
Untitled

a guest
Mar 27th, 2017
  ; RtlExitUserProcess: debugger disassembly (address, opcode bytes, instruction), x64, Intel syntax.
  ; In:   ecx = exit status (kept in edi and passed as the 2nd argument to both NtTerminateProcess calls).
  ; Flow visible in this listing:
  ;   1. acquire the loader lock, FastPebLock and the process heap lock
  ;   2. NtTerminateProcess(0, status) while those locks are held
  ;   3. release the heap lock and FastPebLock
  ;   4. if step 2 returned a non-negative status: RtlReportSilentProcessExit(-1, status),
  ;      LdrShutdownProcess(), NtTerminateProcess(-1, status)
  ; Branch targets printed as  string L"\\??\\%C:"+NNNNh  are the debugger's nearest-symbol label for
  ; addresses outside this listing; the code at those addresses is not shown here.
  ; NOTE(review): no call that releases the loader lock appears in this listing.
  1. RtlExitUserProcess:
  ; Prologue: rbx/rsi are spilled to [rsp+10h]/[rsp+18h] (the caller-provided home slots under the
  ; Microsoft x64 convention), rdi is pushed, and 0E0h bytes of locals are reserved.
  2. 00007FFAD4408490 48 89 5C 24 10 mov qword ptr [rsp+10h],rbx
  3. 00007FFAD4408495 48 89 74 24 18 mov qword ptr [rsp+18h],rsi
  4. 00007FFAD440849A 57 push rdi
  5. 00007FFAD440849B 48 81 EC E0 00 00 00 sub rsp,0E0h
  ; Stack cookie: __security_cookie XOR rsp is stored at [rsp+0D0h]. The matching check is not in this
  ; listing (presumably in the block reached by the final jmp; confirm).
  6. 00007FFAD44084A2 48 8B 05 DF BE 12 00 mov rax,qword ptr [__security_cookie (07FFAD4534388h)]
  7. 00007FFAD44084A9 48 33 C4 xor rax,rsp
  8. 00007FFAD44084AC 48 89 84 24 D0 00 00 00 mov qword ptr [rsp+0D0h],rax
  ; If EtwpLoggerArray is non-zero, branch to out-of-line code (not shown). The mov between cmp and jne
  ; does not alter flags; it saves the exit status in edi so it survives the calls below.
  9. 00007FFAD44084B4 48 83 3D 34 77 11 00 00 cmp qword ptr [EtwpLoggerArray (07FFAD451FBF0h)],0
  10. 00007FFAD44084BC 8B F9 mov edi,ecx
  11. 00007FFAD44084BE 0F 85 CE 9A 08 00 jne string L"\\??\\%C:"+2F32h (07FFAD4491F92h)
  ; Take the three locks in order: loader lock, FastPebLock, process heap.
  ; NOTE(review): presumably so that no other thread is terminated while it owns one of them; confirm.
  12. 00007FFAD44084C4 E8 87 31 02 00 call LdrpAcquireLoaderLock (07FFAD442B650h)
  13. 00007FFAD44084C9 48 8D 0D 70 8D 11 00 lea rcx,[FastPebLock (07FFAD4521240h)]
  14. 00007FFAD44084D0 E8 CB 31 02 00 call RtlEnterCriticalSection (07FFAD442B6A0h)
  ; gs:[60h] is the PEB pointer on x64 Windows; the qword at PEB+30h is the process heap handle.
  15. 00007FFAD44084D5 65 48 8B 0C 25 60 00 00 00 mov rcx,qword ptr gs:[60h]
  16. 00007FFAD44084DE 48 8B 49 30 mov rcx,qword ptr [rcx+30h]
  17. 00007FFAD44084E2 E8 69 57 02 00 call RtlLockHeap (07FFAD442DC50h)
  ; First NtTerminateProcess call: rcx = 0 (null handle), edx = exit status.
  ; NOTE(review): a null handle is commonly described as terminating every thread in the process
  ; except the caller, leaving the caller running; confirm against a current reference.
  18. 00007FFAD44084E7 8B D7 mov edx,edi
  19. 00007FFAD44084E9 33 C9 xor ecx,ecx
  20. 00007FFAD44084EB E8 80 84 07 00 call NtTerminateProcess (07FFAD4480970h)
  ; Keep the returned status in ebx across the unlock calls, then release the heap lock and FastPebLock
  ; (reverse of the order in which they were taken).
  21. 00007FFAD44084F0 65 48 8B 0C 25 60 00 00 00 mov rcx,qword ptr gs:[60h]
  22. 00007FFAD44084F9 48 8B 49 30 mov rcx,qword ptr [rcx+30h]
  23. 00007FFAD44084FD 8B D8 mov ebx,eax
  24. 00007FFAD44084FF E8 7C 56 02 00 call RtlUnlockHeap (07FFAD442DB80h)
  25. 00007FFAD4408504 48 8D 0D 35 8D 11 00 lea rcx,[FastPebLock (07FFAD4521240h)]
  26. 00007FFAD440850B E8 30 3A 02 00 call RtlLeaveCriticalSection (07FFAD442BF40h)
  ; Sign bit set in the saved status (a failing NTSTATUS) branches to out-of-line code (not shown).
  27. 00007FFAD4408510 85 DB test ebx,ebx
  28. 00007FFAD4408512 0F 88 15 9B 08 00 js string L"\\??\\%C:"+2FCDh (07FFAD449202Dh)
  ; rcx = -1 (the current-process pseudo-handle), edx = exit status.
  ; NOTE(review): by its name this call feeds the Silent Process Exit monitoring feature; what it does
  ; is not visible here. Unexpected changes to that feature's configuration are worth alerting on.
  29. 00007FFAD4408518 8B D7 mov edx,edi
  30. 00007FFAD440851A 48 83 C9 FF or rcx,0FFFFFFFFFFFFFFFFh
  31. 00007FFAD440851E E8 FD FD FF FF call RtlReportSilentProcessExit (07FFAD4408320h)
  ; NOTE(review): if the null-handle call above did end the other threads, whatever LdrShutdownProcess
  ; runs executes with only this thread left, so a lock owned by a terminated thread is never released.
  32. 00007FFAD4408523 E8 98 2E 00 00 call LdrShutdownProcess (07FFAD440B3C0h)
  ; Second NtTerminateProcess call: rcx is reloaded with -1 because it is volatile across the two calls
  ; above; edx = exit status. This targets the current process itself.
  33. 00007FFAD4408528 8B D7 mov edx,edi
  34. 00007FFAD440852A 48 83 C9 FF or rcx,0FFFFFFFFFFFFFFFFh
  35. 00007FFAD440852E E8 3D 84 07 00 call NtTerminateProcess (07FFAD4480970h)
  ; Execution continues here only if the call above returns; control then moves to out-of-line code
  ; (not shown). The int 3 after the jmp is never reached by fall-through.
  36. 00007FFAD4408533 90 nop
  37. 00007FFAD4408534 E9 0E 9B 08 00 jmp string L"\\??\\%C:"+2FE7h (07FFAD4492047h)
  38. 00007FFAD4408539 CC int 3