You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1614 lines
42 KiB
1614 lines
42 KiB
#undef RtlMoveMemory
|
|
#undef RtlCopyMemory
|
|
#undef RtlFillMemory
|
|
#undef RtlZeroMemory
|
|
NAME ntoskrnl.exe
|
|
|
|
EXPORTS
|
|
CcCanIWrite
|
|
CcCopyRead
|
|
CcCopyWrite
|
|
CcDeferWrite
|
|
CcFastCopyRead
|
|
CcFastCopyWrite
|
|
CcFastMdlReadWait CONSTANT // Data - use pointer for access
|
|
CcFastReadNotPossible CONSTANT // Data - use pointer for access
|
|
CcFastReadWait CONSTANT // Data - use pointer for access
|
|
CcFlushCache
|
|
CcGetDirtyPages
|
|
CcGetFileObjectFromBcb
|
|
CcGetFileObjectFromSectionPtrs
|
|
CcGetFlushedValidData
|
|
CcGetLsnForFileObject
|
|
CcInitializeCacheMap
|
|
CcIsThereDirtyData
|
|
CcMapData
|
|
CcMdlRead
|
|
CcMdlReadComplete
|
|
CcMdlWriteAbort
|
|
CcMdlWriteComplete
|
|
CcPinMappedData
|
|
CcPinRead
|
|
CcPrepareMdlWrite
|
|
CcPreparePinWrite
|
|
CcPurgeCacheSection
|
|
CcRemapBcb
|
|
CcRepinBcb
|
|
CcScheduleReadAhead
|
|
CcSetAdditionalCacheAttributes
|
|
CcSetBcbOwnerPointer
|
|
CcSetDirtyPageThreshold
|
|
CcSetDirtyPinnedData
|
|
CcSetFileSizes
|
|
CcSetLogHandleForFile
|
|
CcSetReadAheadGranularity
|
|
CcUninitializeCacheMap
|
|
CcUnpinData
|
|
CcUnpinDataForThread
|
|
CcUnpinRepinnedBcb
|
|
CcWaitForCurrentLazyWriterActivity
|
|
CcZeroData
|
|
CmRegisterCallback
|
|
CmUnRegisterCallback
|
|
DbgBreakPoint
|
|
DbgBreakPointWithStatus
|
|
DbgCommandString
|
|
DbgLoadImageSymbols
|
|
DbgPrint
|
|
DbgPrintEx
|
|
vDbgPrintEx
|
|
vDbgPrintExWithPrefix
|
|
DbgPrintReturnControlC
|
|
DbgPrompt
|
|
DbgQueryDebugFilterState
|
|
DbgSetDebugFilterState
|
|
ExAcquireFastMutexUnsafe
|
|
ExAcquireResourceExclusiveLite
|
|
ExAcquireResourceSharedLite
|
|
ExAcquireSharedStarveExclusive
|
|
ExAcquireSharedWaitForExclusive
|
|
ExAcquireRundownProtection=ExfAcquireRundownProtection
|
|
ExAcquireRundownProtectionEx
|
|
ExReleaseRundownProtection=ExfReleaseRundownProtection
|
|
ExReleaseRundownProtectionEx
|
|
ExWaitForRundownProtectionRelease=ExfWaitForRundownProtectionRelease
|
|
ExInitializeRundownProtection=ExfInitializeRundownProtection
|
|
ExReInitializeRundownProtection=ExfReInitializeRundownProtection
|
|
ExRundownCompleted=ExfRundownCompleted
|
|
ExfAcquirePushLockExclusive
|
|
ExfAcquirePushLockShared
|
|
ExfReleasePushLock
|
|
ExfUnblockPushLock
|
|
ExAllocatePool
|
|
ExAllocatePoolWithQuota
|
|
ExAllocatePoolWithQuotaTag
|
|
ExAllocatePoolWithTag
|
|
ExAllocatePoolWithTagPriority
|
|
ExConvertExclusiveToSharedLite
|
|
ExCreateCallback
|
|
ExDeleteNPagedLookasideList
|
|
ExDeletePagedLookasideList
|
|
ExDeleteResourceLite
|
|
ExDesktopObjectType CONSTANT // Data - use pointer for access
|
|
ExDisableResourceBoostLite
|
|
ExEnumHandleTable
|
|
ExEventObjectType CONSTANT // Data - use pointer for access
|
|
ExExtendZone
|
|
ExFreePool
|
|
ExFreePoolWithTag
|
|
ExGetCurrentProcessorCounts
|
|
ExGetCurrentProcessorCpuUsage
|
|
ExGetExclusiveWaiterCount
|
|
ExGetPreviousMode
|
|
ExGetSharedWaiterCount
|
|
ExInitializeNPagedLookasideList
|
|
ExInitializePagedLookasideList
|
|
ExInitializeResourceLite
|
|
ExInitializeZone
|
|
ExInterlockedAddLargeInteger
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
ExInterlockedAddLargeStatistic
|
|
|
|
#endif
|
|
|
|
ExInterlockedAddUlong
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
ExInterlockedDecrementLong
|
|
ExInterlockedExchangeUlong
|
|
|
|
#endif
|
|
|
|
ExInterlockedExtendZone
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
ExInterlockedIncrementLong
|
|
|
|
#endif
|
|
|
|
ExInterlockedInsertHeadList
|
|
ExInterlockedInsertTailList
|
|
ExInterlockedPopEntryList
|
|
ExInterlockedPushEntryList
|
|
ExInterlockedRemoveHeadList
|
|
ExIsProcessorFeaturePresent
|
|
ExIsResourceAcquiredExclusiveLite
|
|
ExIsResourceAcquiredSharedLite
|
|
ExLocalTimeToSystemTime
|
|
ExNotifyCallback
|
|
ExQueryPoolBlockSize
|
|
ExQueueWorkItem
|
|
ExRaiseAccessViolation
|
|
ExRaiseDatatypeMisalignment
|
|
ExRaiseHardError
|
|
|
|
#if defined(_AMD64_) || defined(_IA64_)
|
|
|
|
ExRaiseException = RtlRaiseException
|
|
ExRaiseStatus = RtlRaiseStatus
|
|
|
|
#else
|
|
|
|
ExRaiseException
|
|
ExRaiseStatus
|
|
|
|
#endif
|
|
|
|
ExRegisterCallback
|
|
ExReinitializeResourceLite
|
|
ExReleaseFastMutexUnsafe
|
|
ExReleaseResourceForThreadLite
|
|
ExReleaseResourceLite
|
|
ExSemaphoreObjectType CONSTANT // Data - use pointer for access
|
|
ExSetResourceOwnerPointer
|
|
ExSetTimerResolution
|
|
ExSystemExceptionFilter
|
|
ExSystemTimeToLocalTime
|
|
// ExTryToAcquireFastMutexUnsafe
|
|
ExUnregisterCallback
|
|
ExUuidCreate
|
|
ExVerifySuite
|
|
ExWindowStationObjectType CONSTANT // Data - use pointer for access
|
|
FsRtlAcquireFileExclusive
|
|
FsRtlAddBaseMcbEntry
|
|
FsRtlAddLargeMcbEntry
|
|
FsRtlAddMcbEntry
|
|
FsRtlAddToTunnelCache
|
|
FsRtlAllocateFileLock
|
|
FsRtlAllocatePool
|
|
FsRtlAllocatePoolWithQuota
|
|
FsRtlAllocatePoolWithQuotaTag
|
|
FsRtlAllocatePoolWithTag
|
|
FsRtlAllocateResource
|
|
FsRtlAreNamesEqual
|
|
FsRtlBalanceReads
|
|
FsRtlCheckLockForReadAccess
|
|
FsRtlCheckLockForWriteAccess
|
|
FsRtlCheckOplock
|
|
FsRtlCopyRead
|
|
FsRtlCopyWrite
|
|
FsRtlCurrentBatchOplock
|
|
FsRtlDeleteKeyFromTunnelCache
|
|
FsRtlDeleteTunnelCache
|
|
FsRtlDeregisterUncProvider
|
|
FsRtlDissectDbcs
|
|
FsRtlDissectName
|
|
FsRtlDoesDbcsContainWildCards
|
|
FsRtlDoesNameContainWildCards
|
|
FsRtlFastCheckLockForRead
|
|
FsRtlFastCheckLockForWrite
|
|
FsRtlFastUnlockAll
|
|
FsRtlFastUnlockAllByKey
|
|
FsRtlFastUnlockSingle
|
|
FsRtlFindInTunnelCache
|
|
FsRtlFreeFileLock
|
|
FsRtlGetFileSize
|
|
FsRtlGetNextBaseMcbEntry
|
|
FsRtlGetNextFileLock
|
|
FsRtlGetNextLargeMcbEntry
|
|
FsRtlGetNextMcbEntry
|
|
FsRtlIncrementCcFastReadNotPossible
|
|
FsRtlIncrementCcFastReadNoWait
|
|
FsRtlIncrementCcFastReadResourceMiss
|
|
FsRtlIncrementCcFastReadWait
|
|
FsRtlInitializeBaseMcb
|
|
FsRtlInitializeFileLock
|
|
FsRtlInitializeLargeMcb
|
|
FsRtlInitializeMcb
|
|
FsRtlInitializeOplock
|
|
FsRtlInitializeTunnelCache
|
|
FsRtlInsertPerStreamContext
|
|
FsRtlInsertPerFileObjectContext
|
|
FsRtlIsDbcsInExpression
|
|
FsRtlIsFatDbcsLegal
|
|
FsRtlIsHpfsDbcsLegal
|
|
FsRtlIsNameInExpression
|
|
FsRtlIsNtstatusExpected
|
|
FsRtlIsPagingFile
|
|
FsRtlIsTotalDeviceFailure
|
|
FsRtlLegalAnsiCharacterArray CONSTANT // Data - use pointer for access
|
|
FsRtlLookupBaseMcbEntry
|
|
FsRtlLookupLargeMcbEntry
|
|
FsRtlLookupLastBaseMcbEntry
|
|
FsRtlLookupLastBaseMcbEntryAndIndex
|
|
FsRtlLookupLastLargeMcbEntry
|
|
FsRtlLookupLastLargeMcbEntryAndIndex
|
|
FsRtlLookupLastMcbEntry
|
|
FsRtlLookupMcbEntry
|
|
FsRtlLookupPerStreamContextInternal
|
|
FsRtlLookupPerFileObjectContext
|
|
FsRtlMdlRead
|
|
FsRtlMdlReadComplete
|
|
FsRtlMdlReadCompleteDev
|
|
FsRtlMdlReadDev
|
|
FsRtlMdlWriteComplete
|
|
FsRtlMdlWriteCompleteDev
|
|
FsRtlNormalizeNtstatus
|
|
FsRtlNotifyChangeDirectory
|
|
FsRtlNotifyCleanup
|
|
FsRtlNotifyFullChangeDirectory
|
|
FsRtlNotifyFullReportChange
|
|
FsRtlNotifyFilterChangeDirectory
|
|
FsRtlNotifyFilterReportChange
|
|
FsRtlNotifyInitializeSync
|
|
FsRtlNotifyReportChange
|
|
FsRtlNotifyUninitializeSync
|
|
FsRtlNotifyVolumeEvent
|
|
FsRtlNumberOfRunsInBaseMcb
|
|
FsRtlNumberOfRunsInLargeMcb
|
|
FsRtlNumberOfRunsInMcb
|
|
FsRtlOplockFsctrl
|
|
FsRtlOplockIsFastIoPossible
|
|
FsRtlPostPagingFileStackOverflow
|
|
FsRtlPostStackOverflow
|
|
FsRtlPrepareMdlWrite
|
|
FsRtlPrepareMdlWriteDev
|
|
FsRtlPrivateLock
|
|
FsRtlProcessFileLock
|
|
FsRtlRegisterUncProvider
|
|
FsRtlRegisterFileSystemFilterCallbacks
|
|
FsRtlReleaseFile
|
|
FsRtlRemovePerStreamContext
|
|
FsRtlRemovePerFileObjectContext
|
|
FsRtlRemoveBaseMcbEntry
|
|
FsRtlRemoveLargeMcbEntry
|
|
FsRtlRemoveMcbEntry
|
|
FsRtlResetBaseMcb
|
|
FsRtlResetLargeMcb
|
|
FsRtlSplitBaseMcb
|
|
FsRtlSplitLargeMcb
|
|
FsRtlSyncVolumes
|
|
FsRtlTeardownPerStreamContexts
|
|
FsRtlTruncateBaseMcb
|
|
FsRtlTruncateLargeMcb
|
|
FsRtlTruncateMcb
|
|
FsRtlUninitializeBaseMcb
|
|
FsRtlUninitializeFileLock
|
|
FsRtlUninitializeLargeMcb
|
|
FsRtlUninitializeMcb
|
|
FsRtlUninitializeOplock
|
|
HalDispatchTable CONSTANT // Data - use pointer for access
|
|
HalExamineMBR
|
|
HalPrivateDispatchTable CONSTANT // Data - use pointer for access
|
|
HeadlessDispatch
|
|
InbvCheckDisplayOwnership
|
|
InbvNotifyDisplayOwnershipLost
|
|
InbvAcquireDisplayOwnership
|
|
InbvDisplayString
|
|
InbvEnableBootDriver
|
|
InbvEnableDisplayString
|
|
InbvInstallDisplayStringFilter
|
|
InbvIsBootDriverInstalled
|
|
InbvResetDisplay
|
|
InbvSetScrollRegion
|
|
InbvSetTextColor
|
|
InbvSolidColorFill
|
|
InitSafeBootMode CONSTANT // Data - use pointer for access
|
|
IoAcquireCancelSpinLock
|
|
IoAcquireRemoveLockEx
|
|
IoAcquireVpbSpinLock
|
|
IoAdapterObjectType CONSTANT // Data - use pointer for access
|
|
IoAllocateAdapterChannel
|
|
IoAllocateController
|
|
IoAllocateDriverObjectExtension
|
|
IoAllocateErrorLogEntry
|
|
IoAllocateIrp
|
|
IoAllocateMdl
|
|
IoAllocateWorkItem
|
|
IoAssignDriveLetters
|
|
IoAssignResources
|
|
IoAttachDevice
|
|
IoAttachDeviceByPointer
|
|
IoAttachDeviceToDeviceStack
|
|
IoAttachDeviceToDeviceStackSafe
|
|
IoBuildAsynchronousFsdRequest
|
|
IoBuildDeviceIoControlRequest
|
|
IoBuildPartialMdl
|
|
IoBuildSynchronousFsdRequest
|
|
IoCallDriver
|
|
IoCancelIrp
|
|
IoCancelFileOpen
|
|
IoCheckDesiredAccess
|
|
IoCheckEaBufferValidity
|
|
IoCheckFunctionAccess
|
|
IoCheckQuerySetFileInformation
|
|
IoCheckQuerySetVolumeInformation
|
|
IoCheckQuotaBufferValidity
|
|
IoCheckShareAccess
|
|
IoCompleteRequest
|
|
IoConnectInterrupt
|
|
IoCreateController
|
|
IoCreateDevice
|
|
IoCreateDisk
|
|
IoCreateDriver
|
|
IoCreateFile
|
|
IoCreateFileSpecifyDeviceObjectHint
|
|
IoCreateNotificationEvent
|
|
IoCreateStreamFileObject
|
|
IoCreateStreamFileObjectEx
|
|
IoCreateStreamFileObjectLite
|
|
IoCreateSymbolicLink
|
|
IoCreateSynchronizationEvent
|
|
IoCreateUnprotectedSymbolicLink
|
|
IoCsqInitialize
|
|
IoCsqInitializeEx
|
|
IoCsqInsertIrp
|
|
IoCsqInsertIrpEx
|
|
IoCsqRemoveIrp
|
|
IoCsqRemoveNextIrp
|
|
IoDeleteController
|
|
IoDeleteDevice
|
|
IoDeleteDriver
|
|
IoDeleteSymbolicLink
|
|
IoDetachDevice
|
|
IoDeviceHandlerObjectSize CONSTANT // Data - use pointer for access
|
|
IoDeviceHandlerObjectType CONSTANT // Data - use pointer for access
|
|
IoDeviceObjectType CONSTANT // Data - use pointer for access
|
|
IoDisconnectInterrupt
|
|
IoDriverObjectType CONSTANT // Data - use pointer for access
|
|
IoEnqueueIrp
|
|
IoFastQueryNetworkAttributes
|
|
IoFileObjectType CONSTANT // Data - use pointer for access
|
|
IoForwardIrpSynchronously
|
|
IoForwardAndCatchIrp=IoForwardIrpSynchronously
|
|
IoFreeController
|
|
IoFreeErrorLogEntry
|
|
IoFreeIrp
|
|
IoFreeMdl
|
|
IoFreeWorkItem
|
|
IoGetAttachedDevice
|
|
IoGetAttachedDeviceReference
|
|
IoGetBaseFileSystemDeviceObject
|
|
IoGetBootDiskInformation
|
|
IoGetConfigurationInformation
|
|
IoGetCurrentProcess
|
|
IoGetDeviceInterfaceAlias
|
|
IoGetDeviceInterfaces
|
|
IoGetDeviceObjectPointer
|
|
IoGetDeviceProperty
|
|
IoGetDeviceToVerify
|
|
IoEnumerateDeviceObjectList
|
|
IoGetDeviceAttachmentBaseRef
|
|
IoGetDiskDeviceObject
|
|
IoGetPagingIoPriority
|
|
IoGetLowerDeviceObject
|
|
IoGetDmaAdapter
|
|
IoGetDriverObjectExtension
|
|
IoGetFileObjectGenericMapping
|
|
IoGetInitialStack
|
|
IoGetRelatedDeviceObject
|
|
IoGetRequestorProcess
|
|
IoGetRequestorProcessId
|
|
IoGetRequestorSessionId
|
|
IoGetStackLimits=RtlpGetStackLimits
|
|
IoGetTopLevelIrp
|
|
IoInitializeIrp
|
|
IoInitializeRemoveLockEx
|
|
IoInitializeTimer
|
|
IoInvalidateDeviceRelations
|
|
IoInvalidateDeviceState
|
|
IoIsFileOriginRemote
|
|
IoIsOperationSynchronous
|
|
IoIsSystemThread
|
|
IoIsValidNameGraftingBuffer
|
|
IoIsWdmVersionAvailable
|
|
#if defined(_WIN64)
|
|
IoIs32bitProcess
|
|
#endif
|
|
IoMakeAssociatedIrp
|
|
IoOpenDeviceInterfaceRegistryKey
|
|
IoOpenDeviceRegistryKey
|
|
IoPageRead
|
|
IoQueryDeviceDescription
|
|
IoQueryFileDosDeviceName
|
|
IoQueryFileInformation
|
|
IoQueryVolumeInformation
|
|
IoQueueThreadIrp
|
|
IoQueueWorkItem
|
|
IoRaiseHardError
|
|
IoRaiseInformationalHardError
|
|
IoReadDiskSignature
|
|
IoReadOperationCount CONSTANT // Data - use pointer for access
|
|
IoReadPartitionTable
|
|
IoReadPartitionTableEx
|
|
IoReadTransferCount CONSTANT // Data - use pointer for access
|
|
IoRegisterBootDriverReinitialization
|
|
IoRegisterDeviceInterface
|
|
IoRegisterDriverReinitialization
|
|
IoRegisterFileSystem
|
|
IoRegisterFsRegistrationChange
|
|
IoRegisterLastChanceShutdownNotification
|
|
IoRegisterPlugPlayNotification
|
|
IoRegisterShutdownNotification
|
|
IoReleaseCancelSpinLock
|
|
IoReleaseRemoveLockEx
|
|
IoReleaseRemoveLockAndWaitEx
|
|
IoReleaseVpbSpinLock
|
|
IoReuseIrp
|
|
IoRemoveShareAccess
|
|
IoReportDetectedDevice
|
|
IoReportHalResourceUsage
|
|
IoReportResourceUsage
|
|
IoReportResourceForDetection
|
|
IoReportTargetDeviceChange
|
|
IoReportTargetDeviceChangeAsynchronous
|
|
IoRequestDeviceEject
|
|
IoPnPDeliverServicePowerNotification
|
|
IoSetCompletionRoutineEx
|
|
IoSetDeviceInterfaceState
|
|
IoSetDeviceToVerify
|
|
IoSetHardErrorOrVerifyDevice
|
|
IoSetInformation
|
|
IoSetIoCompletion
|
|
IoSetPartitionInformation
|
|
IoSetPartitionInformationEx
|
|
IoSetShareAccess
|
|
IoSetStartIoAttributes
|
|
IoSetThreadHardErrorMode
|
|
IoSetTopLevelIrp
|
|
IoSetSystemPartition
|
|
IoSetFileOrigin
|
|
#if defined(REMOTE_BOOT)
|
|
IoStartCscForTextmodeSetup
|
|
#endif // defined(REMOTE_BOOT)
|
|
IoStartNextPacket
|
|
IoStartNextPacketByKey
|
|
IoStartPacket
|
|
IoStartTimer
|
|
IoStatisticsLock CONSTANT // Data - use pointer for access
|
|
IoStopTimer
|
|
IoSynchronousInvalidateDeviceRelations
|
|
IoSynchronousPageWrite
|
|
IoThreadToProcess
|
|
IoUnregisterFileSystem
|
|
IoUnregisterFsRegistrationChange
|
|
IoUnregisterPlugPlayNotification
|
|
IoUnregisterShutdownNotification
|
|
IoValidateDeviceIoControlAccess
|
|
IoUpdateShareAccess
|
|
IoVerifyVolume
|
|
IoVerifyPartitionTable
|
|
IoVolumeDeviceToDosName
|
|
IoWMIAllocateInstanceIds
|
|
IoWMIDeviceObjectToInstanceName
|
|
#if defined(_WIN64)
|
|
IoWMIDeviceObjectToProviderId
|
|
#endif
|
|
IoWMIExecuteMethod
|
|
IoWMIHandleToInstanceName
|
|
IoWMIOpenBlock
|
|
IoWMIRegistrationControl
|
|
IoWMIQueryAllData
|
|
IoWMIQueryAllDataMultiple
|
|
IoWMIQuerySingleInstance
|
|
IoWMIQuerySingleInstanceMultiple
|
|
IoWMISetNotificationCallback
|
|
IoWMISetSingleInstance
|
|
IoWMISetSingleItem
|
|
IoWMISuggestInstanceName
|
|
IoWMIWriteEvent
|
|
IoWriteErrorLogEntry
|
|
IoWriteOperationCount CONSTANT // Data - use pointer for access
|
|
IoWritePartitionTable
|
|
IoWritePartitionTableEx
|
|
IoWriteTransferCount CONSTANT // Data - use pointer for access
|
|
IofCallDriver
|
|
IofCompleteRequest
|
|
KdDebuggerEnabled CONSTANT // Data - use pointer for access
|
|
KdDebuggerNotPresent CONSTANT // Data - use pointer for access
|
|
KdDisableDebugger
|
|
KdEnableDebugger
|
|
KdEnteredDebugger CONSTANT // Data - use pointer for access
|
|
KdPollBreakIn
|
|
KdPowerTransition
|
|
KdRefreshDebuggerNotPresent
|
|
|
|
//
|
|
// Spin lock functions
|
|
//
|
|
|
|
#if defined(_X86_)
|
|
KeInitializeSpinLock
|
|
#endif
|
|
#if defined(_IA64_)
|
|
KeInitializeSpinLock PRIVATE
|
|
#endif
|
|
|
|
KeAcquireInterruptSpinLock
|
|
KeReleaseInterruptSpinLock
|
|
|
|
#if defined(_WIN64)
|
|
|
|
KeAcquireQueuedSpinLock
|
|
KeReleaseQueuedSpinLock
|
|
KeTryToAcquireQueuedSpinLock
|
|
KeAcquireInStackQueuedSpinLock
|
|
KeReleaseInStackQueuedSpinLock
|
|
|
|
#endif
|
|
|
|
KeAcquireInStackQueuedSpinLockAtDpcLevel
|
|
KeReleaseInStackQueuedSpinLockFromDpcLevel
|
|
KeAcquireInStackQueuedSpinLockForDpc
|
|
KeReleaseInStackQueuedSpinLockForDpc
|
|
KeAcquireSpinLockAtDpcLevel
|
|
KeReleaseSpinLockFromDpcLevel
|
|
KeAcquireSpinLockForDpc
|
|
KeReleaseSpinLockForDpc
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
KiAcquireSpinLock
|
|
KiReleaseSpinLock
|
|
|
|
#endif
|
|
|
|
KeTestSpinLock
|
|
KeAddSystemServiceTable
|
|
KeAreApcsDisabled
|
|
KeAttachProcess
|
|
KeStackAttachProcess
|
|
KeBugCheck
|
|
KeBugCheckEx
|
|
KeCancelTimer
|
|
KeClearEvent
|
|
KeConnectInterrupt
|
|
KeDelayExecutionThread
|
|
KeDeregisterBugCheckCallback
|
|
KeDeregisterBugCheckReasonCallback
|
|
KeDeregisterNmiCallback
|
|
KeDetachProcess
|
|
KeUnstackDetachProcess
|
|
KeDisconnectInterrupt
|
|
KeEnterCriticalRegion
|
|
KeEnterKernelDebugger
|
|
KeFindConfigurationEntry
|
|
KeFindConfigurationNextEntry
|
|
KeFlushEntireTb
|
|
KeFlushQueuedDpcs
|
|
KeGenericCallDpc
|
|
KeGetRecommendedSharedDataAlignment
|
|
KeInitializeApc
|
|
KeInitializeDeviceQueue
|
|
KeInitializeDpc
|
|
KeInitializeThreadedDpc
|
|
KeInitializeEvent
|
|
KeInitializeInterrupt
|
|
KeInitializeMutant
|
|
KeInitializeMutex
|
|
KeInitializeQueue
|
|
KeInitializeSemaphore
|
|
KeInitializeTimer
|
|
KeInitializeTimerEx
|
|
KeInsertByKeyDeviceQueue
|
|
KeInsertDeviceQueue
|
|
KeInsertHeadQueue
|
|
KeInsertQueue
|
|
KeInsertQueueApc
|
|
KeInsertQueueDpc
|
|
KeIpiGenericCall
|
|
KeIsAttachedProcess
|
|
KeLeaveCriticalRegion
|
|
KeLoaderBlock CONSTANT // Data - use pointer for access
|
|
KeNumberProcessors DATA
|
|
#if !defined(_AMD64_)
|
|
KeProfileInterrupt
|
|
#endif
|
|
KeProfileInterruptWithSource
|
|
KePulseEvent
|
|
KeQueryActiveProcessors
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
KeQueryInterruptTime
|
|
KeQuerySystemTime
|
|
|
|
#endif
|
|
|
|
KeQueryPriorityThread
|
|
KeQueryRuntimeThread
|
|
KeQueryTimeIncrement
|
|
KeRaiseUserException
|
|
KeReadStateEvent
|
|
KeReadStateMutant
|
|
KeReadStateMutex=KeReadStateMutant
|
|
KeReadStateQueue
|
|
KeReadStateSemaphore
|
|
KeReadStateTimer
|
|
KeRegisterBugCheckCallback
|
|
KeRegisterBugCheckReasonCallback
|
|
KeRegisterNmiCallback
|
|
KeReleaseMutant
|
|
KeReleaseMutex
|
|
KeReleaseSemaphore
|
|
KeRemoveByKeyDeviceQueue
|
|
KeRemoveByKeyDeviceQueueIfBusy
|
|
KeRemoveDeviceQueue
|
|
KeRemoveEntryDeviceQueue
|
|
KeRemoveQueue
|
|
KeRemoveQueueDpc
|
|
KeRemoveSystemServiceTable
|
|
KeResetEvent
|
|
KeRevertToUserAffinityThread
|
|
KeRundownQueue
|
|
KeSaveStateForHibernate
|
|
KeServiceDescriptorTable CONSTANT // Data - use pointer for access
|
|
KeSetAffinityThread
|
|
KeSetBasePriorityThread
|
|
KeSetDmaIoCoherency
|
|
KeSetEvent
|
|
KeSetEventBoostPriority
|
|
KeSetIdealProcessorThread
|
|
KeSetImportanceDpc
|
|
KeSetKernelStackSwapEnable
|
|
KeSetPriorityThread
|
|
KeSetSystemAffinityThread
|
|
KeSetTargetProcessorDpc
|
|
KeSetTimeIncrement
|
|
KeSetTimer
|
|
KeSetTimerEx
|
|
KeSignalCallDpcDone
|
|
KeSignalCallDpcSynchronize
|
|
KeSynchronizeExecution
|
|
KeTerminateThread
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
KeTickCount CONSTANT // Data - use pointer for access
|
|
KeQueryTickCount
|
|
|
|
#endif
|
|
|
|
KeUpdateRunTime
|
|
KeUpdateSystemTime
|
|
KeUserModeCallback
|
|
KeWaitForMultipleObjects
|
|
KeWaitForMutexObject=KeWaitForSingleObject
|
|
KeWaitForSingleObject
|
|
KiBugCheckData CONSTANT // Data - use pointer for access
|
|
KiEnableTimerWatchdog CONSTANT // Data - use pointer for access
|
|
KiCheckForKernelApcDelivery
|
|
LdrAccessResource
|
|
LdrEnumResources
|
|
LdrFindResourceDirectory_U
|
|
LdrFindResource_U
|
|
LpcPortObjectType CONSTANT // Data - use pointer for access
|
|
LpcRequestPort
|
|
LpcRequestWaitReplyPort
|
|
LsaCallAuthenticationPackage
|
|
LsaDeregisterLogonProcess
|
|
LsaFreeReturnBuffer
|
|
LsaLogonUser
|
|
LsaLookupAuthenticationPackage
|
|
LsaRegisterLogonProcess
|
|
#ifdef MEMPRINT
|
|
MemPrint
|
|
MemPrintInitialize
|
|
#endif
|
|
MmIsIoSpaceActive
|
|
MmIsVerifierEnabled
|
|
MmAddVerifierThunks
|
|
MmAdvanceMdl
|
|
Mm64BitPhysicalAddress CONSTANT // Data - use pointer for access
|
|
MmAddPhysicalMemory
|
|
MmAdjustWorkingSetSize
|
|
MmAllocateContiguousMemory
|
|
MmAllocateContiguousMemorySpecifyCache
|
|
MmAllocateNonCachedMemory
|
|
MmAllocatePagesForMdl
|
|
MmBuildMdlForNonPagedPool
|
|
MmCanFileBeTruncated
|
|
MmCreateMdl
|
|
MmCreateMirror
|
|
MmCreateSection
|
|
MmDisableModifiedWriteOfSection
|
|
MmFlushImageSection
|
|
MmForceSectionClosed
|
|
MmFreeContiguousMemory
|
|
MmFreeContiguousMemorySpecifyCache
|
|
MmFreeNonCachedMemory
|
|
MmFreePagesFromMdl
|
|
MmGetPhysicalAddress
|
|
MmGetPhysicalMemoryRanges
|
|
MmGetSystemRoutineAddress
|
|
MmGetVirtualForPhysical
|
|
MmGrowKernelStack
|
|
MmIsAddressValid
|
|
MmIsDriverVerifying
|
|
MmIsNonPagedSystemAddressValid
|
|
MmIsRecursiveIoFault
|
|
MmIsThisAnNtAsSystem
|
|
MmLockPagableDataSection
|
|
MmLockPagableSectionByHandle
|
|
MmMapIoSpace
|
|
MmMapLockedPages
|
|
MmMapLockedPagesSpecifyCache
|
|
MmAllocateMappingAddress
|
|
MmFreeMappingAddress
|
|
MmMapLockedPagesWithReservedMapping
|
|
MmUnmapReservedMapping
|
|
MmMapMemoryDumpMdl
|
|
MmMapUserAddressesToPage
|
|
MmMapVideoDisplay
|
|
MmMapViewOfSection
|
|
MmMapViewInSessionSpace
|
|
MmMapViewInSystemSpace
|
|
MmCommitSessionMappedView
|
|
MmMarkPhysicalMemoryAsBad
|
|
MmMarkPhysicalMemoryAsGood
|
|
MmPageEntireDriver
|
|
MmPrefetchPages
|
|
MmProbeAndLockPages
|
|
MmProbeAndLockSelectedPages
|
|
MmProbeAndLockProcessPages
|
|
MmProtectMdlSystemAddress
|
|
MmQuerySystemSize
|
|
MmRemovePhysicalMemory
|
|
MmResetDriverPaging
|
|
MmSectionObjectType CONSTANT
|
|
MmSecureVirtualMemory
|
|
MmSetAddressRangeModified
|
|
MmSetBankedSection
|
|
MmSizeOfMdl
|
|
MmTrimAllSystemPagableMemory
|
|
MmUnlockPagableImageSection
|
|
MmUnlockPages
|
|
MmUnmapIoSpace
|
|
MmUnmapLockedPages
|
|
MmUnmapVideoDisplay
|
|
MmUnmapViewOfSection
|
|
MmUnmapViewInSystemSpace
|
|
MmUnmapViewInSessionSpace
|
|
MmUnsecureVirtualMemory
|
|
NlsAnsiCodePage CONSTANT // Data - use pointer for access
|
|
NlsOemCodePage CONSTANT // Data - use pointer for access
|
|
NlsLeadByteInfo CONSTANT // Data - use pointer for access
|
|
NlsOemLeadByteInfo CONSTANT // Data - use pointer for access
|
|
NlsMbCodePageTag CONSTANT // Data - use pointer for access
|
|
NlsMbOemCodePageTag CONSTANT // Data - use pointer for access
|
|
NtAddAtom
|
|
NtAdjustPrivilegesToken
|
|
NtAllocateLocallyUniqueId
|
|
NtAllocateUuids
|
|
NtAllocateVirtualMemory
|
|
NtBuildNumber CONSTANT
|
|
NtClose
|
|
NtConnectPort
|
|
NtCreateEvent
|
|
NtCreateFile
|
|
NtCreateSection
|
|
NtDeleteAtom
|
|
NtDeleteFile
|
|
NtDeviceIoControlFile
|
|
NtDuplicateObject
|
|
NtDuplicateToken
|
|
NtFindAtom
|
|
NtFreeVirtualMemory
|
|
NtFsControlFile
|
|
NtGlobalFlag CONSTANT // Data - use pointer for access
|
|
NtLockFile
|
|
NtMakePermanentObject
|
|
NtMapViewOfSection
|
|
NtNotifyChangeDirectoryFile
|
|
NtOpenFile
|
|
NtOpenProcess
|
|
NtOpenProcessToken
|
|
NtOpenProcessTokenEx
|
|
NtOpenThread
|
|
NtOpenThreadToken
|
|
NtOpenThreadTokenEx
|
|
NtQueryDirectoryFile
|
|
NtQueryEaFile
|
|
NtQueryInformationAtom
|
|
NtQueryInformationFile
|
|
NtQueryInformationProcess
|
|
NtQueryInformationThread
|
|
NtQueryInformationToken
|
|
NtQueryQuotaInformationFile
|
|
NtQuerySecurityObject
|
|
NtQuerySystemInformation
|
|
NtQueryVolumeInformationFile
|
|
NtReadFile
|
|
NtRequestPort
|
|
NtRequestWaitReplyPort
|
|
NtSetEaFile
|
|
NtSetEvent
|
|
NtSetInformationFile
|
|
NtSetInformationProcess
|
|
NtSetInformationThread
|
|
NtSetQuotaInformationFile
|
|
NtSetVolumeInformationFile
|
|
NtSetSecurityObject
|
|
NtShutdownSystem
|
|
NtTraceEvent
|
|
NtUnlockFile
|
|
NtVdmControl
|
|
NtWaitForSingleObject
|
|
NtWriteFile
|
|
ObAssignSecurity
|
|
ObCheckCreateObjectAccess
|
|
ObCheckObjectAccess
|
|
ObCreateObject
|
|
ObCreateObjectType
|
|
ObDeleteCapturedInsertInfo
|
|
ObDereferenceObject
|
|
ObfDereferenceObject
|
|
ObFindHandleForObject
|
|
ObGetObjectSecurity
|
|
ObInsertObject
|
|
ObLogSecurityDescriptor
|
|
ObReferenceSecurityDescriptor
|
|
ObDereferenceSecurityDescriptor
|
|
ObMakeTemporaryObject
|
|
ObOpenObjectByName
|
|
ObOpenObjectByPointer
|
|
ObQueryObjectAuditingByHandle
|
|
ObQueryNameString
|
|
ObReferenceObjectByHandle
|
|
ObReferenceObjectByName
|
|
ObReferenceObjectByPointer
|
|
ObReleaseObjectSecurity
|
|
ObSetSecurityDescriptorInfo
|
|
ObSetSecurityObjectByPointer
|
|
ObfReferenceObject
|
|
ObSetHandleAttributes
|
|
ObCloseHandle
|
|
PfxFindPrefix
|
|
PfxInitialize
|
|
PfxInsertPrefix
|
|
PfxRemovePrefix
|
|
PoCallDriver
|
|
PoCancelDeviceNotify
|
|
PoQueueShutdownWorkItem
|
|
PoRegisterDeviceForIdleDetection
|
|
PoRegisterDeviceNotify
|
|
PoRegisterSystemState
|
|
PoRequestPowerIrp
|
|
PoRequestShutdownEvent
|
|
PoSetHiberRange
|
|
PoSetPowerState
|
|
PoSetSystemState
|
|
PoStartNextPowerIrp
|
|
PoShutdownBugCheck
|
|
PoUnregisterSystemState
|
|
ProbeForRead
|
|
ProbeForWrite
|
|
PsAssignImpersonationToken
|
|
PsChargePoolQuota
|
|
PsChargeProcessPoolQuota
|
|
PsChargeProcessNonPagedPoolQuota
|
|
PsChargeProcessPagedPoolQuota
|
|
PsCreateSystemProcess
|
|
PsCreateSystemThread
|
|
PsDisableImpersonation
|
|
PsGetCurrentProcess
|
|
PsGetContextThread
|
|
PsSetContextThread
|
|
PsGetCurrentProcessId
|
|
PsGetCurrentProcessSessionId
|
|
PsGetCurrentThread
|
|
PsGetCurrentThreadId
|
|
PsGetCurrentThreadStackBase
|
|
PsGetCurrentThreadStackLimit
|
|
PsGetCurrentThreadPreviousMode
|
|
PsGetJobLock
|
|
PsGetJobSessionId
|
|
PsGetJobUIRestrictionsClass
|
|
PsGetProcessCreateTimeQuadPart
|
|
PsGetProcessDebugPort
|
|
PsGetProcessExitProcessCalled
|
|
PsGetProcessExitStatus
|
|
PsGetProcessExitTime
|
|
PsGetProcessId
|
|
PsGetProcessImageFileName
|
|
PsGetProcessInheritedFromUniqueProcessId
|
|
PsGetProcessJob
|
|
PsGetProcessPeb
|
|
PsGetProcessPriorityClass
|
|
PsGetProcessSectionBaseAddress
|
|
PsGetProcessSecurityPort
|
|
PsGetProcessSessionId
|
|
PsGetProcessSessionIdEx
|
|
PsGetProcessWin32WindowStation
|
|
PsGetProcessWin32Process
|
|
#ifdef _WIN64
|
|
PsGetProcessWow64Process
|
|
#endif
|
|
PsGetThreadId
|
|
PsGetThreadFreezeCount
|
|
PsGetThreadHardErrorsAreDisabled
|
|
PsGetThreadProcess
|
|
PsGetThreadProcessId
|
|
PsGetThreadSessionId
|
|
PsGetThreadTeb
|
|
PsGetThreadWin32Thread
|
|
PsGetVersion
|
|
PsImpersonateClient
|
|
PsInitialSystemProcess CONSTANT
|
|
PsIsProcessBeingDebugged
|
|
PsIsThreadTerminating
|
|
PsIsSystemThread
|
|
PsIsThreadImpersonating
|
|
PsJobType CONSTANT
|
|
PsEstablishWin32Callouts
|
|
PsLookupProcessThreadByCid
|
|
PsLookupProcessByProcessId
|
|
PsLookupThreadByThreadId
|
|
PsProcessType CONSTANT
|
|
PsReferenceImpersonationToken
|
|
PsReferencePrimaryToken
|
|
PsDereferenceImpersonationToken
|
|
PsDereferencePrimaryToken
|
|
PsRestoreImpersonation
|
|
PsReturnPoolQuota
|
|
PsReturnProcessNonPagedPoolQuota
|
|
PsReturnProcessPagedPoolQuota
|
|
PsRevertToSelf
|
|
PsRevertThreadToSelf
|
|
PsSetCreateProcessNotifyRoutine
|
|
PsSetCreateThreadNotifyRoutine
|
|
PsRemoveCreateThreadNotifyRoutine
|
|
PsSetJobUIRestrictionsClass
|
|
PsSetLegoNotifyRoutine
|
|
PsSetLoadImageNotifyRoutine
|
|
PsRemoveLoadImageNotifyRoutine
|
|
PsSetProcessPriorityClass
|
|
PsSetProcessPriorityByClass
|
|
PsSetProcessSecurityPort
|
|
PsSetProcessWin32Process
|
|
PsSetProcessWindowStation
|
|
PsSetThreadHardErrorsAreDisabled
|
|
PsSetThreadWin32Thread
|
|
PsTerminateSystemThread
|
|
PsThreadType CONSTANT
|
|
RtlAbsoluteToSelfRelativeSD
|
|
RtlAddAccessAllowedAce
|
|
RtlAddAccessAllowedAceEx
|
|
RtlAddAce
|
|
RtlAddAtomToAtomTable
|
|
RtlAddRange
|
|
RtlAllocateHeap
|
|
RtlAnsiCharToUnicodeChar
|
|
RtlAnsiStringToUnicodeSize=RtlxAnsiStringToUnicodeSize
|
|
RtlAnsiStringToUnicodeString
|
|
RtlAppendAsciizToString
|
|
RtlAppendStringToString
|
|
RtlAppendUnicodeStringToString
|
|
RtlAppendUnicodeToString
|
|
RtlAreAllAccessesGranted
|
|
RtlAreAnyAccessesGranted
|
|
RtlAreBitsClear
|
|
RtlAreBitsSet
|
|
RtlAssert
|
|
RtlCaptureStackBackTrace
|
|
RtlCharToInteger
|
|
RtlCheckRegistryKey
|
|
RtlClearAllBits
|
|
RtlClearBit
|
|
RtlClearBits
|
|
RtlCompareMemory
|
|
RtlCompareMemoryUlong
|
|
RtlCompareString
|
|
RtlCompareUnicodeString
|
|
RtlCompressBuffer
|
|
RtlCompressChunks
|
|
#if !defined(_WIN64)
|
|
RtlConvertLongToLargeInteger = __RtlConvertLongToLargeInteger
|
|
RtlConvertUlongToLargeInteger = __RtlConvertUlongToLargeInteger
|
|
#endif
|
|
RtlConvertSidToUnicodeString
|
|
RtlCopyLuid
|
|
RtlCopyRangeList
|
|
RtlCopySid
|
|
RtlCopyString
|
|
RtlCopyUnicodeString
|
|
RtlCreateAcl
|
|
RtlCreateAtomTable
|
|
RtlCreateHeap
|
|
RtlCreateRegistryKey
|
|
RtlCreateSecurityDescriptor
|
|
RtlCreateSystemVolumeInformationFolder
|
|
RtlCreateUnicodeString
|
|
RtlCustomCPToUnicodeN
|
|
RtlDecompressBuffer
|
|
RtlDecompressChunks
|
|
RtlDecompressFragment
|
|
RtlDelete
|
|
RtlDeleteAce
|
|
RtlDeleteAtomFromAtomTable
|
|
RtlDeleteElementGenericTable
|
|
RtlDeleteElementGenericTableAvl
|
|
RtlDeleteNoSplay
|
|
RtlDeleteOwnersRanges
|
|
RtlDeleteRange
|
|
RtlDeleteRegistryValue
|
|
RtlDescribeChunk
|
|
RtlDestroyAtomTable
|
|
RtlDestroyHeap
|
|
RtlDowncaseUnicodeString
|
|
RtlEmptyAtomTable
|
|
#ifndef _WIN64
|
|
RtlEnlargedIntegerMultiply = _RtlEnlargedIntegerMultiply
|
|
RtlEnlargedUnsignedDivide = _RtlEnlargedUnsignedDivide
|
|
RtlEnlargedUnsignedMultiply = _RtlEnlargedUnsignedMultiply
|
|
#endif
|
|
RtlEnumerateGenericTable
|
|
RtlEnumerateGenericTableAvl
|
|
RtlEnumerateGenericTableLikeADirectory
|
|
RtlEnumerateGenericTableWithoutSplaying
|
|
RtlEnumerateGenericTableWithoutSplayingAvl
|
|
RtlEqualLuid
|
|
RtlEqualSid
|
|
RtlEqualString
|
|
RtlEqualUnicodeString
|
|
|
|
#if !defined(_WIN64)
|
|
|
|
RtlExtendedIntegerMultiply
|
|
RtlExtendedLargeIntegerDivide
|
|
|
|
#endif
|
|
|
|
#if defined(_X86_) || defined(_IA64_)
|
|
|
|
RtlExtendedMagicDivide
|
|
|
|
#endif
|
|
|
|
RtlFillMemory
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
RtlFillMemoryUlong
|
|
|
|
#endif
|
|
|
|
RtlFindClearBits
|
|
RtlFindClearBitsAndSet
|
|
RtlFindClearRuns
|
|
RtlFindFirstRunClear
|
|
RtlFindLastBackwardRunClear
|
|
RtlFindLeastSignificantBit
|
|
RtlFindLongestRunClear
|
|
RtlFindMessage
|
|
RtlFindMostSignificantBit
|
|
RtlFindNextForwardRunClear
|
|
RtlFindRange
|
|
RtlFindSetBits
|
|
RtlFindSetBitsAndClear
|
|
RtlFindUnicodePrefix
|
|
RtlFormatCurrentUserKeyPath
|
|
RtlFreeAnsiString
|
|
RtlFreeHeap
|
|
RtlFreeOemString
|
|
RtlFreeRangeList
|
|
RtlFreeUnicodeString
|
|
RtlGUIDFromString
|
|
RtlGenerate8dot3Name
|
|
RtlGetAce
|
|
RtlGetCallersAddress
|
|
RtlGetCompressionWorkSpaceSize
|
|
RtlGetDaclSecurityDescriptor
|
|
RtlGetDefaultCodePage
|
|
RtlGetElementGenericTable
|
|
RtlGetElementGenericTableAvl
|
|
RtlGetFirstRange
|
|
RtlGetGroupSecurityDescriptor
|
|
RtlGetNextRange
|
|
RtlGetNtGlobalFlags
|
|
RtlGetOwnerSecurityDescriptor
|
|
RtlGetSaclSecurityDescriptor
|
|
RtlGetVersion
|
|
RtlHashUnicodeString
|
|
RtlImageNtHeader
|
|
RtlImageDirectoryEntryToData
|
|
RtlInitAnsiString
|
|
RtlInitAnsiStringEx
|
|
RtlInitCodePageTable
|
|
RtlInitString
|
|
RtlInitUnicodeString
|
|
RtlInitUnicodeStringEx
|
|
RtlInitializeBitMap
|
|
RtlInitializeGenericTable
|
|
RtlInitializeGenericTableAvl
|
|
RtlInitializeRangeList
|
|
RtlInitializeSid
|
|
RtlInitializeUnicodePrefix
|
|
RtlInsertElementGenericTable
|
|
RtlInsertElementGenericTableAvl
|
|
RtlInsertElementGenericTableFull
|
|
RtlInsertElementGenericTableFullAvl
|
|
RtlInsertUnicodePrefix
|
|
RtlInt64ToUnicodeString
|
|
RtlIntegerToChar
|
|
RtlIntegerToUnicode
|
|
RtlIntegerToUnicodeString
|
|
RtlInvertRangeList
|
|
RtlIpv4AddressToStringA
|
|
RtlIpv4AddressToStringW
|
|
RtlIpv4AddressToStringExA
|
|
RtlIpv4AddressToStringExW
|
|
RtlIpv4StringToAddressA
|
|
RtlIpv4StringToAddressW
|
|
RtlIpv4StringToAddressExA
|
|
RtlIpv4StringToAddressExW
|
|
RtlIpv6AddressToStringA
|
|
RtlIpv6AddressToStringW
|
|
RtlIpv6AddressToStringExA
|
|
RtlIpv6AddressToStringExW
|
|
RtlIpv6StringToAddressA
|
|
RtlIpv6StringToAddressW
|
|
RtlIpv6StringToAddressExA
|
|
RtlIpv6StringToAddressExW
|
|
RtlIsGenericTableEmpty
|
|
RtlIsGenericTableEmptyAvl
|
|
RtlIsNameLegalDOS8Dot3
|
|
RtlIsRangeAvailable
|
|
RtlIsValidOemCharacter
|
|
#if !defined(_WIN64)
|
|
RtlLargeIntegerAdd
|
|
RtlLargeIntegerArithmeticShift
|
|
RtlLargeIntegerDivide
|
|
RtlLargeIntegerNegate
|
|
RtlLargeIntegerShiftLeft
|
|
RtlLargeIntegerShiftRight
|
|
RtlLargeIntegerSubtract
|
|
#endif
|
|
RtlLengthRequiredSid
|
|
RtlLengthSecurityDescriptor
|
|
RtlLengthSid
|
|
RtlLookupAtomInAtomTable
|
|
RtlLookupElementGenericTable
|
|
RtlLookupElementGenericTableAvl
|
|
RtlLookupElementGenericTableFull
|
|
RtlLookupElementGenericTableFullAvl
|
|
RtlMapGenericMask
|
|
RtlMapSecurityErrorToNtStatus
|
|
RtlMergeRangeLists
|
|
#if !defined(_M_IA64)
|
|
RtlMoveMemory
|
|
#endif
|
|
RtlMultiByteToUnicodeN
|
|
RtlMultiByteToUnicodeSize
|
|
RtlNextUnicodePrefix
|
|
RtlNtStatusToDosError
|
|
RtlNtStatusToDosErrorNoTeb
|
|
RtlNumberGenericTableElements
|
|
RtlNumberGenericTableElementsAvl
|
|
RtlNumberOfClearBits
|
|
RtlNumberOfSetBits
|
|
RtlOemStringToCountedUnicodeString
|
|
RtlOemStringToUnicodeSize=RtlxOemStringToUnicodeSize
|
|
RtlOemStringToUnicodeString
|
|
RtlOemToUnicodeN
|
|
RtlPinAtomInAtomTable
|
|
RtlPrefetchMemoryNonTemporal
|
|
RtlPrefixString
|
|
RtlPrefixUnicodeString
|
|
RtlQueryAtomInAtomTable
|
|
RtlQueryRegistryValues
|
|
RtlQueryTimeZoneInformation
|
|
RtlRaiseException
|
|
RtlRandom
|
|
RtlRandomEx
|
|
RtlRealPredecessor
|
|
RtlRealSuccessor
|
|
RtlRemoveUnicodePrefix
|
|
RtlReserveChunk
|
|
RtlSecondsSince1970ToTime
|
|
RtlSecondsSince1980ToTime
|
|
RtlSelfRelativeToAbsoluteSD
|
|
RtlSelfRelativeToAbsoluteSD2
|
|
RtlSetAllBits
|
|
RtlSetBit
|
|
RtlSetBits
|
|
RtlSetDaclSecurityDescriptor
|
|
RtlSetGroupSecurityDescriptor
|
|
RtlSetOwnerSecurityDescriptor
|
|
RtlSetSaclSecurityDescriptor
|
|
RtlSetTimeZoneInformation
|
|
RtlSizeHeap
|
|
RtlSplay
|
|
RtlStringFromGUID
|
|
RtlSubAuthorityCountSid
|
|
RtlSubAuthoritySid
|
|
RtlSubtreePredecessor
|
|
RtlSubtreeSuccessor
|
|
RtlTestBit
|
|
RtlTimeFieldsToTime
|
|
RtlTimeToSecondsSince1970
|
|
RtlTimeToSecondsSince1980
|
|
RtlTimeToTimeFields
|
|
RtlTimeToElapsedTimeFields
|
|
RtlTraceDatabaseCreate
|
|
RtlTraceDatabaseDestroy
|
|
RtlTraceDatabaseValidate
|
|
RtlTraceDatabaseAdd
|
|
RtlTraceDatabaseFind
|
|
RtlTraceDatabaseEnumerate
|
|
RtlTraceDatabaseLock
|
|
RtlTraceDatabaseUnlock
|
|
RtlLockBootStatusData
|
|
RtlUnlockBootStatusData
|
|
RtlGetSetBootStatusData
|
|
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
RtlUlongByteSwap
|
|
RtlUlonglongByteSwap
|
|
|
|
#endif
|
|
|
|
RtlUnicodeStringToAnsiSize=RtlxUnicodeStringToAnsiSize
|
|
RtlUnicodeStringToAnsiString
|
|
RtlUnicodeStringToCountedOemString
|
|
RtlUnicodeStringToInteger
|
|
RtlUnicodeStringToOemSize=RtlxUnicodeStringToOemSize
|
|
RtlUnicodeStringToOemString
|
|
RtlUnicodeToCustomCPN
|
|
RtlUnicodeToMultiByteN
|
|
RtlUnicodeToMultiByteSize
|
|
RtlUnicodeToOemN
|
|
RtlUnwind
|
|
RtlUpcaseUnicodeChar
|
|
RtlUpcaseUnicodeString
|
|
RtlUpcaseUnicodeStringToAnsiString
|
|
RtlUpcaseUnicodeStringToCountedOemString
|
|
RtlUpcaseUnicodeStringToOemString
|
|
RtlUpcaseUnicodeToCustomCPN
|
|
RtlUpcaseUnicodeToMultiByteN
|
|
RtlUpcaseUnicodeToOemN
|
|
RtlUpperChar
|
|
RtlUpperString
|
|
|
|
#if !defined(_AMD64_)
|
|
|
|
RtlUshortByteSwap
|
|
|
|
#endif
|
|
|
|
RtlValidSecurityDescriptor
|
|
RtlValidRelativeSecurityDescriptor
|
|
RtlValidSid
|
|
RtlVerifyVersionInfo
|
|
RtlVolumeDeviceToDosName=IoVolumeDeviceToDosName
|
|
RtlWalkFrameChain
|
|
RtlWriteRegistryValue
|
|
RtlZeroHeap
|
|
RtlZeroMemory
|
|
RtlxAnsiStringToUnicodeSize
|
|
RtlxOemStringToUnicodeSize
|
|
RtlxUnicodeStringToAnsiSize
|
|
RtlxUnicodeStringToOemSize
|
|
SeAccessCheck
|
|
SeAppendPrivileges
|
|
SeAssignSecurity
|
|
SeAssignSecurityEx
|
|
SeAuditingFileEvents
|
|
SeAuditingFileEventsWithContext
|
|
SeAuditingFileOrGlobalEvents
|
|
SeAuditingHardLinkEvents
|
|
SeAuditingHardLinkEventsWithContext
|
|
SeAuditHardLinkCreation
|
|
SeCaptureSecurityDescriptor
|
|
SeCaptureSubjectContext
|
|
SeCloseObjectAuditAlarm
|
|
SeCreateAccessState
|
|
SeCreateClientSecurity
|
|
SeCreateClientSecurityFromSubjectContext
|
|
SeDeassignSecurity
|
|
SeDeleteAccessState
|
|
SeDeleteObjectAuditAlarm
|
|
//
|
|
// Pointer to structure containing security
|
|
// exports
|
|
//
|
|
|
|
//
|
|
// Use SeEnableAccessToExports() before
|
|
// using (see se.h)
|
|
SeExports DATA
|
|
SeFilterToken
|
|
SeFreePrivileges
|
|
SeImpersonateClient
|
|
SeImpersonateClientEx
|
|
SeLockSubjectContext
|
|
SeMarkLogonSessionForTerminationNotification
|
|
SeOpenObjectAuditAlarm
|
|
SeOpenObjectForDeleteAuditAlarm
|
|
SePrivilegeCheck
|
|
SePrivilegeObjectAuditAlarm
|
|
// System default DACLs
|
|
//
|
|
// SePublicDefaultDacl - is for protecting things so that
|
|
// normal users can use it.
|
|
SePublicDefaultDacl CONSTANT
|
|
SeQueryAuthenticationIdToken
|
|
SeQueryInformationToken
|
|
SeQuerySecurityDescriptorInfo
|
|
SeQuerySessionIdToken
|
|
SeRegisterLogonSessionTerminatedRoutine
|
|
SeReleaseSecurityDescriptor
|
|
SeReleaseSubjectContext
|
|
SeSetAccessStateGenericMapping
|
|
SeSetSecurityDescriptorInfo
|
|
SeSetSecurityDescriptorInfoEx
|
|
SeSinglePrivilegeCheck
|
|
// SeSystemDefaultDacl - is for protecting things so that
|
|
// only the system (and administrators) can get to it.
|
|
SeSystemDefaultDacl CONSTANT
|
|
SeTokenImpersonationLevel
|
|
SeTokenIsAdmin
|
|
SeTokenIsRestricted
|
|
SeTokenObjectType CONSTANT // Data - use pointer for access
|
|
SeTokenType
|
|
SeUnlockSubjectContext
|
|
SeUnregisterLogonSessionTerminatedRoutine
|
|
SeValidSecurityDescriptor
|
|
VerSetConditionMask
|
|
VfFailDeviceNode
|
|
VfFailDriver
|
|
VfFailSystemBIOS
|
|
VfIsVerificationEnabled
|
|
WmiFlushTrace
|
|
WmiGetClock
|
|
WmiQueryTrace
|
|
WmiQueryTraceInformation
|
|
WmiStartTrace
|
|
WmiStopTrace
|
|
WmiTraceFastEvent
|
|
WmiTraceMessage
|
|
WmiTraceMessageVa
|
|
WmiUpdateTrace
|
|
ZwAccessCheckAndAuditAlarm
|
|
ZwAddBootEntry
|
|
ZwAddDriverEntry
|
|
ZwAdjustPrivilegesToken
|
|
ZwAlertThread
|
|
ZwAllocateVirtualMemory
|
|
ZwAssignProcessToJobObject
|
|
ZwCancelIoFile
|
|
ZwCancelTimer
|
|
ZwClearEvent
|
|
ZwClose
|
|
ZwCloseObjectAuditAlarm
|
|
ZwConnectPort
|
|
ZwCreateDirectoryObject
|
|
ZwCreateEvent
|
|
ZwCreateFile
|
|
ZwCreateJobObject
|
|
ZwCreateKey
|
|
ZwCreateSection
|
|
ZwCreateSymbolicLinkObject
|
|
ZwCreateTimer
|
|
ZwDeleteBootEntry
|
|
ZwDeleteDriverEntry
|
|
ZwDeleteFile
|
|
ZwDeleteKey
|
|
ZwDeleteValueKey
|
|
ZwDeviceIoControlFile
|
|
ZwDisplayString
|
|
ZwDuplicateObject
|
|
ZwDuplicateToken
|
|
ZwEnumerateBootEntries
|
|
ZwEnumerateDriverEntries
|
|
ZwEnumerateKey
|
|
ZwEnumerateValueKey
|
|
ZwFlushInstructionCache
|
|
ZwFlushKey
|
|
ZwFlushVirtualMemory
|
|
ZwFreeVirtualMemory
|
|
ZwFsControlFile
|
|
ZwInitiatePowerAction
|
|
ZwIsProcessInJob
|
|
ZwLoadDriver
|
|
ZwLoadKey
|
|
ZwMakeTemporaryObject
|
|
ZwMapViewOfSection
|
|
ZwModifyBootEntry
|
|
ZwModifyDriverEntry
|
|
ZwNotifyChangeKey
|
|
ZwOpenDirectoryObject
|
|
ZwOpenEvent
|
|
ZwOpenFile
|
|
ZwOpenJobObject
|
|
ZwOpenKey
|
|
ZwOpenProcess
|
|
ZwOpenProcessToken
|
|
ZwOpenProcessTokenEx
|
|
ZwOpenSection
|
|
ZwOpenSymbolicLinkObject
|
|
ZwOpenThread
|
|
ZwOpenThreadToken
|
|
ZwOpenThreadTokenEx
|
|
ZwOpenTimer
|
|
ZwPowerInformation
|
|
ZwPulseEvent
|
|
ZwQueryBootEntryOrder
|
|
ZwQueryBootOptions
|
|
ZwQueryDefaultLocale
|
|
ZwQueryDefaultUILanguage
|
|
ZwQueryDriverEntryOrder
|
|
ZwQueryInstallUILanguage
|
|
ZwQueryDirectoryFile
|
|
ZwQueryDirectoryObject
|
|
ZwQueryEaFile
|
|
ZwQueryFullAttributesFile
|
|
ZwQueryInformationFile
|
|
ZwQueryInformationJobObject
|
|
ZwQueryInformationProcess
|
|
ZwQueryInformationThread
|
|
ZwQueryInformationToken
|
|
ZwQueryInformationToken
|
|
ZwQueryKey
|
|
ZwQueryObject
|
|
ZwQuerySection
|
|
ZwQuerySecurityObject
|
|
ZwQuerySymbolicLinkObject
|
|
ZwQuerySystemInformation
|
|
ZwQueryValueKey
|
|
ZwQueryVolumeInformationFile
|
|
ZwReadFile
|
|
ZwReplaceKey
|
|
ZwRequestWaitReplyPort
|
|
ZwResetEvent
|
|
ZwRestoreKey
|
|
ZwSaveKey
|
|
ZwSaveKeyEx
|
|
ZwSetBootEntryOrder
|
|
ZwSetBootOptions
|
|
ZwSetDefaultLocale
|
|
ZwSetDefaultUILanguage
|
|
ZwSetDriverEntryOrder
|
|
ZwSetEaFile
|
|
ZwSetEvent
|
|
ZwSetInformationFile
|
|
ZwSetInformationJobObject
|
|
ZwSetInformationObject
|
|
ZwSetInformationProcess
|
|
ZwSetInformationThread
|
|
ZwSetSecurityObject
|
|
ZwSetSystemInformation
|
|
ZwSetSystemTime
|
|
ZwSetTimer
|
|
ZwSetValueKey
|
|
ZwSetVolumeInformationFile
|
|
ZwTerminateJobObject
|
|
ZwTerminateProcess
|
|
ZwTranslateFilePath
|
|
ZwUnloadDriver
|
|
ZwUnloadKey
|
|
ZwUnmapViewOfSection
|
|
ZwWaitForMultipleObjects
|
|
ZwWaitForSingleObject
|
|
ZwWriteFile
|
|
ZwYieldExecution
|
|
|
|
|
|
//
|
|
// ntcrt.lib
|
|
//
|
|
|
|
#if defined(_X86_)
|
|
_alloca_probe
|
|
#elif defined(_IA64_)
|
|
__alloca_probe
|
|
#endif
|
|
_itoa
|
|
_itow
|
|
_purecall
|
|
_snprintf
|
|
_snwprintf
|
|
_stricmp
|
|
_strlwr
|
|
_strnicmp
|
|
_strnset
|
|
_strrev
|
|
_strset
|
|
_strupr
|
|
_vsnprintf
|
|
_vsnwprintf
|
|
_wcsicmp
|
|
_wcslwr
|
|
_wcsnicmp
|
|
_wcsnset
|
|
_wcsrev
|
|
_wcsupr
|
|
isdigit
|
|
islower
|
|
isprint
|
|
isspace
|
|
isupper
|
|
isxdigit
|
|
mbstowcs
|
|
mbtowc
|
|
memchr
|
|
qsort
|
|
rand
|
|
sprintf
|
|
srand
|
|
strcat
|
|
strchr
|
|
strcmp
|
|
strcpy
|
|
strlen
|
|
strncat
|
|
strncmp
|
|
strncpy
|
|
strrchr
|
|
strspn
|
|
strstr
|
|
swprintf
|
|
tolower
|
|
towlower
|
|
toupper
|
|
towupper
|
|
vsprintf
|
|
wcscat
|
|
wcschr
|
|
wcscmp
|
|
wcscpy
|
|
wcscspn
|
|
wcslen
|
|
wcsncat
|
|
wcsncmp
|
|
wcsncpy
|
|
wcsrchr
|
|
wcsspn
|
|
wcsstr
|
|
wcstombs
|
|
wctomb
|
|
|
|
//
|
|
// Hack-o-rama to support the stupid ATI miniport driver.
|
|
// Get rid of these if we can someday.
|
|
//
|
|
atol
|
|
atoi
|
|
|
|
//
|
|
// Export Kernel Icecap probe functions so drivers can be traced
|
|
//
|
|
|
|
#ifdef _CAPKERN
|
|
#ifdef IA64
|
|
_CAP_Start_Profiling
|
|
_CAP_End_Profiling
|
|
#else
|
|
__CAP_Start_Profiling@8
|
|
__CAP_End_Profiling@4
|
|
CAP_Log_NInt
|
|
CAP_Log_NInt_Clothed
|
|
#endif
|
|
#endif
|
|
|
|
//
|
|
// Export CreateLiveDump function to use in videoprt.sys EA recovery
|
|
//
|
|
KeCapturePersistentThreadState
|
|
|