System Service Descriptor Table: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 08:27, 29 September 2015 edit 89.173.54.37 (talk) No edit summary ← Previous edit		Latest revision as of 22:44, 29 April 2024 edit undo GreenC bot (talk \| contribs) Bots 3,054,792 edits Move 1 url. Wayback Medic 2.5 per WP:URLREQ#symantec.com
(7 intermediate revisions by 7 users not shown)
Line 1: {{context\|date=August 2021}} The '''System Service Descriptor Table''' ('''SSDT''') is an internal [[dispatch table]] within [[Microsoft Windows]]. == Function == [[Hooking]] SSDT calls is often used as a technique in both Windows [[rootkit]]s and [[antivirus software]].<ref>{{Cite web\|url=http://www.symantec.com/connect/articles/windows-rootkits-2005-part-one\|title= Windows rootkits of 2005, part one\|work=Symantec\|year=2005}}</ref><ref name="ZDNET2010">{{Cite web\|url=http://www.zdnet.co.uk/news/security-threats/2010/05/11/attack-defeats-most-antivirus-software-40088896/ \|year=2010\|title=Attack defeats 'most' antivirus software\|work=ZD Net UK}}</ref> The SSDT maps syscalls to kernel function addresses. When a syscall is issued by a [[user space]] application, it contains the service index as parameter to indicate which syscall is called. The SSDT is then used to resolve the address of the corresponding function within ntoskrnl.exe. In modern Windows kernels, two SSDTs are used: One for generic routines (''KeServiceDescriptorTable'') and a second (''KeServiceDescriptorTableShadow'') for graphical routines. A parameter passed by the calling userspace application determines which SSDT shall be used. == Hooking == Modification of the SSDT allows to redirect syscalls to routines outside the kernel. These routines can be either used to hide the presence of software or to act as a backdoor to allow attackers permanent code execution with kernel privileges. For both reasons, [[hooking]] SSDT calls is often used as a technique in both Windows [[rootkit\|kernel mode rootkits]] and [[antivirus software]].<ref>{{Cite web\|url=https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a3624787-b8a3-42f6-b33a-3f30181c4ce6&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments\|title= Windows rootkits of 2005, part one\|work=Symantec\|year=2005}}</ref><ref name="ZDNET2010">{{Cite web\|url=https://www.zdnet.com/article/attack-defeats-most-antivirus-software/ \|year=2010\|title=Attack defeats 'most' antivirus software\|work=ZD Net UK}}</ref> In 2010, many computer security products which relied on hooking SSDT calls were shown to be vulnerable to [[Exploit (computer security)\|exploits]] using [[race condition]]s to attack the products' security checks.<ref name="ZDNET2010"/> == See also == * [[Windows API]] ~~==Structure of the SSDT==~~ * [[Native API]] ~~<source lang="cpp">~~ * [[Rootkit]] ~~typedef struct _KSERVICE_DESCRIPTOR_TABLE~~ { ~~PULONG ServiceTableBase;~~ ~~PULONG ServiceCounterTableBase;~~ ~~ULONG NumberOfServices;~~ ~~PUCHAR ParamTableBase;~~ ~~}KSERVICE_DESCRIPTOR_TABLE,*PKSERVICE_DESCRIPTOR_TABLE;~~ ~~</source>~~ ~~The pointer to this structure is '''KeServiceDescriptorTable''', exported by [[ntoskrnl.exe]].~~ ~~<source lang="asm">~~ ~~lkd> dds KiServiceTable l 191~~ ~~82ab8d9c 82cb4c28 nt!NtAcceptConnectPort~~ ~~82ab8da0 82afb40d nt!NtAccessCheck~~ ~~82ab8da4 82c44b68 nt!NtAccessCheckAndAuditAlarm~~ ~~82ab8da8 82a5f88a nt!NtAccessCheckByType~~ ~~82ab8dac 82cb64ff nt!NtAccessCheckByTypeAndAuditAlarm~~ ~~82ab8db0 82b383fa nt!NtAccessCheckByTypeResultList~~ ~~82ab8db4 82d26b05 nt!NtAccessCheckByTypeResultListAndAuditAlarm~~ ~~82ab8db8 82d26b4e nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle~~ ~~82ab8dbc 82c393bd nt!NtAddAtom~~ ~~82ab8dc0 82d40368 nt!NtAddBootEntry~~ ~~82ab8dc4 82d415c1 nt!NtAddDriverEntry~~ ~~82ab8dc8 82c2fb95 nt!NtAdjustGroupsToken~~ ~~82ab8dcc 82cc0b35 nt!NtAdjustPrivilegesToken~~ ~~82ab8dd0 82d19963 nt!NtAlertResumeThread~~ ~~82ab8dd4 82c6ca56 nt!NtAlertThread~~ ~~82ab8dd8 82c3c6cc nt!NtAllocateLocallyUniqueId~~ ~~82ab8ddc 82bd2928 nt!NtAllocateReserveObject~~ ~~82ab8de0 82d0b898 nt!NtAllocateUserPhysicalPages~~ ~~82ab8de4 82c2314e nt!NtAllocateUuids~~ ~~82ab8de8 82c65a62 nt!NtAllocateVirtualMemory~~ ~~82ab8dec 82cb1df1 nt!NtAlpcAcceptConnectPort~~ ~~82ab8df0 82c13238 nt!NtAlpcCancelMessage~~ ~~82ab8df4 82cb11fe nt!NtAlpcConnectPort~~ ~~82ab8df8 82c30c0c nt!NtAlpcCreatePort~~ ~~82ab8dfc 82cc25bc nt!NtAlpcCreatePortSection~~ ~~82ab8e00 82c3328f nt!NtAlpcCreateResourceReserve~~ ~~82ab8e04 82cc239c nt!NtAlpcCreateSectionView~~ ~~82ab8e08 82cbaafc nt!NtAlpcCreateSecurityContext~~ ~~82ab8e0c 82c450f0 nt!NtAlpcDeletePortSection~~ ~~82ab8e10 82d06657 nt!NtAlpcDeleteResourceReserve~~ ~~82ab8e14 82cb7ec9 nt!NtAlpcDeleteSectionView~~ ~~82ab8e18 82cc27ee nt!NtAlpcDeleteSecurityContext~~ ~~82ab8e1c 82c9b1fc nt!NtAlpcDisconnectPort~~ ~~82ab8e20 82cb5f2e nt!NtAlpcImpersonateClientOfPort~~ ~~82ab8e24 82c47d15 nt!NtAlpcOpenSenderProcess~~ ~~82ab8e28 82c3bcf3 nt!NtAlpcOpenSenderThread~~ ~~82ab8e2c 82c2db70 nt!NtAlpcQueryInformation~~ ~~82ab8e30 82c9ba83 nt!NtAlpcQueryInformationMessage~~ ~~82ab8e34 82d0677f nt!NtAlpcRevokeSecurityContext~~ ~~82ab8e38 82c8df0a nt!NtAlpcSendWaitReceivePort~~ ~~82ab8e3c 82c3b702 nt!NtAlpcSetInformation~~ ~~82ab8e40 82c4d21b nt!NtApphelpCacheControl~~ ~~82ab8e44 82c090e3 nt!NtAreMappedFilesTheSame~~ ~~82ab8e48 82c3aed1 nt!NtAssignProcessToJobObject~~ ~~82ab8e4c 82ab98bc nt!NtCallbackReturn~~ ~~82ab8e50 82c045c3 nt!NtCancelIoFile~~ ~~82ab8e54 82c38ce7 nt!NtCancelIoFileEx~~ ~~82ab8e58 82cf2fb0 nt!NtCancelSynchronousIoFile~~ ~~82ab8e5c 82a65d56 nt!NtCancelTimer~~ ~~82ab8e60 82c67b5f nt!NtClearEvent~~ ~~82ab8e64 82c8037a nt!NtClose~~ ~~82ab8e68 82cb642e nt!NtCloseObjectAuditAlarm~~ ~~82ab8e6c 82d2e412 nt!NtCommitComplete~~ ~~82ab8e70 82d2e132 nt!NtCommitEnlistment~~ ~~82ab8e74 82c0f9b9 nt!NtCommitTransaction~~ ~~82ab8e78 82cd8013 nt!NtCompactKeys~~ ~~82ab8e7c 82c36c9d nt!NtCompareTokens~~ ~~82ab8e80 82c3bce9 nt!NtCompleteConnectPort~~ ~~82ab8e84 82cd827f nt!NtCompressKey~~ ~~82ab8e88 82cb3d09 nt!NtConnectPort~~ ~~82ab8e8c 82a7bd0c nt!NtContinue~~ ~~82ab8e90 82ce8c79 nt!NtCreateDebugObject~~ ~~82ab8e94 82c3e505 nt!NtCreateDirectoryObject~~ ~~82ab8e98 82be0a55 nt!NtCreateEnlistment~~ ~~82ab8e9c 82c7c671 nt!NtCreateEvent~~ ~~82ab8ea0 82d46068 nt!NtCreateEventPair~~ ~~82ab8ea4 82c8b1e4 nt!NtCreateFile~~ ~~82ab8ea8 82c96667 nt!NtCreateIoCompletion~~ ~~82ab8eac 82c2d977 nt!NtCreateJobObject~~ ~~82ab8eb0 82d1b6de nt!NtCreateJobSet~~ ~~82ab8eb4 82c3ce2a nt!NtCreateKey~~ ~~82ab8eb8 82c4bd1e nt!NtCreateKeyedEvent~~ ~~82ab8ebc 82c0da36 nt!NtCreateKeyTransacted~~ ~~82ab8ec0 82c4132f nt!NtCreateMailslotFile~~ ~~82ab8ec4 82c4c196 nt!NtCreateMutant~~ ~~82ab8ec8 82cbc4f9 nt!NtCreateNamedPipeFile~~ ~~82ab8ecc 82bc8406 nt!NtCreatePagingFile~~ ~~82ab8ed0 82c2d75f nt!NtCreatePort~~ ~~82ab8ed4 82c0f57f nt!NtCreatePrivateNamespace~~ ~~82ab8ed8 82d17df9 nt!NtCreateProcess~~ ~~82ab8edc 82d17e44 nt!NtCreateProcessEx~~ ~~82ab8ee0 82d46afb nt!NtCreateProfile~~ ~~82ab8ee4 82d46ac1 nt!NtCreateProfileEx~~ ~~82ab8ee8 82be335f nt!NtCreateResourceManager~~ ~~82ab8eec 82c5ef2b nt!NtCreateSection~~ ~~82ab8ef0 82c4198d nt!NtCreateSemaphore~~ ~~82ab8ef4 82c3d7f5 nt!NtCreateSymbolicLinkObject~~ ~~82ab8ef8 82d17c02 nt!NtCreateThread~~ ~~82ab8efc 82cac124 nt!NtCreateThreadEx~~ ~~82ab8f00 82c3a304 nt!NtCreateTimer~~ ~~82ab8f04 82c40ac8 nt!NtCreateToken~~ ~~82ab8f08 82c0be62 nt!NtCreateTransaction~~ ~~82ab8f0c 82be316b nt!NtCreateTransactionManager~~ ~~82ab8f10 82caa056 nt!NtCreateUserProcess~~ ~~82ab8f14 82be0134 nt!NtCreateWaitablePort~~ ~~82ab8f18 82c4bf39 nt!NtCreateWorkerFactory~~ ~~82ab8f1c 82ce9b36 nt!NtDebugActiveProcess~~ ~~82ab8f20 82cea1f3 nt!NtDebugContinue~~ ~~82ab8f24 82c6496f nt!NtDelayExecution~~ ~~82ab8f28 82c2807b nt!NtDeleteAtom~~ ~~82ab8f2c 82d4039b nt!NtDeleteBootEntry~~ ~~82ab8f30 82d415f3 nt!NtDeleteDriverEntry~~ ~~82ab8f34 82bd46ad nt!NtDeleteFile~~ ~~82ab8f38 82c27911 nt!NtDeleteKey~~ ~~82ab8f3c 82cc69df nt!NtDeleteObjectAuditAlarm~~ ~~82ab8f40 82ccf6f6 nt!NtDeletePrivateNamespace~~ ~~82ab8f44 82c19328 nt!NtDeleteValueKey~~ ~~82ab8f48 82caf3ca nt!NtDeviceIoControlFile~~ ~~82ab8f4c 82d034da nt!NtDisableLastKnownGood~~ ~~82ab8f50 82d3e5ef nt!NtDisplayString~~ ~~82ab8f54 82b4f259 nt!NtDrawText~~ ~~82ab8f58 82c6d4f0 nt!NtDuplicateObject~~ ~~82ab8f5c 82ca7974 nt!NtDuplicateToken~~ ~~82ab8f60 82d035bb nt!NtEnableLastKnownGood~~ ~~82ab8f64 82d4059d nt!NtEnumerateBootEntries~~ ~~82ab8f68 82d417f3 nt!NtEnumerateDriverEntries~~ ~~82ab8f6c 82ca2a59 nt!NtEnumerateKey~~ ~~82ab8f70 82d4017b nt!NtEnumerateSystemEnvironmentValuesEx~~ ~~82ab8f74 82d2ef4c nt!NtEnumerateTransactionObject~~ ~~82ab8f78 82ca4ebf nt!NtEnumerateValueKey~~ ~~82ab8f7c 82d09a0f nt!NtExtendSection~~ ~~82ab8f80 82c20d81 nt!NtFilterToken~~ ~~82ab8f84 82c2c8ff nt!NtFindAtom~~ ~~82ab8f88 82c44117 nt!NtFlushBuffersFile~~ ~~82ab8f8c 82bd090f nt!NtFlushInstallUILanguage~~ ~~82ab8f90 82c3b4c2 nt!NtFlushInstructionCache~~ ~~82ab8f94 82c1a9cd nt!NtFlushKey~~ ~~82ab8f98 82a601b1 nt!NtFlushProcessWriteBuffers~~ ~~82ab8f9c 82c16130 nt!NtFlushVirtualMemory~~ ~~82ab8fa0 82d0c9b7 nt!NtFlushWriteBuffer~~ ~~82ab8fa4 82d0c039 nt!NtFreeUserPhysicalPages~~ ~~82ab8fa8 82af44db nt!NtFreeVirtualMemory~~ ~~82ab8fac 82b0e6fc nt!NtFreezeRegistry~~ ~~82ab8fb0 82d2f39a nt!NtFreezeTransactions~~ ~~82ab8fb4 82c916a2 nt!NtFsControlFile~~ ~~82ab8fb8 82cd0dc1 nt!NtGetContextThread~~ ~~82ab8fbc 82cd0d56 nt!NtGetCurrentProcessorNumber~~ ~~82ab8fc0 82d14e37 nt!NtGetDevicePowerState~~ ~~82ab8fc4 82c4cdaf nt!NtGetMUIRegistryInfo~~ ~~82ab8fc8 82d19b54 nt!NtGetNextProcess~~ ~~82ab8fcc 82cc8c0a nt!NtGetNextThread~~ ~~82ab8fd0 82c155c6 nt!NtGetNlsSectionPtr~~ ~~82ab8fd4 82d2f4f4 nt!NtGetNotificationResourceManager~~ ~~82ab8fd8 82bfae67 nt!NtGetPlugPlayEvent~~ ~~82ab8fdc 82b255c7 nt!NtGetWriteWatch~~ ~~82ab8fe0 82c317ca nt!NtImpersonateAnonymousToken~~ ~~82ab8fe4 82d057a1 nt!NtImpersonateClientOfPort~~ ~~82ab8fe8 82cb55fc nt!NtImpersonateThread~~ ~~82ab8fec 82c97f0d nt!NtInitializeNlsFiles~~ ~~82ab8ff0 82bd41ca nt!NtInitializeRegistry~~ ~~82ab8ff4 82ccb5c3 nt!NtInitiatePowerAction~~ ~~82ab8ff8 82ccccdd nt!NtIsProcessInJob~~ ~~82ab8ffc 82d14e1e nt!NtIsSystemResumeAutomatic~~ ~~82ab9000 82bcede9 nt!NtIsUILanguageComitted~~ ~~82ab9004 82bcbc75 nt!NtListenPort~~ ~~82ab9008 82c01b78 nt!NtLoadDriver~~ ~~82ab900c 82bcd426 nt!NtLoadKey~~ ~~82ab9010 82bbaa1c nt!NtLoadKey2~~ ~~82ab9014 82bdde72 nt!NtLoadKeyEx~~ ~~82ab9018 82c3f32b nt!NtLockFile~~ ~~82ab901c 82bb4026 nt!NtLockProductActivationKeys~~ ~~82ab9020 82baf6d5 nt!NtLockRegistryKey~~ ~~82ab9024 82a5f191 nt!NtLockVirtualMemory~~ ~~82ab9028 82c021b1 nt!NtMakePermanentObject~~ ~~82ab902c 82c47851 nt!NtMakeTemporaryObject~~ ~~82ab9030 82c4c35b nt!NtMapCMFModule~~ ~~82ab9034 82d0ab57 nt!NtMapUserPhysicalPages~~ ~~82ab9038 82d0b12d nt!NtMapUserPhysicalPagesScatter~~ ~~82ab903c 82c82394 nt!NtMapViewOfSection~~ ~~82ab9040 82d4056c nt!NtModifyBootEntry~~ ~~82ab9044 82d417c4 nt!NtModifyDriverEntry~~ ~~82ab9048 82c31db6 nt!NtNotifyChangeDirectoryFile~~ ~~82ab904c 82c35e17 nt!NtNotifyChangeKey~~ ~~82ab9050 82c34f39 nt!NtNotifyChangeMultipleKeys~~ ~~82ab9054 82bfbd6b nt!NtNotifyChangeSession~~ ~~82ab9058 82c7e584 nt!NtOpenDirectoryObject~~ ~~82ab905c 82d2d995 nt!NtOpenEnlistment~~ ~~82ab9060 82c4bb92 nt!NtOpenEvent~~ ~~82ab9064 82d46169 nt!NtOpenEventPair~~ ~~82ab9068 82c6db10 nt!NtOpenFile~~ ~~82ab906c 82cf2ca5 nt!NtOpenIoCompletion~~ ~~82ab9070 82d1b057 nt!NtOpenJobObject~~ ~~82ab9074 82c87642 nt!NtOpenKey~~ ~~82ab9078 82c4badd nt!NtOpenKeyEx~~ ~~82ab907c 82d4649f nt!NtOpenKeyedEvent~~ ~~82ab9080 82c0b169 nt!NtOpenKeyTransacted~~ ~~82ab9084 82c0b0f9 nt!NtOpenKeyTransactedEx~~ ~~82ab9088 82c9d0e2 nt!NtOpenMutant~~ ~~82ab908c 82c144b2 nt!NtOpenObjectAuditAlarm~~ ~~82ab9090 82c15f07 nt!NtOpenPrivateNamespace~~ ~~82ab9094 82c4d9dc nt!NtOpenProcess~~ ~~82ab9098 82c9ffff nt!NtOpenProcessToken~~ ~~82ab909c 82c8db37 nt!NtOpenProcessTokenEx~~ ~~82ab90a0 82bb90c7 nt!NtOpenResourceManager~~ ~~82ab90a4 82ca5674 nt!NtOpenSection~~ ~~82ab90a8 82c210c6 nt!NtOpenSemaphore~~ ~~82ab90ac 82cc2977 nt!NtOpenSession~~ ~~82ab90b0 82c89b6f nt!NtOpenSymbolicLinkObject~~ ~~82ab90b4 82c99d87 nt!NtOpenThread~~ ~~82ab90b8 82cb42e4 nt!NtOpenThreadToken~~ ~~82ab90bc 82c8dc4e nt!NtOpenThreadTokenEx~~ ~~82ab90c0 82d45e0f nt!NtOpenTimer~~ ~~82ab90c4 82d2e6f1 nt!NtOpenTransaction~~ ~~82ab90c8 82d2f989 nt!NtOpenTransactionManager~~ ~~82ab90cc 82c1f506 nt!NtPlugPlayControl~~ ~~82ab90d0 82c7c970 nt!NtPowerInformation~~ ~~82ab90d4 82d2e2a2 nt!NtPrepareComplete~~ ~~82ab90d8 82d2dfc2 nt!NtPrepareEnlistment~~ ~~82ab90dc 82d2e35a nt!NtPrePrepareComplete~~ ~~82ab90e0 82d2e07a nt!NtPrePrepareEnlistment~~ ~~82ab90e4 82c3293f nt!NtPrivilegeCheck~~ ~~82ab90e8 82c01f60 nt!NtPrivilegedServiceAuditAlarm~~ ~~82ab90ec 82c1ca51 nt!NtPrivilegeObjectAuditAlarm~~ ~~82ab90f0 82d300e4 nt!NtPropagationComplete~~ ~~82ab90f4 82d301aa nt!NtPropagationFailed~~ ~~82ab90f8 82c7e403 nt!NtProtectVirtualMemory~~ ~~82ab90fc 82ccf5a7 nt!NtPulseEvent~~ ~~82ab9100 82c939a1 nt!NtQueryAttributesFile~~ ~~82ab9104 82d40a3e nt!NtQueryBootEntryOrder~~ ~~82ab9108 82d40e83 nt!NtQueryBootOptions~~ ~~82ab910c 82afed34 nt!NtQueryDebugFilterState~~ ~~82ab9110 82cb2b8c nt!NtQueryDefaultLocale~~ ~~82ab9114 82bdef5c nt!NtQueryDefaultUILanguage~~ ~~82ab9118 82c6fd11 nt!NtQueryDirectoryFile~~ ~~82ab911c 82c949f0 nt!NtQueryDirectoryObject~~ ~~82ab9120 82d41381 nt!NtQueryDriverEntryOrder~~ ~~82ab9124 82bcdb4a nt!NtQueryEaFile~~ ~~82ab9128 82c3681e nt!NtQueryEvent~~ ~~82ab912c 82cbc5d5 nt!NtQueryFullAttributesFile~~ ~~82ab9130 82c2824c nt!NtQueryInformationAtom~~ ~~82ab9134 82d2dba2 nt!NtQueryInformationEnlistment~~ ~~82ab9138 82c916d5 nt!NtQueryInformationFile~~ ~~82ab913c 82cc80ff nt!NtQueryInformationJobObject~~ ~~82ab9140 82d057d4 nt!NtQueryInformationPort~~ ~~82ab9144 82c72644 nt!NtQueryInformationProcess~~ ~~82ab9148 82d2f5fe nt!NtQueryInformationResourceManager~~ ~~82ab914c 82c98d6d nt!NtQueryInformationThread~~ ~~82ab9150 82c8e06e nt!NtQueryInformationToken~~ ~~82ab9154 82d2e8e4 nt!NtQueryInformationTransaction~~ ~~82ab9158 82bb8bcf nt!NtQueryInformationTransactionManager~~ ~~82ab915c 82b4fe81 nt!NtQueryInformationWorkerFactory~~ ~~82ab9160 82c1ac3f nt!NtQueryInstallUILanguage~~ ~~82ab9164 82d46e6b nt!NtQueryIntervalProfile~~ ~~82ab9168 82cf2d68 nt!NtQueryIoCompletion~~ ~~82ab916c 82c87cae nt!NtQueryKey~~ ~~82ab9170 82c3de8d nt!NtQueryLicenseValue~~ ~~82ab9174 82c1ccc0 nt!NtQueryMultipleValueKey~~ ~~82ab9178 82d4657c nt!NtQueryMutant~~ ~~82ab917c 82c3ced6 nt!NtQueryObject~~ ~~82ab9180 82cd7b05 nt!NtQueryOpenSubKeys~~ ~~82ab9184 82cc5df8 nt!NtQueryOpenSubKeysEx~~ ~~82ab9188 82c4c277 nt!NtQueryPerformanceCounter~~ ~~82ab918c 82d182c4 nt!NtQueryPortInformationProcess~~ ~~82ab9190 82cf4349 nt!NtQueryQuotaInformationFile~~ ~~82ab9194 82cb29e6 nt!NtQuerySection~~ ~~82ab9198 82c322d0 nt!NtQuerySecurityAttributesToken~~ ~~82ab919c 82c35e4c nt!NtQuerySecurityObject~~ ~~82ab91a0 82d3f3fc nt!NtQuerySemaphore~~ ~~82ab91a4 82c89c15 nt!NtQuerySymbolicLinkObject~~ ~~82ab91a8 82d3f5d3 nt!NtQuerySystemEnvironmentValue~~ ~~82ab91ac 82d3fbc7 nt!NtQuerySystemEnvironmentValueEx~~ ~~82ab91b0 82c6bcd4 nt!NtQuerySystemInformation~~ ~~82ab91b4 82ca4ddd nt!NtQuerySystemInformationEx~~ ~~82ab91b8 82cb2af7 nt!NtQuerySystemTime~~ ~~82ab91bc 82d45ece nt!NtQueryTimer~~ ~~82ab91c0 82c28729 nt!NtQueryTimerResolution~~ ~~82ab91c4 82c86405 nt!NtQueryValueKey~~ ~~82ab91c8 82c976a7 nt!NtQueryVirtualMemory~~ ~~82ab91cc 82c922c8 nt!NtQueryVolumeInformationFile~~ ~~82ab91d0 82c37caa nt!NtQueueApcThread~~ ~~82ab91d4 82c33e67 nt!NtQueueApcThreadEx~~ ~~82ab91d8 82a7bd54 nt!NtRaiseException~~ ~~82ab91dc 82c130a3 nt!NtRaiseHardError~~ ~~82ab91e0 82c9dc8c nt!NtReadFile~~ ~~82ab91e4 82bd36a7 nt!NtReadFileScatter~~ ~~82ab91e8 82d2e580 nt!NtReadOnlyEnlistment~~ ~~82ab91ec 82d058b9 nt!NtReadRequestData~~ ~~82ab91f0 82c9b82c nt!NtReadVirtualMemory~~ ~~82ab91f4 82d2db46 nt!NtRecoverEnlistment~~ ~~82ab91f8 82be388c nt!NtRecoverResourceManager~~ ~~82ab91fc 82be5128 nt!NtRecoverTransactionManager~~ ~~82ab9200 82d2ff38 nt!NtRegisterProtocolAddressInformation~~ ~~82ab9204 82d1909c nt!NtRegisterThreadTerminatePort~~ ~~82ab9208 82c6c0ed nt!NtReleaseKeyedEvent~~ ~~82ab920c 82c64873 nt!NtReleaseMutant~~ ~~82ab9210 82c4eb6a nt!NtReleaseSemaphore~~ ~~82ab9214 82abec28 nt!NtReleaseWorkerFactoryWorker~~ ~~82ab9218 82c41a8e nt!NtRemoveIoCompletion~~ ~~82ab921c 82c3ca8e nt!NtRemoveIoCompletionEx~~ ~~82ab9220 82ce9c81 nt!NtRemoveProcessDebug~~ ~~82ab9224 82cd7d4b nt!NtRenameKey~~ ~~82ab9228 82d2fbd4 nt!NtRenameTransactionManager~~ ~~82ab922c 82cd7898 nt!NtReplaceKey~~ ~~82ab9230 82b173d3 nt!NtReplacePartitionUnit~~ ~~82ab9234 82c2ca3d nt!NtReplyPort~~ ~~82ab9238 82c745e2 nt!NtReplyWaitReceivePort~~ ~~82ab923c 82c74165 nt!NtReplyWaitReceivePortEx~~ ~~82ab9240 82d05a85 nt!NtReplyWaitReplyPort~~ ~~82ab9244 82cbc435 nt!NtRequestPort~~ ~~82ab9248 82c798d9 nt!NtRequestWaitReplyPort~~ ~~82ab924c 82c17ec3 nt!NtResetEvent~~ ~~82ab9250 82b25c18 nt!NtResetWriteWatch~~ ~~82ab9254 82ccd904 nt!NtRestoreKey~~ ~~82ab9258 82d198fd nt!NtResumeProcess~~ ~~82ab925c 82cac34b nt!NtResumeThread~~ ~~82ab9260 82d2e636 nt!NtRollbackComplete~~ ~~82ab9264 82d2e1ea nt!NtRollbackEnlistment~~ ~~82ab9268 82be1c7c nt!NtRollbackTransaction~~ ~~82ab926c 82d2fd36 nt!NtRollforwardTransactionManager~~ ~~82ab9270 82ccf176 nt!NtSaveKey~~ ~~82ab9274 82cce91c nt!NtSaveKeyEx~~ ~~82ab9278 82cd6bbb nt!NtSaveMergedKeys~~ ~~82ab927c 82c99dbc nt!NtSecureConnectPort~~ ~~82ab9280 82bc6f07 nt!NtSerializeBoot~~ ~~82ab9284 82d40c7f nt!NtSetBootEntryOrder~~ ~~82ab9288 82d4116b nt!NtSetBootOptions~~ ~~82ab928c 82d18cff nt!NtSetContextThread~~ ~~82ab9290 82bac9bd nt!NtSetDebugFilterState~~ ~~82ab9294 82bca895 nt!NtSetDefaultHardErrorPort~~ ~~82ab9298 82bdece1 nt!NtSetDefaultLocale~~ ~~82ab929c 82bdf250 nt!NtSetDefaultUILanguage~~ ~~82ab92a0 82d41bf5 nt!NtSetDriverEntryOrder~~ ~~82ab92a4 82cf3dda nt!NtSetEaFile~~ ~~82ab92a8 82c656de nt!NtSetEvent~~ ~~82ab92ac 82d3f0b7 nt!NtSetEventBoostPriority~~ ~~82ab92b0 82d46435 nt!NtSetHighEventPair~~ ~~82ab92b4 82d46367 nt!NtSetHighWaitLowEventPair~~ ~~82ab92b8 82cea3b9 nt!NtSetInformationDebugObject~~ ~~82ab92bc 82d2ddea nt!NtSetInformationEnlistment~~ ~~82ab92c0 82c9275c nt!NtSetInformationFile~~ ~~82ab92c4 82c37cce nt!NtSetInformationJobObject~~ ~~82ab92c8 82cd73ad nt!NtSetInformationKey~~ ~~82ab92cc 82c44314 nt!NtSetInformationObject~~ ~~82ab92d0 82c74603 nt!NtSetInformationProcess~~ ~~82ab92d4 82d2f80c nt!NtSetInformationResourceManager~~ ~~82ab92d8 82ca5aaf nt!NtSetInformationThread~~ ~~82ab92dc 82c3f780 nt!NtSetInformationToken~~ ~~82ab92e0 82d2f146 nt!NtSetInformationTransaction~~ ~~82ab92e4 82d2fdfb nt!NtSetInformationTransactionManager~~ ~~82ab92e8 82ae8362 nt!NtSetInformationWorkerFactory~~ ~~82ab92ec 82d46e48 nt!NtSetIntervalProfile~~ ~~82ab92f0 82c1fb82 nt!NtSetIoCompletion~~ ~~82ab92f4 82cf2e8e nt!NtSetIoCompletionEx~~ ~~82ab92f8 82d1ad17 nt!NtSetLdtEntries~~ ~~82ab92fc 82d463d2 nt!NtSetLowEventPair~~ ~~82ab9300 82d462fc nt!NtSetLowWaitHighEventPair~~ ~~82ab9304 82cf495f nt!NtSetQuotaInformationFile~~ ~~82ab9308 82c3d626 nt!NtSetSecurityObject~~ ~~82ab930c 82d3f8cd nt!NtSetSystemEnvironmentValue~~ ~~82ab9310 82d3fedf nt!NtSetSystemEnvironmentValueEx~~ ~~82ab9314 82c8a0ee nt!NtSetSystemInformation~~ ~~82ab9318 82d5cd7a nt!NtSetSystemPowerState~~ ~~82ab931c 82ccbe70 nt!NtSetSystemTime~~ ~~82ab9320 82cd2b4d nt!NtSetThreadExecutionState~~ ~~82ab9324 82abed52 nt!NtSetTimer~~ ~~82ab9328 82ad14b9 nt!NtSetTimerEx~~ ~~82ab932c 82c2cb3e nt!NtSetTimerResolution~~ ~~82ab9330 82bce2d7 nt!NtSetUuidSeed~~ ~~82ab9334 82c46427 nt!NtSetValueKey~~ ~~82ab9338 82cf4979 nt!NtSetVolumeInformationFile~~ ~~82ab933c 82d3e5ad nt!NtShutdownSystem~~ ~~82ab9340 82c4e9b7 nt!NtShutdownWorkerFactory~~ ~~82ab9344 82b08701 nt!NtSignalAndWaitForSingleObject~~ ~~82ab9348 82d2e4ca nt!NtSinglePhaseReject~~ ~~82ab934c 82d46b84 nt!NtStartProfile~~ ~~82ab9350 82d46d7b nt!NtStopProfile~~ ~~82ab9354 82d1989f nt!NtSuspendProcess~~ ~~82ab9358 82cd0e2d nt!NtSuspendThread~~ ~~82ab935c 82cc1464 nt!NtSystemDebugControl~~ ~~82ab9360 82c2e36f nt!NtTerminateJobObject~~ ~~82ab9364 82c969bf nt!NtTerminateProcess~~ ~~82ab9368 82cb4334 nt!NtTerminateThread~~ ~~82ab936c 82cabafa nt!NtTestAlert~~ ~~82ab9370 82b0e75f nt!NtThawRegistry~~ ~~82ab9374 82d2f478 nt!NtThawTransactions~~ ~~82ab9378 82c8b9bb nt!NtTraceControl~~ ~~82ab937c 82b016a0 nt!NtTraceEvent~~ ~~82ab9380 82d41df9 nt!NtTranslateFilePath~~ ~~82ab9384 82d0574b nt!NtUmsThreadYield~~ ~~82ab9388 82cf51cf nt!NtUnloadDriver~~ ~~82ab938c 82cc4503 nt!NtUnloadKey~~ ~~82ab9390 82cc451d nt!NtUnloadKey2~~ ~~82ab9394 82cd6d53 nt!NtUnloadKeyEx~~ ~~82ab9398 82c41eaf nt!NtUnlockFile~~ ~~82ab939c 82a57b17 nt!NtUnlockVirtualMemory~~ ~~82ab93a0 82ca063a nt!NtUnmapViewOfSection~~ ~~82ab93a4 82d33769 nt!NtVdmControl~~ ~~82ab93a8 82ce9ed7 nt!NtWaitForDebugEvent~~ ~~82ab93ac 82c6be16 nt!NtWaitForKeyedEvent~~ ~~82ab93b0 82c64435 nt!NtWaitForMultipleObjects~~ ~~82ab93b4 82d0f904 nt!NtWaitForMultipleObjects32~~ ~~82ab93b8 82c63ae7 nt!NtWaitForSingleObject~~ ~~82ab93bc 82abe7b1 nt!NtWaitForWorkViaWorkerFactory~~ ~~82ab93c0 82d46293 nt!NtWaitHighEventPair~~ ~~82ab93c4 82d4622a nt!NtWaitLowEventPair~~ ~~82ab93c8 82af74b4 nt!NtWorkerFactoryWorkerReady~~ ~~82ab93cc 82caaf2b nt!NtWriteFile~~ ~~82ab93d0 82bdb2f7 nt!NtWriteFileGather~~ ~~82ab93d4 82d05926 nt!NtWriteRequestData~~ ~~82ab93d8 82c9b71c nt!NtWriteVirtualMemory~~ ~~82ab93dc 82a665c5 nt!NtYieldExecution~~ ~~</source>~~ == References == {{Reflist}} {{Windows-stub}} [[Category:Windows technology]] [[Category:Computer security]] ~~[[Category:Rootkits]]~~ [[Category:Windows NT kernel]] ~~[[Category:Data structures]]~~ [[Category:Windows rootkit techniques]]