Untitled

a guest
Nov 29th, 2013
  1. Log data
  2. Address Message
  3. OllyDbg v2.01
  4. Missing SYMSRV.DLL, Microsoft Symbol Server is deactivated
  5.  
  6. File 'C:\WINDOWS\NOTEPAD.EXE'
  7. New process (ID 00000D90) created
  8. 0100739D Main thread (ID 000005B4) created
  9. Debug string: AVRF: NOTEPAD.EXE: pid 0xD90: flags 0x0: application verifier enabled
  10. Debug string: DLL_PROCESS_VERIFIER
  11. Debug string: SIDE FSTATE length 0x8
  12. Debug string: DLL_PROCESS_VERIFIER.SEP: 0x1
  13. Debug string: DLL_PROCESS_VERIFIER.NtBase: 0x7C900000
  14. Debug string: DLL_PROCESS_VERIFIER.InitTls: 0x7C900000
  15. Debug string: FLT: LdrMapViewOfImage.ZwQueryVirtualMemory(): 0x0
  16. Debug string: FLT: LdrMapViewOfImage.FILE: \Device\HarddiskVolume1\WINDOWS\system32\ntdll.dll
  17. Debug string: FLT: LdrMapViewOfImage.ZwOpenFile(): 0x0
  18. Debug string: FLT: LdrMapViewOfImage.ZwCreateSection(): 0x0
  19. Debug string: FLT: LdrMapViewOfImage.ZwMapViewOfSection(): 0x40000003
  20. Debug string: DLL_PROCESS_VERIFIER.LdrMapViewOfImage: 0x40000003
  21. Debug string: DLL_PROCESS_VERIFIER.GenerateZwList: 0x0
  22. Debug string: DLL_PROCESS_VERIFIER.FindThreadLock: 0x7C97E20C
  23. Debug string: DLL_PROCESS_VERIFIER.ApiInitialize: 0x480010
  24. Debug string: DLL_PROCESS_VERIFIER.InitApi: 0x480010
  25. Debug string: DLL_INIT: 0x1
  26. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  27. Debug string: Fret): 0x89
  28. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  29. Debug string: Fret): 0x89
  30. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  31. Debug string: Fret): 0x89
  32. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  33. Debug string: Fret): 0x89
  34. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  35. Debug string: Fret): 0x89
  36. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  37. Debug string: Fret): 0x89
  38. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  39. Debug string: Fret): 0x89
  40. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  41. Debug string: Fret): 0x89
  42. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  43. Debug string: Fret): 0x77
  44. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  45. Debug string: Fret): 0x77
  46. Debug string: AVRF: verifier.dll provider initialized for NOTEPAD.EXE with flags 0x0
  47. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  48. Debug string: Fret): 0x77
  49. Debug string: RouteIp(pIp: 0x6F4C0, Handler: 0x10010087, TLS_PRE: 0x7C9132F0, GetTlsFrame(): 0x10030950)
  50. Debug string: Filter(NTID{Rva: 0xD7FE, Id: 0x9A, Name: ZwQueryInformationProcess}
  51. Debug string: Filter(pZw: 0x100100F0
  52. Debug string: NtQueryInformationProcess(ProcessHandle: 0xFFFFFFFF, ProcessInformationClass: 0x24)
  53. Debug string: Fret): 0x9A
  54. Debug string: pRtlDecodePointer exited.
  55. Debug string: Rload(Ip: 0x7C9132F0, GetTlsFrame(): 0x10030974)
  56. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  57. Debug string: Fret): 0xAD
  58. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  59. Debug string: Fret): 0xAD
  60. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  61. Debug string: Fret): 0x32
  62. Debug string: Filter(NTID{Rva: 0xDB7E, Id: 0xD2, Name: ZwSecureConnectPort}
  63. Debug string: Fret): 0xD2
  64. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  65. Debug string: Filter(pZw: 0x1001006E
  66. Debug string: NtClose(HANDLE: 0x10, OBJECT: (null))
  67. Debug string: Fret): 0x19
  68. Debug string: Filter(NTID{Rva: 0xD88E, Id: 0xA3, Name: ZwQueryObject}
  69. Debug string: Fret): 0xA3
  70. Debug string: Filter(NTID{Rva: 0xDC8E, Id: 0xE3, Name: ZwSetInformationObject}
  71. Debug string: Fret): 0xE3
  72. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  73. Debug string: Fret): 0xAD
  74. Debug string: Filter(NTID{Rva: 0xD97E, Id: 0xB2, Name: ZwQueryVirtualMemory}
  75. Debug string: Fret): 0xB2
  76. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  77. Debug string: Fret): 0x11
  78. Debug string: Filter(NTID{Rva: 0xDADE, Id: 0xC8, Name: ZwRequestWaitReplyPort}
  79. Debug string: Fret): 0xC8
  80. Debug string: Filter(NTID{Rva: 0xDA0E, Id: 0xBB, Name: ZwRegisterThreadTerminatePort}
  81. Debug string: Fret): 0xBB
  82. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  83. Debug string: Fret): 0x77
  84. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  85. Debug string: Fret): 0xB1
  86. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  87. Debug string: Filter(pZw: 0x1001006E
  88. Debug string: NtClose(HANDLE: 0x10, OBJECT: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server)
  89. Debug string: Fret): 0x19
  90. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  91. Debug string: Fret): 0x77
  92. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  93. Debug string: Fret): 0xB1
  94. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  95. Debug string: Filter(pZw: 0x1001006E
  96. Debug string: NtClose(HANDLE: 0x10, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe)
  97. Debug string: Fret): 0x19
  98. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  99. Debug string: Fret): 0x7D
  100. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  101. Debug string: Fret): 0xAD
  102. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  103. Debug string: Fret): 0x6C
  104. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  105. Debug string: Filter(pZw: 0x1001006E
  106. Debug string: NtClose(HANDLE: 0x10, OBJECT: \NLS\NlsSectionUnicode)
  107. Debug string: Fret): 0x19
  108. Debug string: Filter(NTID{Rva: 0xD74E, Id: 0x8F, Name: ZwQueryDefaultLocale}
  109. Debug string: Fret): 0x8F
  110. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  111. Debug string: Fret): 0x7D
  112. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  113. Debug string: Fret): 0xAD
  114. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  115. Debug string: Fret): 0x6C
  116. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  117. Debug string: Filter(pZw: 0x1001006E
  118. Debug string: NtClose(HANDLE: 0x10, OBJECT: \NLS\NlsSectionLocale)
  119. Debug string: Fret): 0x19
  120. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  121. Debug string: Fret): 0x7D
  122. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  123. Debug string: Fret): 0xAD
  124. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  125. Debug string: Fret): 0x6C
  126. Debug string: Filter(NTID{Rva: 0xD8CE, Id: 0xA7, Name: ZwQuerySection}
  127. Debug string: Fret): 0xA7
  128. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  129. Debug string: Filter(pZw: 0x1001006E
  130. Debug string: NtClose(HANDLE: 0x10, OBJECT: \NLS\NlsSectionSortkey)
  131. Debug string: Fret): 0x19
  132. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  133. Debug string: Fret): 0x7D
  134. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  135. Debug string: Fret): 0xAD
  136. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  137. Debug string: Fret): 0x6C
  138. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  139. Debug string: Filter(pZw: 0x1001006E
  140. Debug string: NtClose(HANDLE: 0x10, OBJECT: \NLS\NlsSectionSortTbls)
  141. Debug string: Fret): 0x19
  142. Debug string: Filter(NTID{Rva: 0xD97E, Id: 0xB2, Name: ZwQueryVirtualMemory}
  143. Debug string: Fret): 0xB2
  144. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  145. Debug string: Fret): 0x7D
  146. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  147. Debug string: Fret): 0x7D
  148. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  149. Debug string: Fret): 0x11
  150. Debug string: Filter(NTID{Rva: 0xDADE, Id: 0xC8, Name: ZwRequestWaitReplyPort}
  151. Debug string: Fret): 0xC8
  152. Debug string: Filter(NTID{Rva: 0xDADE, Id: 0xC8, Name: ZwRequestWaitReplyPort}
  153. Debug string: Fret): 0xC8
  154. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  155. Debug string: Fret): 0x77
  156. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  157. Debug string: Fret): 0x77
  158. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  159. Debug string: Fret): 0xAD
  160. Debug string: Filter(NTID{Rva: 0xDADE, Id: 0xC8, Name: ZwRequestWaitReplyPort}
  161. Debug string: Fret): 0xC8
  162. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  163. Debug string: Fret): 0x77
  164. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  165. Debug string: Fret): 0xB1
  166. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  167. Debug string: Filter(pZw: 0x1001006E
  168. Debug string: NtClose(HANDLE: 0x10, OBJECT: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Session Manager)
  169. Debug string: Fret): 0x19
  170. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  171. Debug string: Fret): 0x11
  172. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  173. Debug string: Fret): 0x8B
  174. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  175. Debug string: Fret): 0x74
  176. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  177. Debug string: Fret): 0x32
  178. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  179. Debug string: Filter(pZw: 0x1001006E
  180. Debug string: NtClose(HANDLE: 0x10, OBJECT: \Device\HarddiskVolume1\WINDOWS\system32\imm32.dll)
  181. Debug string: Fret): 0x19
  182. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  183. Debug string: Fret): 0x6C
  184. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  185. Debug string: Filter(pZw: 0x1001006E
  186. Debug string: NtClose(HANDLE: 0x1C, OBJECT: (null))
  187. Debug string: Fret): 0x19
  188. Debug string: Filter(NTID{Rva: 0xDF0E, Id: 0x10B, Name: ZwUnmapViewOfSection}
  189. Debug string: Fret): 0x10B
  190. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  191. Debug string: Fret): 0x8B
  192. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  193. Debug string: Fret): 0x74
  194. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  195. Debug string: Fret): 0x32
  196. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  197. Debug string: Filter(pZw: 0x1001006E
  198. Debug string: NtClose(HANDLE: 0x1C, OBJECT: \Device\HarddiskVolume1\WINDOWS\system32\imm32.dll)
  199. Debug string: Fret): 0x19
  200. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  201. Debug string: Fret): 0x6C
  202. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  203. Debug string: Filter(pZw: 0x1001006E
  204. Debug string: NtClose(HANDLE: 0x10, OBJECT: (null))
  205. Debug string: Fret): 0x19
  206. Debug string: Filter(NTID{Rva: 0xDF0E, Id: 0x10B, Name: ZwUnmapViewOfSection}
  207. Debug string: Fret): 0x10B
  208. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  209. Debug string: Fret): 0x11
  210. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  211. Debug string: Fret): 0x8B
  212. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  213. Debug string: Fret): 0x74
  214. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  215. Debug string: Fret): 0x32
  216. Debug string: Filter(NTID{Rva: 0xD8CE, Id: 0xA7, Name: ZwQuerySection}
  217. Debug string: Fret): 0xA7
  218. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  219. Debug string: Filter(pZw: 0x1001006E
  220. Debug string: NtClose(HANDLE: 0x10, OBJECT: \Device\HarddiskVolume1\WINDOWS\system32\imm32.dll)
  221. Debug string: Fret): 0x19
  222. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  223. Debug string: Fret): 0x6C
  224. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  225. Debug string: Filter(pZw: 0x1001006E
  226. Debug string: NtClose(HANDLE: 0x1C, OBJECT: (null))
  227. Debug string: Fret): 0x19
  228. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  229. Debug string: Fret): 0x7D
  230. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  231. Debug string: Fret): 0x6C
  232. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  233. Debug string: Filter(pZw: 0x1001006E
  234. Debug string: NtClose(HANDLE: 0x1C, OBJECT: \KnownDlls\advapi32.dll)
  235. Debug string: Fret): 0x19
  236. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  237. Debug string: Fret): 0x89
  238. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  239. Debug string: Fret): 0x89
  240. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  241. Debug string: Fret): 0x4E
  242. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  243. Debug string: Fret): 0x89
  244. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  245. Debug string: Fret): 0x89
  246. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  247. Debug string: Fret): 0x4E
  248. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  249. Debug string: Fret): 0x7D
  250. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  251. Debug string: Fret): 0x6C
  252. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  253. Debug string: Filter(pZw: 0x1001006E
  254. Debug string: NtClose(HANDLE: 0x1C, OBJECT: \KnownDlls\rpcrt4.dll)
  255. Debug string: Fret): 0x19
  256. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  257. Debug string: Fret): 0x89
  258. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  259. Debug string: Fret): 0x89
  260. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  261. Debug string: Fret): 0x4E
  262. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  263. Debug string: Fret): 0x89
  264. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  265. Debug string: Fret): 0x89
  266. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  267. Debug string: Fret): 0x4E
  268. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  269. Debug string: Fret): 0x89
  270. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  271. Debug string: Fret): 0x89
  272. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  273. Debug string: Fret): 0x4E
  274. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  275. Debug string: Fret): 0x7D
  276. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  277. Debug string: Fret): 0x6C
  278. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  279. Debug string: Filter(pZw: 0x1001006E
  280. Debug string: NtClose(HANDLE: 0x1C, OBJECT: \KnownDlls\Secur32.dll)
  281. Debug string: Fret): 0x19
  282. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  283. Debug string: Fret): 0x89
  284. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  285. Debug string: Fret): 0x89
  286. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  287. Debug string: Fret): 0x4E
  288. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  289. Debug string: Fret): 0x89
  290. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  291. Debug string: Fret): 0x89
  292. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  293. Debug string: Fret): 0x4E
  294. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  295. Debug string: Fret): 0x89
  296. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  297. Debug string: Fret): 0x89
  298. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  299. Debug string: Fret): 0x4E
  300. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  301. Debug string: Fret): 0x89
  302. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  303. Debug string: Fret): 0x89
  304. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  305. Debug string: Fret): 0x89
  306. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  307. Debug string: Fret): 0x89
  308. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  309. Debug string: Fret): 0x4E
  310. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  311. Debug string: Fret): 0x89
  312. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  313. Debug string: Fret): 0x89
  314. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  315. Debug string: Fret): 0x89
  316. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  317. Debug string: Fret): 0x89
  318. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  319. Debug string: Fret): 0x4E
  320. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  321. Debug string: Fret): 0x89
  322. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  323. Debug string: Fret): 0x89
  324. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  325. Debug string: Fret): 0x89
  326. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  327. Debug string: Fret): 0x89
  328. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  329. Debug string: Fret): 0x4E
  330. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  331. Debug string: Fret): 0x89
  332. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  333. Debug string: Fret): 0x89
  334. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  335. Debug string: Fret): 0x4E
  336. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  337. Debug string: Fret): 0x89
  338. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  339. Debug string: Fret): 0x89
  340. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  341. Debug string: Fret): 0x4E
  342. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  343. Debug string: Fret): 0x89
  344. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  345. Debug string: Fret): 0x89
  346. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  347. Debug string: Fret): 0x4E
  348. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  349. Debug string: Fret): 0x89
  350. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  351. Debug string: Fret): 0x89
  352. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  353. Debug string: Fret): 0x8B
  354. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  355. Debug string: Fret): 0x77
  356. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  357. Debug string: Fret): 0x77
  358. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  359. Debug string: Fret): 0xB1
  360. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  361. Debug string: Filter(pZw: 0x1001006E
  362. Debug string: NtClose(HANDLE: 0x1C, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize)
  363. Debug string: Fret): 0x19
  364. Debug string: Fret): 0x10F4
  365. Debug string: Fret): 0x1142
  366. Debug string: Fret): 0x101E
  367. Debug string: Fret): 0x10C8
  368. Debug string: Fret): 0x10C8
  369. Debug string: Fret): 0x1019
  370. Debug string: Fret): 0x102C
  371. Debug string: Fret): 0x10C8
  372. Debug string: Fret): 0x101E
  373. Debug string: Fret): 0x1101
  374. Debug string: Fret): 0x11B2
  375. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  376. Debug string: Fret): 0x77
  377. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  378. Debug string: Fret): 0xB1
  379. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  380. Debug string: Filter(pZw: 0x1001006E
  381. Debug string: NtClose(HANDLE: 0x28, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows)
  382. Debug string: Fret): 0x19
  383. Debug string: Fret): 0x1179
  384. Debug string: Fret): 0x11E8
  385. Debug string: Fret): 0x1179
  386. Debug string: Fret): 0x11E8
  387. Debug string: Fret): 0x1179
  388. Debug string: Fret): 0x11E8
  389. Debug string: Fret): 0x1179
  390. Debug string: Fret): 0x11E8
  391. Debug string: Fret): 0x1179
  392. Debug string: Fret): 0x11E8
  393. Debug string: Fret): 0x1179
  394. Debug string: Fret): 0x11E8
  395. Debug string: Fret): 0x1179
  396. Debug string: Fret): 0x11E8
  397. Debug string: Fret): 0x1179
  398. Debug string: Fret): 0x11E8
  399. Debug string: Fret): 0x1179
  400. Debug string: Fret): 0x11E8
  401. Debug string: Fret): 0x11E8
  402. Debug string: Fret): 0x11E8
  403. Debug string: Fret): 0x11E8
  404. Debug string: Fret): 0x11E8
  405. Debug string: Fret): 0x11E8
  406. Debug string: Filter(NTID{Rva: 0xCF9E, Id: 0x14, Name: ZwCallbackReturn}
  407. Debug string: Fret): 0x14
  408. Debug string: Fret): 0x10DC
  409. Debug string: Fret): 0x10C8
  410. Debug string: Fret): 0x10C8
  411. Debug string: Fret): 0x11E3
  412. Debug string: Fret): 0x11E3
  413. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  414. Debug string: Fret): 0x77
  415. Debug string: DLL_INIT: 0x1
  416. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  417. Debug string: Fret): 0x77
  418. Debug string: Filter(NTID{Rva: 0xD18E, Id: 0x33, Name: ZwCreateSemaphore}
  419. Debug string: Fret): 0x33
  420. Debug string: Filter(NTID{Rva: 0xD18E, Id: 0x33, Name: ZwCreateSemaphore}
  421. Debug string: Fret): 0x33
  422. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  423. Debug string: Fret): 0x77
  424. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  425. Debug string: Fret): 0x11
  426. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  427. Debug string: Fret): 0x77
  428. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  429. Debug string: Fret): 0x77
  430. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  431. Debug string: Fret): 0xB1
  432. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  433. Debug string: Filter(pZw: 0x1001006E
  434. Debug string: NtClose(HANDLE: 0x30, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon)
  435. Debug string: Fret): 0x19
  436. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  437. Debug string: Fret): 0x77
  438. Debug string: Filter(NTID{Rva: 0xDC8E, Id: 0xE3, Name: ZwSetInformationObject}
  439. Debug string: Fret): 0xE3
  440. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  441. Debug string: Fret): 0x77
  442. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  443. Debug string: Fret): 0x77
  444. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  445. Debug string: Fret): 0xAD
  446. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  447. Debug string: Fret): 0x7D
  448. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  449. Debug string: Fret): 0x6C
  450. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  451. Debug string: Filter(pZw: 0x1001006E
  452. Debug string: NtClose(HANDLE: 0x34, OBJECT: \KnownDlls\comdlg32.dll)
  453. Debug string: Fret): 0x19
  454. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  455. Debug string: Fret): 0x89
  456. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  457. Debug string: Fret): 0x89
  458. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  459. Debug string: Fret): 0x4E
  460. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  461. Debug string: Fret): 0x77
  462. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  463. Debug string: Fret): 0x8E
  464. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  465. Debug string: Fret): 0x8E
  466. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  467. Debug string: Fret): 0x8B
  468. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  469. Debug string: Fret): 0x8E
  470. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  471. Debug string: Fret): 0x8E
  472. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  473. Debug string: Fret): 0x8E
  474. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  475. Debug string: Fret): 0x8B
  476. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  477. Debug string: Fret): 0x74
  478. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  479. Debug string: Fret): 0x8E
  480. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  481. Debug string: Fret): 0x74
  482. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  483. Debug string: Fret): 0x32
  484. Debug string: Filter(NTID{Rva: 0xD8CE, Id: 0xA7, Name: ZwQuerySection}
  485. Debug string: Fret): 0xA7
  486. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  487. Debug string: Filter(pZw: 0x1001006E
  488. Debug string: NtClose(HANDLE: 0x38, OBJECT: \Device\HarddiskVolume1\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll)
  489. Debug string: Fret): 0x19
  490. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  491. Debug string: Fret): 0x6C
  492. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  493. Debug string: Filter(pZw: 0x1001006E
  494. Debug string: NtClose(HANDLE: 0x3C, OBJECT: (null))
  495. Debug string: Fret): 0x19
  496. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  497. Debug string: Fret): 0x7D
  498. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  499. Debug string: Fret): 0x6C
  500. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  501. Debug string: Filter(pZw: 0x1001006E
  502. Debug string: NtClose(HANDLE: 0x3C, OBJECT: \KnownDlls\msvcrt.dll)
  503. Debug string: Fret): 0x19
  504. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  505. Debug string: Fret): 0x89
  506. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  507. Debug string: Fret): 0x89
  508. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  509. Debug string: Fret): 0x4E
  510. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  511. Debug string: Fret): 0x89
  512. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  513. Debug string: Fret): 0x89
  514. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  515. Debug string: Fret): 0x4E
  516. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  517. Debug string: Fret): 0x89
  518. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  519. Debug string: Fret): 0x89
  520. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  521. Debug string: Fret): 0x89
  522. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  523. Debug string: Fret): 0x89
  524. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  525. Debug string: Fret): 0x4E
  526. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  527. Debug string: Fret): 0x89
  528. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  529. Debug string: Fret): 0x89
  530. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  531. Debug string: Fret): 0x4E
  532. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  533. Debug string: Fret): 0x89
  534. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  535. Debug string: Fret): 0x89
  536. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  537. Debug string: Fret): 0x4E
  538. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  539. Debug string: Fret): 0x89
  540. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  541. Debug string: Fret): 0x89
  542. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  543. Debug string: Fret): 0x4E
  544. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  545. Debug string: Fret): 0x89
  546. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  547. Debug string: Fret): 0x89
  548. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  549. Debug string: Fret): 0x4E
  550. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  551. Debug string: Fret): 0x7D
  552. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  553. Debug string: Fret): 0x6C
  554. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  555. Debug string: Filter(pZw: 0x1001006E
  556. Debug string: NtClose(HANDLE: 0x3C, OBJECT: \KnownDlls\SHLWAPI.dll)
  557. Debug string: Fret): 0x19
  558. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  559. Debug string: Fret): 0x89
  560. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  561. Debug string: Fret): 0x89
  562. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  563. Debug string: Fret): 0x4E
  564. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  565. Debug string: Fret): 0x89
  566. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  567. Debug string: Fret): 0x89
  568. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  569. Debug string: Fret): 0x4E
  570. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  571. Debug string: Fret): 0x89
  572. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  573. Debug string: Fret): 0x89
  574. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  575. Debug string: Fret): 0x4E
  576. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  577. Debug string: Fret): 0x89
  578. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  579. Debug string: Fret): 0x89
  580. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  581. Debug string: Fret): 0x4E
  582. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  583. Debug string: Fret): 0x89
  584. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  585. Debug string: Fret): 0x89
  586. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  587. Debug string: Fret): 0x4E
  588. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  589. Debug string: Fret): 0x89
  590. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  591. Debug string: Fret): 0x89
  592. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  593. Debug string: Fret): 0x89
  594. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  595. Debug string: Fret): 0x89
  596. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  597. Debug string: Fret): 0x4E
  598. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  599. Debug string: Fret): 0x89
  600. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  601. Debug string: Fret): 0x89
  602. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  603. Debug string: Fret): 0x4E
  604. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  605. Debug string: Fret): 0x89
  606. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  607. Debug string: Fret): 0x89
  608. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  609. Debug string: Fret): 0x89
  610. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  611. Debug string: Fret): 0x89
  612. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  613. Debug string: Fret): 0x4E
  614. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  615. Debug string: Fret): 0x89
  616. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  617. Debug string: Fret): 0x89
  618. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  619. Debug string: Fret): 0x4E
  620. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  621. Debug string: Fret): 0x89
  622. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  623. Debug string: Fret): 0x89
  624. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  625. Debug string: Fret): 0x4E
  626. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  627. Debug string: Fret): 0x89
  628. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  629. Debug string: Fret): 0x89
  630. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  631. Debug string: Fret): 0x4E
  632. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  633. Debug string: Fret): 0x7D
  634. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  635. Debug string: Fret): 0x6C
  636. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  637. Debug string: Filter(pZw: 0x1001006E
  638. Debug string: NtClose(HANDLE: 0x3C, OBJECT: \KnownDlls\shell32.dll)
  639. Debug string: Fret): 0x19
  640. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  641. Debug string: Fret): 0x89
  642. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  643. Debug string: Fret): 0x89
  644. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  645. Debug string: Fret): 0x4E
  646. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  647. Debug string: Fret): 0x89
  648. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  649. Debug string: Fret): 0x89
  650. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  651. Debug string: Fret): 0x4E
  652. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  653. Debug string: Fret): 0x89
  654. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  655. Debug string: Fret): 0x89
  656. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  657. Debug string: Fret): 0x4E
  658. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  659. Debug string: Fret): 0x89
  660. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  661. Debug string: Fret): 0x89
  662. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  663. Debug string: Fret): 0x4E
  664. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  665. Debug string: Fret): 0x89
  666. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  667. Debug string: Fret): 0x89
  668. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  669. Debug string: Fret): 0x4E
  670. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  671. Debug string: Fret): 0x89
  672. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  673. Debug string: Fret): 0x89
  674. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  675. Debug string: Fret): 0x4E
  676. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  677. Debug string: Fret): 0x89
  678. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  679. Debug string: Fret): 0x89
  680. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  681. Debug string: Fret): 0x4E
  682. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  683. Debug string: Fret): 0x89
  684. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  685. Debug string: Fret): 0x89
  686. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  687. Debug string: Fret): 0x4E
  688. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  689. Debug string: Fret): 0x89
  690. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  691. Debug string: Fret): 0x89
  692. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  693. Debug string: Fret): 0x89
  694. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  695. Debug string: Fret): 0x89
  696. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  697. Debug string: Fret): 0x4E
  698. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  699. Debug string: Fret): 0x89
  700. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  701. Debug string: Fret): 0x89
  702. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  703. Debug string: Fret): 0x4E
  704. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  705. Debug string: Fret): 0x89
  706. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  707. Debug string: Fret): 0x89
  708. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  709. Debug string: Fret): 0x89
  710. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  711. Debug string: Fret): 0x89
  712. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  713. Debug string: Fret): 0x4E
  714. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  715. Debug string: Fret): 0x11
  716. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  717. Debug string: Fret): 0x7D
  718. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  719. Debug string: Fret): 0x11
  720. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  721. Debug string: Fret): 0x8B
  722. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  723. Debug string: Fret): 0x8B
  724. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  725. Debug string: Fret): 0x74
  726. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  727. Debug string: Fret): 0x32
  728. Debug string: Filter(NTID{Rva: 0xD8CE, Id: 0xA7, Name: ZwQuerySection}
  729. Debug string: Fret): 0xA7
  730. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  731. Debug string: Filter(pZw: 0x1001006E
  732. Debug string: NtClose(HANDLE: 0x3C, OBJECT: \Device\HarddiskVolume1\WINDOWS\system32\winspool.drv)
  733. Debug string: Fret): 0x19
  734. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  735. Debug string: Fret): 0x6C
  736. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  737. Debug string: Filter(pZw: 0x1001006E
  738. Debug string: NtClose(HANDLE: 0x38, OBJECT: (null))
  739. Debug string: Fret): 0x19
  740. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  741. Debug string: Fret): 0x89
  742. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  743. Debug string: Fret): 0x89
  744. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  745. Debug string: Fret): 0x4E
  746. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  747. Debug string: Fret): 0x89
  748. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  749. Debug string: Fret): 0x89
  750. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  751. Debug string: Fret): 0x4E
  752. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  753. Debug string: Fret): 0x89
  754. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  755. Debug string: Fret): 0x89
  756. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  757. Debug string: Fret): 0x4E
  758. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  759. Debug string: Fret): 0x89
  760. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  761. Debug string: Fret): 0x89
  762. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  763. Debug string: Fret): 0x4E
  764. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  765. Debug string: Fret): 0x89
  766. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  767. Debug string: Fret): 0x89
  768. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  769. Debug string: Fret): 0x4E
  770. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  771. Debug string: Fret): 0x89
  772. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  773. Debug string: Fret): 0x89
  774. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  775. Debug string: Fret): 0x4E
  776. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  777. Debug string: Fret): 0x89
  778. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  779. Debug string: Fret): 0x89
  780. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  781. Debug string: Fret): 0x89
  782. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  783. Debug string: Fret): 0x89
  784. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  785. Debug string: Fret): 0x4E
  786. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  787. Debug string: Fret): 0x89
  788. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  789. Debug string: Fret): 0x89
  790. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  791. Debug string: Fret): 0x4E
  792. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  793. Debug string: Fret): 0x89
  794. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  795. Debug string: Fret): 0x89
  796. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  797. Debug string: Fret): 0x4E
  798. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  799. Debug string: Fret): 0x89
  800. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  801. Debug string: Fret): 0x89
  802. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  803. Debug string: Fret): 0x4E
  804. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  805. Debug string: Fret): 0x89
  806. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  807. Debug string: Fret): 0x89
  808. Debug string: Filter(NTID{Rva: 0xD33E, Id: 0x4E, Name: ZwFlushInstructionCache}
  809. Debug string: Fret): 0x4E
  810. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  811. Debug string: Fret): 0x89
  812. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  813. Debug string: Fret): 0x89
  814. 003B0000 Module <Mod_003B> (anonymous)
  815. 01000000 Module 'C:\WINDOWS\NOTEPAD.EXE'
  816. PDB file: 'C:\WINDOWS\symbols\EXE\notepad.pdb'
  817. 10000000 Module 'C:\WINDOWS\System32\Flt.dll'
  818. PDB file: 'E:\Nt\_icplib\______________LV\Arachne\Filter\Model\Flt.pdb'
  819. 5B1F0000 Module 'C:\WINDOWS\System32\verifier.dll'
  820. PDB file: 'C:\WINDOWS\symbols\dll\verifier.pdb'
  821. 72FC0000 Module 'C:\WINDOWS\system32\WINSPOOL.DRV'
  822. PDB file: 'C:\WINDOWS\symbols\DRV\winspool.pdb'
  823. 76360000 Module 'C:\WINDOWS\system32\IMM32.DLL'
  824. PDB file: 'C:\WINDOWS\symbols\DLL\imm32.pdb'
  825. 76380000 Module 'C:\WINDOWS\system32\comdlg32.dll'
  826. PDB file: 'C:\WINDOWS\symbols\dll\comdlg32.pdb'
  827. 773C0000 Module 'C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\COMCTL32.dll'
  828. 77C00000 Module 'C:\WINDOWS\system32\msvcrt.dll'
  829. PDB file: 'C:\WINDOWS\symbols\dll\msvcrt.pdb'
  830. 77DC0000 Module 'C:\WINDOWS\system32\ADVAPI32.dll'
  831. 77E70000 Module 'C:\WINDOWS\system32\RPCRT4.dll'
  832. Code sections '.text' and '.orpc' will be merged to a single memory block
  833. 77F10000 Module 'C:\WINDOWS\system32\GDI32.dll'
  834. 77F60000 Module 'C:\WINDOWS\system32\SHLWAPI.dll'
  835. 77FE0000 Module 'C:\WINDOWS\system32\Secur32.dll'
  836. 7C800000 Module 'C:\WINDOWS\system32\KERNEL32.dll'
  837. 7C900000 Module 'C:\WINDOWS\system32\ntdll.dll'
  838. PDB file: 'C:\Symbols\ntdll.pdb\CEFC0863B1F84130A11E0F54180CD21A2\ntdll.pdb'
  839. 7C9C0000 Module 'C:\WINDOWS\system32\SHELL32.dll'
  840. 7E360000 Module 'C:\WINDOWS\system32\USER32.dll'
  841. PDB file: 'C:\WINDOWS\symbols\dll\user32.pdb'
  842. Debug string: Filter(NTID{Rva: 0xDC9E, Id: 0xE4, Name: ZwSetInformationProcess}
  843. Debug string: Filter(pZw: 0x100100EB
  844. Debug string: NtSetInformationProcess(ProcessHandle: 0xFFFFFFFF, ProcessInformationClass: 0x22)
  845. Debug string: Fret): 0xE4
  846. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  847. Debug string: Fret): 0x77
  848. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  849. Debug string: Fret): 0xB1
  850. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  851. Debug string: Filter(pZw: 0x1001006E
  852. Debug string: NtClose(HANDLE: 0x38, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe)
  853. Debug string: Fret): 0x19
  854. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  855. Debug string: Fret): 0x77
  856. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  857. Debug string: Fret): 0xB1
  858. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  859. Debug string: Filter(pZw: 0x1001006E
  860. Debug string: NtClose(HANDLE: 0x38, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe)
  861. Debug string: Fret): 0x19
  862. Debug string: Filter(NTID{Rva: 0xD75E, Id: 0x90, Name: ZwQueryDefaultUILanguage}
  863. Debug string: Fret): 0x90
  864. Debug string: Filter(NTID{Rva: 0xD74E, Id: 0x8F, Name: ZwQueryDefaultLocale}
  865. Debug string: Fret): 0x8F
  866. Debug string: Filter(NTID{Rva: 0xD7FE, Id: 0x9A, Name: ZwQueryInformationProcess}
  867. Debug string: Filter(pZw: 0x100100F0
  868. Debug string: NtQueryInformationProcess(ProcessHandle: 0xFFFFFFFF, ProcessInformationClass: 0x25)
  869. Debug string: Fret): 0x9A
  870. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  871. Debug string: Fret): 0x77
  872. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  873. Debug string: Fret): 0x77
  874. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  875. Debug string: Fret): 0xAD
  876. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  877. Debug string: Fret): 0x11
  878. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  879. Debug string: Fret): 0x89
  880. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  881. Debug string: Fret): 0x89
  882. Debug string: Filter(NTID{Rva: 0xD8AE, Id: 0xA5, Name: ZwQueryPerformanceCounter}
  883. Debug string: Fret): 0xA5
  884. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  885. Debug string: Fret): 0xAD
  886. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  887. Debug string: Fret): 0x11
  888. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  889. Debug string: Fret): 0x11
  890. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  891. Debug string: Fret): 0x11
  892. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  893. Debug string: Fret): 0x11
  894. Debug string: Filter(NTID{Rva: 0xD62E, Id: 0x7D, Name: ZwOpenSection}
  895. Debug string: Fret): 0x7D
  896. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  897. Debug string: Fret): 0xAD
  898. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  899. Debug string: Fret): 0x6C
  900. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  901. Debug string: Filter(pZw: 0x1001006E
  902. Debug string: NtClose(HANDLE: 0x38, OBJECT: \NLS\NlsSectionCType)
  903. Debug string: Fret): 0x19
  904. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  905. Debug string: Fret): 0x11
  906. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  907. Debug string: Fret): 0x11
  908. Debug string: Filter(NTID{Rva: 0xD97E, Id: 0xB2, Name: ZwQueryVirtualMemory}
  909. Debug string: Fret): 0xB2
  910. Debug string: RouteIp(pIp: 0x6F6E8, Handler: 0x10010087, TLS_PRE: 0x7C9132F0, GetTlsFrame(): 0x10030950)
  911. Debug string: Filter(NTID{Rva: 0xD7FE, Id: 0x9A, Name: ZwQueryInformationProcess}
  912. Debug string: Filter(pZw: 0x100100F0
  913. Debug string: NtQueryInformationProcess(ProcessHandle: 0xFFFFFFFF, ProcessInformationClass: 0x24)
  914. Debug string: Fret): 0x9A
  915. Debug string: pRtlDecodePointer exited.
  916. Debug string: Rload(Ip: 0x7C9132F0, GetTlsFrame(): 0x10030974)
  917. Debug string: RouteIp(pIp: 0x6F6E8, Handler: 0x10010087, TLS_PRE: 0x7C9132F0, GetTlsFrame(): 0x10030950)
  918. Debug string: Filter(NTID{Rva: 0xD7FE, Id: 0x9A, Name: ZwQueryInformationProcess}
  919. Debug string: Filter(pZw: 0x100100F0
  920. Debug string: NtQueryInformationProcess(ProcessHandle: 0xFFFFFFFF, ProcessInformationClass: 0x24)
  921. Debug string: Fret): 0x9A
  922. Debug string: pRtlDecodePointer exited.
  923. Debug string: Rload(Ip: 0x7C9132F0, GetTlsFrame(): 0x10030974)
  924. Debug string: Filter(NTID{Rva: 0xD97E, Id: 0xB2, Name: ZwQueryVirtualMemory}
  925. Debug string: Fret): 0xB2
  926. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  927. Debug string: Fret): 0x77
  928. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  929. Debug string: Fret): 0x77
  930. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  931. Debug string: Fret): 0x77
  932. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  933. Debug string: Fret): 0x11
  934. Debug string: Filter(NTID{Rva: 0xD56E, Id: 0x71, Name: ZwOpenDirectoryObject}
  935. Debug string: Fret): 0x71
  936. Debug string: Filter(NTID{Rva: 0xD18E, Id: 0x33, Name: ZwCreateSemaphore}
  937. Debug string: Fret): 0x33
  938. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  939. Debug string: Fret): 0x77
  940. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  941. Debug string: Fret): 0x77
  942. Debug string: Filter(NTID{Rva: 0xCEDE, Id: 0x8, Name: ZwAddAtom}
  943. Debug string: Fret): 0x8
  944. Debug string: Filter(NTID{Rva: 0xD75E, Id: 0x90, Name: ZwQueryDefaultUILanguage}
  945. Debug string: Fret): 0x90
  946. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  947. Debug string: Fret): 0x8B
  948. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  949. Debug string: Fret): 0x11
  950. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  951. Debug string: Fret): 0x74
  952. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  953. Debug string: Fret): 0x32
  954. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  955. Debug string: Filter(pZw: 0x1001006E
  956. Debug string: NtClose(HANDLE: 0x40, OBJECT: \Device\HarddiskVolume1\WINDOWS\WindowsShell.Manifest)
  957. Debug string: Fret): 0x19
  958. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  959. Debug string: Fret): 0x6C
  960. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  961. Debug string: Filter(pZw: 0x1001006E
  962. Debug string: NtClose(HANDLE: 0x44, OBJECT: (null))
  963. Debug string: Fret): 0x19
  964. Debug string: Filter(NTID{Rva: 0xDF0E, Id: 0x10B, Name: ZwUnmapViewOfSection}
  965. Debug string: Fret): 0x10B
  966. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  967. Debug string: Fret): 0x8B
  968. Debug string: Filter(NTID{Rva: 0xD0AE, Id: 0x25, Name: ZwCreateFile}
  969. Debug string: Fret): 0x25
  970. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  971. Debug string: Fret): 0x32
  972. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  973. Debug string: Filter(pZw: 0x1001006E
  974. Debug string: NtClose(HANDLE: 0x44, OBJECT: \Device\HarddiskVolume1\WINDOWS\WindowsShell.Manifest)
  975. Debug string: Fret): 0x19
  976. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  977. Debug string: Fret): 0xAD
  978. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  979. Debug string: Fret): 0x6C
  980. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  981. Debug string: Filter(pZw: 0x1001006E
  982. Debug string: NtClose(HANDLE: 0x40, OBJECT: (null))
  983. Debug string: Fret): 0x19
  984. Debug string: Filter(NTID{Rva: 0xDF0E, Id: 0x10B, Name: ZwUnmapViewOfSection}
  985. Debug string: Fret): 0x10B
  986. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  987. Debug string: Fret): 0x74
  988. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  989. Debug string: Fret): 0x32
  990. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  991. Debug string: Fret): 0xAD
  992. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  993. Debug string: Fret): 0x6C
  994. Debug string: Filter(NTID{Rva: 0xD7CE, Id: 0x97, Name: ZwQueryInformationFile}
  995. Debug string: Fret): 0x97
  996. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  997. Debug string: Fret): 0x74
  998. Debug string: Filter(NTID{Rva: 0xDADE, Id: 0xC8, Name: ZwRequestWaitReplyPort}
  999. Debug string: Fret): 0xC8
  1000. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1001. Debug string: Filter(pZw: 0x1001006E
  1002. Debug string: NtClose(HANDLE: 0x40, OBJECT: \Device\HarddiskVolume1\WINDOWS\WindowsShell.Manifest)
  1003. Debug string: Fret): 0x19
  1004. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1005. Debug string: Filter(pZw: 0x1001006E
  1006. Debug string: NtClose(HANDLE: 0x44, OBJECT: (null))
  1007. Debug string: Fret): 0x19
  1008. Debug string: Filter(NTID{Rva: 0xDF0E, Id: 0x10B, Name: ZwUnmapViewOfSection}
  1009. Debug string: Fret): 0x10B
  1010. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1011. Debug string: Fret): 0x8E
  1012. Debug string: Fret): 0x11ED
  1013. Debug string: Fret): 0x122F
  1014. Debug string: Fret): 0x1191
  1015. Debug string: Fret): 0x1143
  1016. Debug string: Fret): 0x122F
  1017. Debug string: Fret): 0x122F
  1018. Debug string: Filter(NTID{Rva: 0xD67E, Id: 0x82, Name: ZwOpenThreadTokenEx}
  1019. Debug string: Fret): 0x82
  1020. Debug string: Filter(NTID{Rva: 0xD61E, Id: 0x7C, Name: ZwOpenProcessTokenEx}
  1021. Debug string: Fret): 0x7C
  1022. Debug string: Filter(NTID{Rva: 0xD81E, Id: 0x9C, Name: ZwQueryInformationToken}
  1023. Debug string: Fret): 0x9C
  1024. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1025. Debug string: Filter(pZw: 0x1001006E
  1026. Debug string: NtClose(HANDLE: 0x44, OBJECT: (null))
  1027. Debug string: Fret): 0x19
  1028. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1029. Debug string: Fret): 0x77
  1030. Debug string: Filter(NTID{Rva: 0xD60E, Id: 0x7B, Name: ZwOpenProcessToken}
  1031. Debug string: Fret): 0x7B
  1032. Debug string: Filter(NTID{Rva: 0xCE6E, Id: 0x1, Name: ZwAccessCheck}
  1033. Debug string: Fret): 0x1
  1034. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1035. Debug string: Filter(pZw: 0x1001006E
  1036. Debug string: NtClose(HANDLE: 0x40, OBJECT: (null))
  1037. Debug string: Fret): 0x19
  1038. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1039. Debug string: Fret): 0x77
  1040. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  1041. Debug string: Fret): 0xB1
  1042. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1043. Debug string: Filter(pZw: 0x1001006E
  1044. Debug string: NtClose(HANDLE: 0x40, OBJECT: \REGISTRY\USER\S-1-5-21-299502267-1972579041-1275210071-1003\Control Panel\Desktop)
  1045. Debug string: Fret): 0x19
  1046. Debug string: Fret): 0x122F
  1047. Debug string: Filter(NTID{Rva: 0xD60E, Id: 0x7B, Name: ZwOpenProcessToken}
  1048. Debug string: Fret): 0x7B
  1049. Debug string: Filter(NTID{Rva: 0xCE6E, Id: 0x1, Name: ZwAccessCheck}
  1050. Debug string: Fret): 0x1
  1051. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1052. Debug string: Filter(pZw: 0x1001006E
  1053. Debug string: NtClose(HANDLE: 0x40, OBJECT: (null))
  1054. Debug string: Fret): 0x19
  1055. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1056. Debug string: Fret): 0x77
  1057. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  1058. Debug string: Fret): 0xB1
  1059. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1060. Debug string: Filter(pZw: 0x1001006E
  1061. Debug string: NtClose(HANDLE: 0x40, OBJECT: \REGISTRY\USER\S-1-5-21-299502267-1972579041-1275210071-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced)
  1062. Debug string: Fret): 0x19
  1063. Debug string: Fret): 0x122F
  1064. Debug string: Fret): 0x122F
  1065. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1066. Debug string: Filter(pZw: 0x1001006E
  1067. Debug string: NtClose(HANDLE: 0x44, OBJECT: \REGISTRY\USER\S-1-5-21-299502267-1972579041-1275210071-1003)
  1068. Debug string: Fret): 0x19
  1069. Debug string: Fret): 0x122F
  1070. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1071. Debug string: Fret): 0x77
  1072. Debug string: Filter(NTID{Rva: 0xD2EE, Id: 0x49, Name: ZwEnumerateValueKey}
  1073. Debug string: Fret): 0x49
  1074. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1075. Debug string: Filter(pZw: 0x1001006E
  1076. Debug string: NtClose(HANDLE: 0x44, OBJECT: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\LanguagePack)
  1077. Debug string: Fret): 0x19
  1078. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1079. Debug string: Fret): 0x11
  1080. Debug string: Fret): 0x1179
  1081. Debug string: Fret): 0x11E8
  1082. Debug string: Fret): 0x11E8
  1083. Debug string: Fret): 0x1179
  1084. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1085. Debug string: Fret): 0x11
  1086. Debug string: Fret): 0x11E8
  1087. Debug string: Fret): 0x1179
  1088. Debug string: Fret): 0x11E8
  1089. Debug string: Fret): 0x1179
  1090. Debug string: Fret): 0x11E8
  1091. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1092. Debug string: Fret): 0x11
  1093. Debug string: Fret): 0x11E8
  1094. Debug string: Fret): 0x1179
  1095. Debug string: Fret): 0x11E8
  1096. Debug string: Fret): 0x1179
  1097. Debug string: Fret): 0x11E8
  1098. Debug string: Fret): 0x1179
  1099. Debug string: Fret): 0x11E8
  1100. Debug string: Fret): 0x1179
  1101. Debug string: Fret): 0x11E8
  1102. Debug string: Fret): 0x1179
  1103. Debug string: Fret): 0x11E8
  1104. Debug string: Fret): 0x11E8
  1105. Debug string: Fret): 0x1179
  1106. Debug string: Fret): 0x11E8
  1107. Debug string: Fret): 0x1179
  1108. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1109. Debug string: Fret): 0x11
  1110. Debug string: Fret): 0x11E8
  1111. Debug string: Fret): 0x1179
  1112. Debug string: Fret): 0x11E8
  1113. Debug string: Fret): 0x1179
  1114. Debug string: Fret): 0x11E8
  1115. Debug string: Fret): 0x1179
  1116. Debug string: Fret): 0x11E8
  1117. Debug string: Fret): 0x1179
  1118. Debug string: Fret): 0x11E8
  1119. Debug string: Fret): 0x1179
  1120. Debug string: Fret): 0x11E8
  1121. Debug string: Fret): 0x1179
  1122. Debug string: Fret): 0x11E8
  1123. Debug string: Fret): 0x1179
  1124. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1125. Debug string: Fret): 0x11
  1126. Debug string: Fret): 0x11E8
  1127. Debug string: Fret): 0x1179
  1128. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1129. Debug string: Fret): 0x11
  1130. Debug string: Fret): 0x11E8
  1131. Debug string: Fret): 0x1179
  1132. Debug string: Fret): 0x11E8
  1133. Debug string: Fret): 0x1179
  1134. Debug string: Fret): 0x11E8
  1135. Debug string: Fret): 0x1179
  1136. Debug string: Fret): 0x11E8
  1137. Debug string: Fret): 0x1179
  1138. Debug string: Fret): 0x11E8
  1139. Debug string: Fret): 0x1179
  1140. Debug string: Fret): 0x11E8
  1141. Debug string: Fret): 0x1179
  1142. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1143. Debug string: Fret): 0x11
  1144. Debug string: Fret): 0x11E8
  1145. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1146. Debug string: Fret): 0x77
  1147. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1148. Debug string: Fret): 0x77
  1149. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1150. Debug string: Fret): 0x77
  1151. Debug string: Filter(NTID{Rva: 0xD96E, Id: 0xB1, Name: ZwQueryValueKey}
  1152. Debug string: Fret): 0xB1
  1153. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1154. Debug string: Filter(pZw: 0x1001006E
  1155. Debug string: NtClose(HANDLE: 0x44, OBJECT: \REGISTRY\MACHINE\SYSTEM\Setup)
  1156. Debug string: Fret): 0x19
  1157. Debug string: Filter(NTID{Rva: 0xD75E, Id: 0x90, Name: ZwQueryDefaultUILanguage}
  1158. Debug string: Fret): 0x90
  1159. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  1160. Debug string: Fret): 0x74
  1161. Debug string: Filter(NTID{Rva: 0xD17E, Id: 0x32, Name: ZwCreateSection}
  1162. Debug string: Fret): 0x32
  1163. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  1164. Debug string: Fret): 0xAD
  1165. Debug string: Filter(NTID{Rva: 0xD51E, Id: 0x6C, Name: ZwMapViewOfSection}
  1166. Debug string: Fret): 0x6C
  1167. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  1168. Debug string: Fret): 0x74
  1169. Debug string: Filter(NTID{Rva: 0xD82E, Id: 0x9D, Name: ZwQueryInstallUILanguage}
  1170. Debug string: Fret): 0x9D
  1171. Debug string: Filter(NTID{Rva: 0xD74E, Id: 0x8F, Name: ZwQueryDefaultLocale}
  1172. Debug string: Fret): 0x8F
  1173. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  1174. Debug string: Fret): 0x74
  1175. Debug string: Filter(NTID{Rva: 0xDADE, Id: 0xC8, Name: ZwRequestWaitReplyPort}
  1176. Debug string: Fret): 0xC8
  1177. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1178. Debug string: Filter(pZw: 0x1001006E
  1179. Debug string: NtClose(HANDLE: 0x44, OBJECT: \Device\HarddiskVolume1\WINDOWS\system32\shell32.dll)
  1180. Debug string: Fret): 0x19
  1181. Debug string: Filter(NTID{Rva: 0xCFEE, Id: 0x19, Name: ZwClose}
  1182. Debug string: Filter(pZw: 0x1001006E
  1183. Debug string: NtClose(HANDLE: 0x40, OBJECT: (null))
  1184. Debug string: Fret): 0x19
  1185. Debug string: Filter(NTID{Rva: 0xDF0E, Id: 0x10B, Name: ZwUnmapViewOfSection}
  1186. Debug string: Fret): 0x10B
  1187. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1188. Debug string: Fret): 0x8E
  1189. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1190. Debug string: Fret): 0x77
  1191. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1192. Debug string: Fret): 0x8E
  1193. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1194. Debug string: Fret): 0x8E
  1195. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1196. Debug string: Fret): 0x11
  1197. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  1198. Debug string: Fret): 0x8B
  1199. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1200. Debug string: Fret): 0x8E
  1201. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1202. Debug string: Fret): 0x8E
  1203. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1204. Debug string: Fret): 0x8E
  1205. Debug string: Filter(NTID{Rva: 0xD70E, Id: 0x8B, Name: ZwQueryAttributesFile}
  1206. Debug string: Fret): 0x8B
  1207. Debug string: Filter(NTID{Rva: 0xD59E, Id: 0x74, Name: ZwOpenFile}
  1208. Debug string: Fret): 0x74
  1209. Debug string: Filter(NTID{Rva: 0xD73E, Id: 0x8E, Name: ZwQueryDebugFilterState}
  1210. Debug string: Fret): 0x8E
  1211. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1212. Debug string: Fret): 0x11
  1213. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1214. Debug string: Fret): 0x11
  1215. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1216. Debug string: Fret): 0x77
  1217. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1218. Debug string: Fret): 0x77
  1219. Debug string: Fret): 0x11ED
  1220. Debug string: Fret): 0x11ED
  1221. Debug string: Fret): 0x11ED
  1222. Debug string: Fret): 0x11ED
  1223. Debug string: Fret): 0x11ED
  1224. Debug string: Fret): 0x11ED
  1225. Debug string: Fret): 0x11ED
  1226. Debug string: Fret): 0x11ED
  1227. Debug string: Fret): 0x11ED
  1228. Debug string: Fret): 0x11ED
  1229. Debug string: Fret): 0x11ED
  1230. Debug string: Fret): 0x11ED
  1231. Debug string: Fret): 0x11ED
  1232. Debug string: Fret): 0x11ED
  1233. Debug string: Fret): 0x11ED
  1234. Debug string: Fret): 0x11ED
  1235. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1236. Debug string: Fret): 0x77
  1237. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1238. Debug string: Fret): 0x77
  1239. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  1240. Debug string: Fret): 0xAD
  1241. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1242. Debug string: Fret): 0x11
  1243. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  1244. Debug string: Fret): 0x89
  1245. Debug string: Filter(NTID{Rva: 0xD6EE, Id: 0x89, Name: ZwProtectVirtualMemory}
  1246. Debug string: Fret): 0x89
  1247. Debug string: Filter(NTID{Rva: 0xD8AE, Id: 0xA5, Name: ZwQueryPerformanceCounter}
  1248. Debug string: Fret): 0xA5
  1249. Debug string: Filter(NTID{Rva: 0xD92E, Id: 0xAD, Name: ZwQuerySystemInformation}
  1250. Debug string: Fret): 0xAD
  1251. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1252. Debug string: Fret): 0x11
  1253. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1254. Debug string: Fret): 0x11
  1255. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1256. Debug string: Fret): 0x11
  1257. Debug string: Filter(NTID{Rva: 0xCF6E, Id: 0x11, Name: ZwAllocateVirtualMemory}
  1258. Debug string: Fret): 0x11
  1259. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1260. Debug string: Fret): 0x77
  1261. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1262. Debug string: Fret): 0x77
  1263. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1264. Debug string: Fret): 0x77
  1265. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1266. Debug string: Fret): 0x77
  1267. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1268. Debug string: Fret): 0x77
  1269. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1270. Debug string: Fret): 0x77
  1271. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1272. Debug string: Fret): 0x77
  1273. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1274. Debug string: Fret): 0x77
  1275. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1276. Debug string: Fret): 0x77
  1277. Debug string: Filter(NTID{Rva: 0xD5CE, Id: 0x77, Name: ZwOpenKey}
  1278. Debug string: Fret): 0x77
  1279. Debug string: Filter(NTID{Rva: 0xDE8E, Id: 0x103, Name: ZwTestAlert}
  1280. Debug string: Fret): 0x103
  1281. Debug string: Filter(NTID{Rva: 0xD05E, Id: 0x20, Name: ZwContinue}
  1282. Debug string: Fret): 0x20
  1283. Debug string: Filter(NTID{Rva: 0xDCAE, Id: 0xE5, Name: ZwSetInformationThread}
  1284. Debug string: Fret): 0xE5
  1285. 0100739D Entry point of main module