdiEngCreateClip
[ 27a]: [bf999de4 --> bf953f0e] win32k!NtGdiEngDeleteClip
[ 27b]: [bf999de8 --> bf8fd0fa] win32k!NtGdiBRUSHOBJ_ulGetBrushColor
[ 27c]: [bf999dec --> bf953f48] win32k!NtGdiBRUSHOBJ_pvAllocRbrush
[ 27d]: [bf999df0 --> bf953f99] win32k!NtGdiBRUSHOBJ_pvGetRbrush
[ 27e]: [bf999df4 --> bf9063e5] win32k!NtGdiBRUSHOBJ_hGetColorTransform
[ 27f]: [bf999df8 --> bf905d2e] win32k!NtGdiXFORMOBJ_bApplyXform
[ 280]: [bf999dfc --> bf8fafef] win32k!NtGdiXFORMOBJ_iGetXform
[ 281]: [bf999e00 --> bf905eef] win32k!NtGdiFONTOBJ_vGetInfo
[ 282]: [bf999e04 --> bf8faf55] win32k!NtGdiFONTOBJ_pxoGetXform
[ 283]: [bf999e08 --> bf905993] win32k!NtGdiFONTOBJ_cGetGlyphs
[ 284]: [bf999e0c --> bf8fb160] win32k!NtGdiFONTOBJ_pifi
[ 285]: [bf999e10 --> bf9546c3] win32k!NtGdiFONTOBJ_pfdg
[ 286]: [bf999e14 --> bf9547ca] win32k!NtGdiFONTOBJ_pQueryGlyphAttrs
[ 287]: [bf999e18 --> bf95442e] win32k!NtGdiFONTOBJ_pvTrueTypeFontFile
[ 288]: [bf999e1c --> bf953fe7] win32k!NtGdiFONTOBJ_cGetAllGlyphHandles
[ 289]: [bf999e20 --> bf9548a2] win32k!NtGdiSTROBJ_bEnum
[ 28a]: [bf999e24 --> bf90611d] win32k!NtGdiSTROBJ_bEnumPositionsOnly
[ 28b]: [bf999e28 --> bf8fb273] win32k!NtGdiSTROBJ_bGetAdvanceWidths
[ 28c]: [bf999e2c --> bf90613b] win32k!NtGdiSTROBJ_vEnumStart
[ 28d]: [bf999e30 --> bf9540b2] win32k!NtGdiSTROBJ_dwGetCodePage
[ 28e]: [bf999e34 --> bf9541a3] win32k!NtGdiPATHOBJ_vGetBounds
[ 28f]: [bf999e38 --> bf9548c0] win32k!NtGdiPATHOBJ_bEnum
[ 290]: [bf999e3c --> bf954234] win32k!NtGdiPATHOBJ_vEnumStart
[ 291]: [bf999e40 --> bf954278] win32k!NtGdiPATHOBJ_vEnumStartClipLines
[ 292]: [bf999e44 --> bf954325] win32k!NtGdiPATHOBJ_bEnumClipLines
[ 293]: [bf999e48 --> bf952daf] win32k!NtGdiGetDhpdev
[ 294]: [bf999e4c --> bf95465a] win32k!NtGdiEngCheckAbort
[ 295]: [bf999e50 --> bf9057d8] win32k!NtGdiHT_Get8BPPFormatPalette
[ 296]: [bf999e54 --> bf952e23] win32k!NtGdiHT_Get8BPPMaskPalette
[ 297]: [bf999e58 --> bf9414e4] win32k!NtGdiUpdateTransform
[ 298]: [bf999e5c --> bf8dd701] win32k!NtGdiSetPUMPDOBJ
[ 299]: [bf999e60 --> bf954100] win32k!NtGdiBRUSHOBJ_DeleteRbrush
[ 29a]: [bf999e64 --> bf952dd6] win32k!NtGdiUnmapMemFont
[ 29b]: [bf999e68 --> bf8177ad] win32k!NtGdiDrawStream