蹂躪D&F數據之XP-NtOpenProcess(虛擬機)

0: kd> u NtOpenProcess l 28B
;-----------------------------------------------------------------------
; nt!NtOpenProcess  (WinDbg "u" listing; x86 Windows XP kernel in a VM)
; Shape reconstructed from the listing: stdcall, 4 args ("ret 10h"),
; MSVC SEH frame via _SEH_prolog/_SEH_epilog.
;   NTSTATUS NtOpenProcess(PHANDLE            ProcessHandle,    ; [ebp+8]   written on success
;                          ACCESS_MASK        DesiredAccess,    ; [ebp+0Ch] passed to SeCreateAccessState
;                          POBJECT_ATTRIBUTES ObjectAttributes, ; [ebp+10h] -> ebx
;                          PCLIENT_ID         ClientId)         ; [ebp+14h] copied to locals
; Register roles:  esi = 0 for the whole body (zero / NULL source)
;                  ebx = ObjectAttributes
;                  edi = NTSTATUS returned by the Ob* open call
; Locals (as used below):
;   [ebp-4]     SEH try level: 0 = probing user pointers, 1/2 = writing
;               *ProcessHandle, -1 = no active __try
;   [ebp-14h]   EXCEPTION_POINTERS* inside the filters (MSVC SEH frame)
;   [ebp-18h]   saved esp used by the handler path
;   [ebp-34h]   previous-mode byte of the current thread
;   [ebp-38h]   ObjectAttributes->Attributes ([ebx+0Ch])
;   [ebp-2Ch]/[ebp-28h]  captured copy of *ClientId (UniqueProcess / UniqueThread)
;   [ebp-1Ah]   flag: ObjectAttributes->ObjectName != NULL
;   [ebp-19h]   flag: ClientId != NULL
;   [ebp-20h]   handle produced by ObOpenObjectByName / ObOpenObjectByPointer
;   [ebp-24h]   EPROCESS* from the Cid lookup; [ebp-30h] ETHREAD* (may stay NULL)
;   [ebp-0B8h]  ACCESS_STATE; [ebp-0D4h] its aux data
;   [ebp-0A8h]/[ebp-0A4h]  ACCESS_STATE+10h / +14h; presumably
;               RemainingDesiredAccess / PreviouslyGrantedAccess -- confirm with dt nt!_ACCESS_STATE
;   [ebp-3Ch],[ebp-40h],[ebp-44h]  exception code saved by each SEH filter
; Security-relevant structure: every user pointer is probed inline (compare
; against MmUserProbeAddress, otherwise fault on purpose) inside a __try,
; ClientId is copied to the stack once and the user buffer is not read
; again, SeDebugPrivilege pre-grants the requested access, and the handle
; is written back to user memory under its own __try.
;-----------------------------------------------------------------------
nt!NtOpenProcess:
805cc3fc 68c4000000      push    0C4h                          ; local frame size for _SEH_prolog
805cc401 68b8b44d80      push    offset nt!ObWatchHandles+0x25c (804db4b8)   ; SEH scope table (debugger prints the nearest public symbol)
805cc406 e87507f7ff      call    nt!_SEH_prolog (8053cb80)
805cc40b 33f6            xor     esi,esi                       ; esi = 0 from here on
805cc40d 8975d4          mov     dword ptr [ebp-2Ch],esi       ; ClientId copy .UniqueProcess = 0
805cc410 33c0            xor     eax,eax
805cc412 8d7dd8          lea     edi,[ebp-28h]
805cc415 ab              stos    dword ptr es:[edi]            ; ClientId copy .UniqueThread = 0
805cc416 64a124010000    mov     eax,dword ptr fs:[00000124h]  ; current thread (KPCR.PrcbData.CurrentThread)
805cc41c 8a8040010000    mov     al,byte ptr [eax+140h]        ; presumably KTHREAD.PreviousMode -- confirm with dt nt!_KTHREAD
805cc422 8845cc          mov     byte ptr [ebp-34h],al
805cc425 84c0            test    al,al
805cc427 0f848f000000    je      nt!NtOpenProcess+0xc0 (805cc4bc)   ; zero (KernelMode): skip all probing
; --- UserMode caller: probe ProcessHandle, ObjectAttributes, ClientId inside __try (level 0)
805cc42d 8975fc          mov     dword ptr [ebp-4],esi         ; try level = 0
805cc430 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc435 8b4d08          mov     ecx,dword ptr [ebp+8]         ; ecx = ProcessHandle
805cc438 3bc8            cmp     ecx,eax
805cc43a 7202            jb      nt!NtOpenProcess+0x42 (805cc43e)
805cc43c 8930            mov     dword ptr [eax],esi           ; pointer >= MmUserProbeAddress: store to the probe address itself, which raises the AV the SEH filter catches
805cc43e 8b01            mov     eax,dword ptr [ecx]
805cc440 8901            mov     dword ptr [ecx],eax           ; read+write back *ProcessHandle (inline ProbeForWrite)
805cc442 8b5d10          mov     ebx,dword ptr [ebp+10h]       ; ebx = ObjectAttributes
805cc445 f6c303          test    bl,3
805cc448 7405            je      nt!NtOpenProcess+0x53 (805cc44f)
805cc44a e8178c0400      call    nt!ExRaiseDatatypeMisalignment (80615066)   ; not 4-byte aligned
805cc44f a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc454 3bd8            cmp     ebx,eax
805cc456 7207            jb      nt!NtOpenProcess+0x63 (805cc45f)
805cc458 8930            mov     dword ptr [eax],esi           ; deliberate faulting store, as above
805cc45a a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc45f 397308          cmp     dword ptr [ebx+8],esi         ; ObjectAttributes->ObjectName
805cc462 0f9545e6        setne   byte ptr [ebp-1Ah]            ; flag: a name was supplied
805cc466 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]       ; ObjectAttributes->Attributes
805cc469 894dc8          mov     dword ptr [ebp-38h],ecx
805cc46c 8b4d14          mov     ecx,dword ptr [ebp+14h]       ; ecx = ClientId
805cc46f 3bce            cmp     ecx,esi
805cc471 7429            je      nt!NtOpenProcess+0xa0 (805cc49c)   ; ClientId == NULL
805cc473 f6c103          test    cl,3
805cc476 740d            je      nt!NtOpenProcess+0x89 (805cc485)
805cc478 e8e98b0400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc47d a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc482 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc485 3bc8            cmp     ecx,eax
805cc487 7202            jb      nt!NtOpenProcess+0x8f (805cc48b)
805cc489 8930            mov     dword ptr [eax],esi           ; deliberate faulting store
805cc48b 8b01            mov     eax,dword ptr [ecx]
805cc48d 8945d4          mov     dword ptr [ebp-2Ch],eax       ; capture ClientId->UniqueProcess
805cc490 8b4104          mov     eax,dword ptr [ecx+4]
805cc493 8945d8          mov     dword ptr [ebp-28h],eax       ; capture ClientId->UniqueThread; the user copy is not read again (no TOCTOU window)
805cc496 c645e701        mov     byte ptr [ebp-19h],1          ; flag: ClientId supplied
805cc49a eb04            jmp     nt!NtOpenProcess+0xa4 (805cc4a0)
805cc49c c645e700        mov     byte ptr [ebp-19h],0
805cc4a0 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh  ; try level = -1: end of probe block
805cc4a4 eb42            jmp     nt!NtOpenProcess+0xec (805cc4e8)
; --- SEH filter for the probe block: save the exception code, return 1 (EXCEPTION_EXECUTE_HANDLER)
805cc4a6 8b45ec          mov     eax,dword ptr [ebp-14h]       ; EXCEPTION_POINTERS*
805cc4a9 8b00            mov     eax,dword ptr [eax]           ; ->ExceptionRecord
805cc4ab 8b00            mov     eax,dword ptr [eax]           ; ->ExceptionCode
805cc4ad 8945c4          mov     dword ptr [ebp-3Ch],eax
805cc4b0 33c0            xor     eax,eax
805cc4b2 40              inc     eax
805cc4b3 c3              ret
; --- handler body for the probe block: status = exception code, go to the common exception exit
805cc4b4 8b45c4          mov     eax,dword ptr [ebp-3Ch]
805cc4b7 e9b0010000      jmp     nt!NtOpenProcess+0x270 (805cc66c)
; --- KernelMode caller: read the same fields with no probing and no __try
805cc4bc 8b5d10          mov     ebx,dword ptr [ebp+10h]       ; ebx = ObjectAttributes
805cc4bf 397308          cmp     dword ptr [ebx+8],esi         ; ->ObjectName
805cc4c2 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc4c6 8b430c          mov     eax,dword ptr [ebx+0Ch]       ; ->Attributes
805cc4c9 8945c8          mov     dword ptr [ebp-38h],eax
805cc4cc 8b4514          mov     eax,dword ptr [ebp+14h]       ; ClientId
805cc4cf 3bc6            cmp     eax,esi
805cc4d1 7411            je      nt!NtOpenProcess+0xe8 (805cc4e4)
805cc4d3 8b08            mov     ecx,dword ptr [eax]
805cc4d5 894dd4          mov     dword ptr [ebp-2Ch],ecx       ; UniqueProcess
805cc4d8 8b4004          mov     eax,dword ptr [eax+4]
805cc4db 8945d8          mov     dword ptr [ebp-28h],eax       ; UniqueThread
805cc4de c645e701        mov     byte ptr [ebp-19h],1
805cc4e2 eb04            jmp     nt!NtOpenProcess+0xec (805cc4e8)
805cc4e4 c645e700        mov     byte ptr [ebp-19h],0
; --- exactly one of ObjectName / ClientId may be given
805cc4e8 807de600        cmp     byte ptr [ebp-1Ah],0
805cc4ec 740a            je      nt!NtOpenProcess+0xfc (805cc4f8)
805cc4ee 807de700        cmp     byte ptr [ebp-19h],0
805cc4f2 0f857d010000    jne     nt!NtOpenProcess+0x279 (805cc675)   ; both given -> STATUS_INVALID_PARAMETER_MIX
; --- build the ACCESS_STATE for DesiredAccess against the process object type
805cc4f8 a1b8495680      mov     eax,dword ptr [nt!PsProcessType (805649b8)]
805cc4fd 83c068          add     eax,68h                       ; presumably &PsProcessType->TypeInfo.GenericMapping -- confirm with dt nt!_OBJECT_TYPE
805cc500 50              push    eax
805cc501 ff750c          push    dword ptr [ebp+0Ch]           ; DesiredAccess
805cc504 8d852cffffff    lea     eax,[ebp-0D4h]
805cc50a 50              push    eax                           ; aux data
805cc50b 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc511 50              push    eax                           ; &AccessState
805cc512 e8a1580200      call    nt!SeCreateAccessState (805f1db8)
805cc517 3bc6            cmp     eax,esi
805cc519 0f8c5b010000    jl      nt!NtOpenProcess+0x27e (805cc67a)   ; failure status is returned as-is
; --- SeDebugPrivilege: when held, the requested access is granted before the object ACL is consulted
805cc51f ff75cc          push    dword ptr [ebp-34h]           ; PreviousMode
805cc522 ff3520dd6780    push    dword ptr [nt!SeDebugPrivilege+0x4 (8067dd20)]   ; LUID high part
805cc528 ff351cdd6780    push    dword ptr [nt!SeDebugPrivilege (8067dd1c)]       ; LUID low part
805cc52e e881c70200      call    nt!SeSinglePrivilegeCheck (805f8cb4)
805cc533 84c0            test    al,al
805cc535 7425            je      nt!NtOpenProcess+0x160 (805cc55c)   ; not held: normal access check applies
805cc537 8b8558ffffff    mov     eax,dword ptr [ebp-0A8h]      ; AccessState+10h (remaining desired access)
805cc53d a900000002      test    eax,2000000h                  ; MAXIMUM_ALLOWED requested?
805cc542 740c            je      nt!NtOpenProcess+0x154 (805cc550)
805cc544 818d5cffffffff0f1f00 or  dword ptr [ebp-0A4h],1F0FFFh   ; AccessState+14h |= 1F0FFFh (PROCESS_ALL_ACCESS on XP)
805cc54e eb06            jmp     nt!NtOpenProcess+0x15a (805cc556)
805cc550 09855cffffff    or      dword ptr [ebp-0A4h],eax      ; else grant exactly what was asked
805cc556 89b558ffffff    mov     dword ptr [ebp-0A8h],esi      ; nothing left to check
; --- path A: open by ObjectAttributes->ObjectName
805cc55c 807de600        cmp     byte ptr [ebp-1Ah],0
805cc560 745e            je      nt!NtOpenProcess+0x1c4 (805cc5c0)
805cc562 8d45e0          lea     eax,[ebp-20h]
805cc565 50              push    eax                           ; &Handle (out)
805cc566 56              push    esi                           ; ParseContext = NULL (per the ObOpenObjectByName prototype)
805cc567 56              push    esi                           ; DesiredAccess = 0; access is carried by the AccessState
805cc568 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc56e 50              push    eax                           ; &AccessState
805cc56f ff75cc          push    dword ptr [ebp-34h]           ; PreviousMode
805cc572 ff35b8495680    push    dword ptr [nt!PsProcessType (805649b8)]
805cc578 53              push    ebx                           ; ObjectAttributes
805cc579 e86803ffff      call    nt!ObOpenObjectByName (805bc8e6)
805cc57e 8bf8            mov     edi,eax                       ; edi = status
805cc580 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc586 50              push    eax
805cc587 e8ee550200      call    nt!SeDeleteAccessState (805f1b7a)
805cc58c 3bfe            cmp     edi,esi
805cc58e 7c13            jl      nt!NtOpenProcess+0x1a7 (805cc5a3)   ; open failed: return status
; --- common success exit: *ProcessHandle = Handle under its own __try (level 1 here, 2 from path B)
805cc590 c745fc01000000  mov     dword ptr [ebp-4],1
805cc597 8b45e0          mov     eax,dword ptr [ebp-20h]
805cc59a 8b4d08          mov     ecx,dword ptr [ebp+8]
805cc59d 8901            mov     dword ptr [ecx],eax           ; user pointer: a fault here is caught by the filter below
805cc59f 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc5a3 8bc7            mov     eax,edi                       ; return status
805cc5a5 e9d0000000      jmp     nt!NtOpenProcess+0x27e (805cc67a)
; --- SEH filter + handler for the level-1 write-back (same pattern as above)
805cc5aa 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc5ad 8b00            mov     eax,dword ptr [eax]
805cc5af 8b00            mov     eax,dword ptr [eax]
805cc5b1 8945c0          mov     dword ptr [ebp-40h],eax       ; exception code
805cc5b4 33c0            xor     eax,eax
805cc5b6 40              inc     eax                           ; EXCEPTION_EXECUTE_HANDLER
805cc5b7 c3              ret
805cc5b8 8b45c0          mov     eax,dword ptr [ebp-40h]
805cc5bb e9ac000000      jmp     nt!NtOpenProcess+0x270 (805cc66c)
; --- path B: open by ClientId
805cc5c0 807de700        cmp     byte ptr [ebp-19h],0
805cc5c4 0f84ab000000    je      nt!NtOpenProcess+0x279 (805cc675)   ; neither name nor Cid -> STATUS_INVALID_PARAMETER_MIX
805cc5ca 8975d0          mov     dword ptr [ebp-30h],esi       ; Thread = NULL
805cc5cd 3975d8          cmp     dword ptr [ebp-28h],esi       ; UniqueThread given?
805cc5d0 7425            je      nt!NtOpenProcess+0x1fb (805cc5f7)
805cc5d2 8d45d0          lea     eax,[ebp-30h]
805cc5d5 50              push    eax                           ; &Thread (out)
805cc5d6 8d45dc          lea     eax,[ebp-24h]
805cc5d9 50              push    eax                           ; &Process (out)
805cc5da 8d45d4          lea     eax,[ebp-2Ch]
805cc5dd 50              push    eax                           ; &ClientId (the captured copy)
805cc5de e83f7a0000      call    nt!PsLookupProcessThreadByCid (805d4022)
805cc5e3 8bf8            mov     edi,eax
805cc5e5 3bfe            cmp     edi,esi
805cc5e7 7d1c            jge     nt!NtOpenProcess+0x209 (805cc605)
805cc5e9 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc5ef 50              push    eax
805cc5f0 e885550200      call    nt!SeDeleteAccessState (805f1b7a)   ; lookup failed: release the access state, return status
805cc5f5 ebac            jmp     nt!NtOpenProcess+0x1a7 (805cc5a3)
805cc5f7 8d45dc          lea     eax,[ebp-24h]
805cc5fa 50              push    eax                           ; &Process (out)
805cc5fb ff75d4          push    dword ptr [ebp-2Ch]           ; UniqueProcess
805cc5fe e8db7a0000      call    nt!PsLookupProcessByProcessId (805d40de)
805cc603 ebde            jmp     nt!NtOpenProcess+0x1e7 (805cc5e3)
805cc605 8d45e0          lea     eax,[ebp-20h]
805cc608 50              push    eax                           ; &Handle (out)
805cc609 ff75cc          push    dword ptr [ebp-34h]           ; PreviousMode
805cc60c ff35b8495680    push    dword ptr [nt!PsProcessType (805649b8)]
805cc612 56              push    esi                           ; DesiredAccess = 0 (carried by the AccessState)
805cc613 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc619 50              push    eax                           ; &AccessState
805cc61a ff75c8          push    dword ptr [ebp-38h]           ; HandleAttributes = ObjectAttributes->Attributes
805cc61d ff75dc          push    dword ptr [ebp-24h]           ; Process
805cc620 e84706ffff      call    nt!ObOpenObjectByPointer (805bcc6c)
805cc625 8bf8            mov     edi,eax                       ; edi = status
805cc627 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc62d 50              push    eax
805cc62e e847550200      call    nt!SeDeleteAccessState (805f1b7a)
805cc633 8b4dd0          mov     ecx,dword ptr [ebp-30h]
805cc636 3bce            cmp     ecx,esi
805cc638 7405            je      nt!NtOpenProcess+0x243 (805cc63f)
805cc63a e83fb0f5ff      call    nt!ObfDereferenceObject (8052767e)   ; drop the thread reference from the Cid lookup (fastcall, ecx)
805cc63f 8b4ddc          mov     ecx,dword ptr [ebp-24h]
805cc642 e837b0f5ff      call    nt!ObfDereferenceObject (8052767e)   ; drop the process reference from the lookup
805cc647 3bfe            cmp     edi,esi
805cc649 0f8c54ffffff    jl      nt!NtOpenProcess+0x1a7 (805cc5a3)
805cc64f c745fc02000000  mov     dword ptr [ebp-4],2           ; try level 2 around the shared handle write-back
805cc656 e93cffffff      jmp     nt!NtOpenProcess+0x19b (805cc597)
; --- SEH filter + handler for the level-2 write-back
805cc65b 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc65e 8b00            mov     eax,dword ptr [eax]
805cc660 8b00            mov     eax,dword ptr [eax]
805cc662 8945bc          mov     dword ptr [ebp-44h],eax       ; exception code
805cc665 33c0            xor     eax,eax
805cc667 40              inc     eax                           ; EXCEPTION_EXECUTE_HANDLER
805cc668 c3              ret
805cc669 8b45bc          mov     eax,dword ptr [ebp-44h]
; --- common exception exit: restore esp from the SEH frame, return the exception code as the status
805cc66c 8b65e8          mov     esp,dword ptr [ebp-18h]
805cc66f 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc673 eb05            jmp     nt!NtOpenProcess+0x27e (805cc67a)
805cc675 b8300000c0      mov     eax,0C0000030h               ; STATUS_INVALID_PARAMETER_MIX
805cc67a e83c05f7ff      call    nt!_SEH_epilog (8053cbbb)
805cc67f c21000          ret     10h                           ; stdcall: pop 4 args
; --- int 3 padding to the next function
805cc682 cc              int     3
805cc683 cc              int     3
805cc684 cc              int     3
805cc685 cc              int     3
805cc686 cc              int     3
805cc687 cc              int     3
;-----------------------------------------------------------------------
; nt!NtOpenThread  (WinDbg "u" listing; x86 Windows XP kernel in a VM)
; Same skeleton as nt!NtOpenProcess above: stdcall, 4 args ("ret 10h"),
; MSVC SEH frame, inline MmUserProbeAddress probing, SeDebugPrivilege
; pre-grant, handle written back to user memory under its own __try.
;   NTSTATUS NtOpenThread(PHANDLE            ThreadHandle,     ; [ebp+8]
;                         ACCESS_MASK        DesiredAccess,    ; [ebp+0Ch]
;                         POBJECT_ATTRIBUTES ObjectAttributes, ; [ebp+10h] -> ebx
;                         PCLIENT_ID         ClientId)         ; [ebp+14h]
; Differences from NtOpenProcess worth noting:
;   * object type is PsThreadType; the debug-privilege grant is 1F03FFh
;     (THREAD_ALL_ACCESS on XP) instead of 1F0FFFh
;   * the Cid path keys on UniqueProcess: non-zero -> PsLookupProcessThreadByCid,
;     zero -> PsLookupThreadByThreadId(UniqueThread)
;   * local slots are shifted: [ebp-30h] previous mode, [ebp-34h] Attributes,
;     [ebp-24h] out handle, [ebp-20h] ETHREAD*, [ebp-0B4h] ACCESS_STATE,
;     [ebp-0D0h] aux data, [ebp-0A4h]/[ebp-0A0h] = ACCESS_STATE+10h/+14h
;   * exception codes saved in [ebp-38h], [ebp-3Ch], [ebp-40h]
; esi = 0 throughout; edi = NTSTATUS from the Ob* open call.
;-----------------------------------------------------------------------
nt!NtOpenThread:
805cc688 68c0000000      push    0C0h                          ; local frame size
805cc68d 68e0b44d80      push    offset nt!ObWatchHandles+0x284 (804db4e0)   ; SEH scope table (nearest public symbol shown)
805cc692 e8e904f7ff      call    nt!_SEH_prolog (8053cb80)
805cc697 33f6            xor     esi,esi                       ; esi = 0 from here on
805cc699 8975d4          mov     dword ptr [ebp-2Ch],esi       ; ClientId copy .UniqueProcess = 0
805cc69c 33c0            xor     eax,eax
805cc69e 8d7dd8          lea     edi,[ebp-28h]
805cc6a1 ab              stos    dword ptr es:[edi]            ; ClientId copy .UniqueThread = 0
805cc6a2 64a124010000    mov     eax,dword ptr fs:[00000124h]  ; current thread
805cc6a8 8a8040010000    mov     al,byte ptr [eax+140h]        ; presumably KTHREAD.PreviousMode -- confirm with dt nt!_KTHREAD
805cc6ae 8845d0          mov     byte ptr [ebp-30h],al
805cc6b1 84c0            test    al,al
805cc6b3 0f848f000000    je      nt!NtOpenThread+0xc0 (805cc748)   ; KernelMode: skip probing
; --- UserMode caller: probe the three pointer args inside __try (level 0)
805cc6b9 8975fc          mov     dword ptr [ebp-4],esi         ; try level = 0
805cc6bc a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6c1 8b4d08          mov     ecx,dword ptr [ebp+8]         ; ThreadHandle
805cc6c4 3bc8            cmp     ecx,eax
805cc6c6 7202            jb      nt!NtOpenThread+0x42 (805cc6ca)
805cc6c8 8930            mov     dword ptr [eax],esi           ; deliberate faulting store (caught by the SEH filter)
805cc6ca 8b01            mov     eax,dword ptr [ecx]
805cc6cc 8901            mov     dword ptr [ecx],eax           ; read+write back *ThreadHandle (inline ProbeForWrite)
805cc6ce 8b5d10          mov     ebx,dword ptr [ebp+10h]       ; ebx = ObjectAttributes
805cc6d1 f6c303          test    bl,3
805cc6d4 7405            je      nt!NtOpenThread+0x53 (805cc6db)
805cc6d6 e88b890400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc6db a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6e0 3bd8            cmp     ebx,eax
805cc6e2 7207            jb      nt!NtOpenThread+0x63 (805cc6eb)
805cc6e4 8930            mov     dword ptr [eax],esi
805cc6e6 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6eb 397308          cmp     dword ptr [ebx+8],esi         ; ->ObjectName
805cc6ee 0f9545e6        setne   byte ptr [ebp-1Ah]            ; flag: name supplied
805cc6f2 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]       ; ->Attributes
805cc6f5 894dcc          mov     dword ptr [ebp-34h],ecx
805cc6f8 8b4d14          mov     ecx,dword ptr [ebp+14h]       ; ClientId
805cc6fb 3bce            cmp     ecx,esi
805cc6fd 7429            je      nt!NtOpenThread+0xa0 (805cc728)
805cc6ff f6c103          test    cl,3
805cc702 740d            je      nt!NtOpenThread+0x89 (805cc711)
805cc704 e85d890400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc709 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc70e 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc711 3bc8            cmp     ecx,eax
805cc713 7202            jb      nt!NtOpenThread+0x8f (805cc717)
805cc715 8930            mov     dword ptr [eax],esi
805cc717 8b01            mov     eax,dword ptr [ecx]
805cc719 8945d4          mov     dword ptr [ebp-2Ch],eax       ; capture UniqueProcess
805cc71c 8b4104          mov     eax,dword ptr [ecx+4]
805cc71f 8945d8          mov     dword ptr [ebp-28h],eax       ; capture UniqueThread; user copy not read again
805cc722 c645e701        mov     byte ptr [ebp-19h],1          ; flag: ClientId supplied
805cc726 eb04            jmp     nt!NtOpenThread+0xa4 (805cc72c)
805cc728 c645e700        mov     byte ptr [ebp-19h],0
805cc72c 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh  ; end of probe __try
805cc730 eb42            jmp     nt!NtOpenThread+0xec (805cc774)
; --- SEH filter + handler for the probe block
805cc732 8b45ec          mov     eax,dword ptr [ebp-14h]       ; EXCEPTION_POINTERS*
805cc735 8b00            mov     eax,dword ptr [eax]
805cc737 8b00            mov     eax,dword ptr [eax]           ; ExceptionCode
805cc739 8945c8          mov     dword ptr [ebp-38h],eax
805cc73c 33c0            xor     eax,eax
805cc73e 40              inc     eax                           ; EXCEPTION_EXECUTE_HANDLER
805cc73f c3              ret
805cc740 8b45c8          mov     eax,dword ptr [ebp-38h]
805cc743 e99a010000      jmp     nt!NtOpenThread+0x25a (805cc8e2)
; --- KernelMode caller: same reads, no probing
805cc748 8b5d10          mov     ebx,dword ptr [ebp+10h]
805cc74b 397308          cmp     dword ptr [ebx+8],esi
805cc74e 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc752 8b430c          mov     eax,dword ptr [ebx+0Ch]
805cc755 8945cc          mov     dword ptr [ebp-34h],eax
805cc758 8b4514          mov     eax,dword ptr [ebp+14h]
805cc75b 3bc6            cmp     eax,esi
805cc75d 7411            je      nt!NtOpenThread+0xe8 (805cc770)
805cc75f 8b08            mov     ecx,dword ptr [eax]
805cc761 894dd4          mov     dword ptr [ebp-2Ch],ecx
805cc764 8b4004          mov     eax,dword ptr [eax+4]
805cc767 8945d8          mov     dword ptr [ebp-28h],eax
805cc76a c645e701        mov     byte ptr [ebp-19h],1
805cc76e eb04            jmp     nt!NtOpenThread+0xec (805cc774)
805cc770 c645e700        mov     byte ptr [ebp-19h],0
; --- exactly one of ObjectName / ClientId may be given
805cc774 807de600        cmp     byte ptr [ebp-1Ah],0
805cc778 740a            je      nt!NtOpenThread+0xfc (805cc784)
805cc77a 807de700        cmp     byte ptr [ebp-19h],0
805cc77e 0f8567010000    jne     nt!NtOpenThread+0x263 (805cc8eb)   ; both -> STATUS_INVALID_PARAMETER_MIX
; --- ACCESS_STATE; note the generic mapping is taken from PsProcessType here, not PsThreadType
805cc784 a1b8495680      mov     eax,dword ptr [nt!PsProcessType (805649b8)]
805cc789 83c068          add     eax,68h                       ; presumably ->TypeInfo.GenericMapping -- confirm with dt nt!_OBJECT_TYPE
805cc78c 50              push    eax
805cc78d ff750c          push    dword ptr [ebp+0Ch]           ; DesiredAccess
805cc790 8d8530ffffff    lea     eax,[ebp-0D0h]
805cc796 50              push    eax                           ; aux data
805cc797 8d854cffffff    lea     eax,[ebp-0B4h]
805cc79d 50              push    eax                           ; &AccessState
805cc79e e815560200      call    nt!SeCreateAccessState (805f1db8)
805cc7a3 3bc6            cmp     eax,esi
805cc7a5 0f8c45010000    jl      nt!NtOpenThread+0x268 (805cc8f0)
; --- SeDebugPrivilege pre-grant
805cc7ab ff75d0          push    dword ptr [ebp-30h]           ; PreviousMode
805cc7ae ff3520dd6780    push    dword ptr [nt!SeDebugPrivilege+0x4 (8067dd20)]   ; LUID high
805cc7b4 ff351cdd6780    push    dword ptr [nt!SeDebugPrivilege (8067dd1c)]       ; LUID low
805cc7ba e8f5c40200      call    nt!SeSinglePrivilegeCheck (805f8cb4)
805cc7bf 84c0            test    al,al
805cc7c1 7425            je      nt!NtOpenThread+0x160 (805cc7e8)
805cc7c3 8b855cffffff    mov     eax,dword ptr [ebp-0A4h]      ; AccessState+10h (remaining desired access)
805cc7c9 a900000002      test    eax,2000000h                  ; MAXIMUM_ALLOWED?
805cc7ce 740c            je      nt!NtOpenThread+0x154 (805cc7dc)
805cc7d0 818d60ffffffff031f00 or  dword ptr [ebp-0A0h],1F03FFh   ; AccessState+14h |= THREAD_ALL_ACCESS (XP value)
805cc7da eb06            jmp     nt!NtOpenThread+0x15a (805cc7e2)
805cc7dc 098560ffffff    or      dword ptr [ebp-0A0h],eax      ; else grant exactly what was asked
805cc7e2 89b55cffffff    mov     dword ptr [ebp-0A4h],esi      ; nothing left to check
; --- path A: open by name
805cc7e8 807de600        cmp     byte ptr [ebp-1Ah],0
805cc7ec 745e            je      nt!NtOpenThread+0x1c4 (805cc84c)
805cc7ee 8d45dc          lea     eax,[ebp-24h]
805cc7f1 50              push    eax                           ; &Handle (out)
805cc7f2 56              push    esi                           ; ParseContext = NULL
805cc7f3 56              push    esi                           ; DesiredAccess = 0 (carried by the AccessState)
805cc7f4 8d854cffffff    lea     eax,[ebp-0B4h]
805cc7fa 50              push    eax                           ; &AccessState
805cc7fb ff75d0          push    dword ptr [ebp-30h]           ; PreviousMode
805cc7fe ff35bc495680    push    dword ptr [nt!PsThreadType (805649bc)]
805cc804 53              push    ebx                           ; ObjectAttributes
805cc805 e8dc00ffff      call    nt!ObOpenObjectByName (805bc8e6)
805cc80a 8bf8            mov     edi,eax                       ; edi = status
805cc80c 8d854cffffff    lea     eax,[ebp-0B4h]
805cc812 50              push    eax
805cc813 e862530200      call    nt!SeDeleteAccessState (805f1b7a)
805cc818 3bfe            cmp     edi,esi
805cc81a 7c13            jl      nt!NtOpenThread+0x1a7 (805cc82f)
; --- common success exit: *ThreadHandle = Handle under __try (level 1 here, 2 from path B)
805cc81c c745fc01000000  mov     dword ptr [ebp-4],1
805cc823 8b45dc          mov     eax,dword ptr [ebp-24h]
805cc826 8b4d08          mov     ecx,dword ptr [ebp+8]
805cc829 8901            mov     dword ptr [ecx],eax           ; user pointer write, guarded by the filter below
805cc82b 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc82f 8bc7            mov     eax,edi                       ; return status
805cc831 e9ba000000      jmp     nt!NtOpenThread+0x268 (805cc8f0)
; --- SEH filter + handler for the level-1 write-back
805cc836 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc839 8b00            mov     eax,dword ptr [eax]
805cc83b 8b00            mov     eax,dword ptr [eax]
805cc83d 8945c4          mov     dword ptr [ebp-3Ch],eax       ; exception code
805cc840 33c0            xor     eax,eax
805cc842 40              inc     eax
805cc843 c3              ret
805cc844 8b45c4          mov     eax,dword ptr [ebp-3Ch]
805cc847 e996000000      jmp     nt!NtOpenThread+0x25a (805cc8e2)
; --- path B: open by ClientId
805cc84c 807de700        cmp     byte ptr [ebp-19h],0
805cc850 0f8495000000    je      nt!NtOpenThread+0x263 (805cc8eb)   ; neither -> STATUS_INVALID_PARAMETER_MIX
805cc856 8d45e0          lea     eax,[ebp-20h]
805cc859 50              push    eax                           ; &Thread (out) -- shared by both lookups below
805cc85a 3975d4          cmp     dword ptr [ebp-2Ch],esi       ; UniqueProcess given?
805cc85d 741e            je      nt!NtOpenThread+0x1f5 (805cc87d)
805cc85f 56              push    esi                           ; Process out = NULL (not wanted)
805cc860 8d45d4          lea     eax,[ebp-2Ch]
805cc863 50              push    eax                           ; &ClientId (captured copy)
805cc864 e8b9770000      call    nt!PsLookupProcessThreadByCid (805d4022)
805cc869 8bf8            mov     edi,eax
805cc86b 3bfe            cmp     edi,esi
805cc86d 7d18            jge     nt!NtOpenThread+0x1ff (805cc887)
805cc86f 8d854cffffff    lea     eax,[ebp-0B4h]
805cc875 50              push    eax
805cc876 e8ff520200      call    nt!SeDeleteAccessState (805f1b7a)   ; lookup failed: clean up, return status
805cc87b ebb2            jmp     nt!NtOpenThread+0x1a7 (805cc82f)
805cc87d ff75d8          push    dword ptr [ebp-28h]           ; UniqueThread only
805cc880 e8e5780000      call    nt!PsLookupThreadByThreadId (805d416a)
805cc885 ebe2            jmp     nt!NtOpenThread+0x1e1 (805cc869)
805cc887 8d45dc          lea     eax,[ebp-24h]
805cc88a 50              push    eax                           ; &Handle (out)
805cc88b ff75d0          push    dword ptr [ebp-30h]           ; PreviousMode
805cc88e ff35bc495680    push    dword ptr [nt!PsThreadType (805649bc)]
805cc894 56              push    esi                           ; DesiredAccess = 0
805cc895 8d854cffffff    lea     eax,[ebp-0B4h]
805cc89b 50              push    eax                           ; &AccessState
805cc89c ff75cc          push    dword ptr [ebp-34h]           ; HandleAttributes
805cc89f ff75e0          push    dword ptr [ebp-20h]           ; Thread
805cc8a2 e8c503ffff      call    nt!ObOpenObjectByPointer (805bcc6c)
805cc8a7 8bf8            mov     edi,eax
805cc8a9 8d854cffffff    lea     eax,[ebp-0B4h]
805cc8af 50              push    eax
805cc8b0 e8c5520200      call    nt!SeDeleteAccessState (805f1b7a)
805cc8b5 8b4de0          mov     ecx,dword ptr [ebp-20h]
805cc8b8 e8c1adf5ff      call    nt!ObfDereferenceObject (8052767e)   ; drop the lookup reference on the thread
805cc8bd 3bfe            cmp     edi,esi
805cc8bf 0f8c6affffff    jl      nt!NtOpenThread+0x1a7 (805cc82f)
805cc8c5 c745fc02000000  mov     dword ptr [ebp-4],2           ; try level 2 around the handle write-back
805cc8cc e952ffffff      jmp     nt!NtOpenThread+0x19b (805cc823)
; --- SEH filter + handler for the level-2 write-back
805cc8d1 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc8d4 8b00            mov     eax,dword ptr [eax]
805cc8d6 8b00            mov     eax,dword ptr [eax]
805cc8d8 8945c0          mov     dword ptr [ebp-40h],eax       ; exception code
805cc8db 33c0            xor     eax,eax
805cc8dd 40              inc     eax
805cc8de c3              ret
805cc8df 8b45c0          mov     eax,dword ptr [ebp-40h]
; --- common exception exit: restore esp, return the exception code as the status
805cc8e2 8b65e8          mov     esp,dword ptr [ebp-18h]
805cc8e5 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc8e9 eb05            jmp     nt!NtOpenThread+0x268 (805cc8f0)
805cc8eb b8300000c0      mov     eax,0C0000030h               ; STATUS_INVALID_PARAMETER_MIX
805cc8f0 e8c602f7ff      call    nt!_SEH_epilog (8053cbbb)
805cc8f5 c21000          ret     10h                           ; stdcall: pop 4 args
; --- int 3 padding
805cc8f8 cc              int     3
805cc8f9 cc              int     3
805cc8fa cc              int     3
805cc8fb cc              int     3
805cc8fc cc              int     3
805cc8fd cc              int     3
;-----------------------------------------------------------------------
; nt!NtQueryPortInformationProcess -- no arguments, no frame; returns a
; BOOLEAN in eax computed only from current-thread / current-process fields.
; The offsets are consistent with the XP layouts (KTHREAD.ApcState.Process
; at +44h, ETHREAD.CrossThreadFlags at +248h with bit 4 = HideFromDebugger,
; EPROCESS.DebugPort at +0BCh, EPROCESS.ExceptionPort at +0C0h) -- confirm
; with dt nt!_ETHREAD / dt nt!_EPROCESS before relying on them.
; Result: TRUE if the process has a debug port and this thread is not
; hidden from the debugger; otherwise TRUE iff an exception port is set.
;-----------------------------------------------------------------------
nt!NtQueryPortInformationProcess:
805cc8fe 64a124010000    mov     eax,dword ptr fs:[00000124h]  ; current thread
805cc904 8b4844          mov     ecx,dword ptr [eax+44h]       ; presumably the owning process
805cc907 83b9bc00000000  cmp     dword ptr [ecx+0BCh],0        ; debug port present?
805cc90e 740d            je      nt!NtQueryPortInformationProcess+0x1f (805cc91d)
805cc910 f6804802000004  test    byte ptr [eax+248h],4         ; thread hidden from debugger?
805cc917 7504            jne     nt!NtQueryPortInformationProcess+0x1f (805cc91d)
805cc919 33c0            xor     eax,eax
805cc91b 40              inc     eax                           ; return TRUE
805cc91c c3              ret
805cc91d 33c0            xor     eax,eax
805cc91f 3981c0000000    cmp     dword ptr [ecx+0C0h],eax      ; exception port present?
805cc925 0f95c0          setne   al                            ; return (port != NULL)
805cc928 c3              ret
; --- int 3 padding
805cc929 cc              int     3
805cc92a cc              int     3
805cc92b cc              int     3
805cc92c cc              int     3
805cc92d cc              int     3
;-----------------------------------------------------------------------
; nt!PspSetQuotaLimits  (WinDbg "u" listing; x86 Windows XP kernel in a VM)
; stdcall, 5 args ("ret 14h"), MSVC SEH frame.  Reconstructed shape:
;   NTSTATUS PspSetQuotaLimits(HANDLE ProcessHandle,          ; [ebp+8]
;                              ULONG  InformationClass,       ; [ebp+0Ch] not referenced in this listing
;                              PVOID  Buffer,                 ; [ebp+10h] 20h-byte QUOTA_LIMITS copied to [ebp-60h]
;                              ULONG  Length,                 ; [ebp+14h] must be 20h
;                              KPROCESSOR_MODE PreviousMode)  ; [ebp+18h] passed to the Ob/Se checks
; Register roles: esi = current thread (from fs:[124h]); edi = status on most
;                 paths, briefly reused as the job resource pointer in the job block;
;                 ebx = PspDefaultQuotaBlock, later the job pointer.
; Locals:
;   [ebp-4]    SEH try level (0 only around the buffer copy)
;   [ebp-60h]  QUOTA_LIMITS copy; [ebp-58h]/[ebp-54h] are its +8/+0Ch fields,
;              used as the first two MmAdjustWorkingSetSizeEx args, so
;              Minimum/MaximumWorkingSetSize
;   [ebp-20h]  EPROCESS* from ObReferenceObjectByHandle
;   [ebp-40h]  KAPC_STATE for KeStackAttachProcess
;   [ebp-88h]  privilege-check context for PspSinglePrivCheck/Audit
;   [ebp-24h]  BOOLEAN result of the SeIncreaseBasePriorityPrivilege check
;   [ebp-19h]  BOOLEAN out-param written by MmAdjustWorkingSetSizeEx
;   [ebp-28h]  exception code saved by the SEH filter
; Note (review): unlike NtOpenProcess above there is no inline
; MmUserProbeAddress check on Buffer; only the __try around the rep movs
; guards the copy, so the caller is presumably expected to have probed it.
;-----------------------------------------------------------------------
nt!PspSetQuotaLimits:
805cc92e 6a78            push    78h                           ; local frame size
805cc930 6808b54d80      push    offset nt!ObWatchHandles+0x2ac (804db508)   ; SEH scope table (nearest public symbol shown)
805cc935 e84602f7ff      call    nt!_SEH_prolog (8053cb80)
805cc93a 837d1420        cmp     dword ptr [ebp+14h],20h       ; Length == sizeof(QUOTA_LIMITS)?
805cc93e 740a            je      nt!PspSetQuotaLimits+0x1c (805cc94a)
805cc940 b8040000c0      mov     eax,0C0000004h                ; STATUS_INFO_LENGTH_MISMATCH
805cc945 e926020000      jmp     nt!PspSetQuotaLimits+0x242 (805ccb70)
; --- capture the caller's buffer onto the stack under __try (level 0)
805cc94a 8365fc00        and     dword ptr [ebp-4],0           ; try level = 0
805cc94e 6a08            push    8
805cc950 59              pop     ecx                           ; 8 dwords = 20h bytes
805cc951 8b7510          mov     esi,dword ptr [ebp+10h]       ; source = Buffer
805cc954 8d7da0          lea     edi,[ebp-60h]                 ; dest = local copy
805cc957 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
805cc959 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh  ; end of __try
; --- reference the target process with access 100h (PROCESS_SET_QUOTA)
805cc95d 6a00            push    0                             ; HandleInformation = NULL
805cc95f 8d45e0          lea     eax,[ebp-20h]
805cc962 50              push    eax                           ; &Process (out)
805cc963 ff7518          push    dword ptr [ebp+18h]           ; AccessMode = PreviousMode
805cc966 ff35b8495680    push    dword ptr [nt!PsProcessType (805649b8)]
805cc96c 6800010000      push    100h                          ; DesiredAccess
805cc971 ff7508          push    dword ptr [ebp+8]             ; ProcessHandle
805cc974 e819fbfeff      call    nt!ObReferenceObjectByHandle (805bc492)
805cc979 85c0            test    eax,eax
805cc97b 0f8cef010000    jl      nt!PspSetQuotaLimits+0x242 (805ccb70)   ; failure: return status
805cc981 64a124010000    mov     eax,dword ptr fs:[00000124h]
805cc987 8bf0            mov     esi,eax                       ; esi = current thread
805cc989 33ff            xor     edi,edi                       ; edi = STATUS_SUCCESS so far
805cc98b 8b45e0          mov     eax,dword ptr [ebp-20h]       ; eax = Process
805cc98e bb60495680      mov     ebx,offset nt!PspDefaultQuotaBlock (80564960)
805cc993 399840010000    cmp     dword ptr [eax+140h],ebx      ; presumably EPROCESS.QuotaBlock -- confirm with dt nt!_EPROCESS
805cc999 0f85d9000000    jne     nt!PspSetQuotaLimits+0x14a (805cca78)   ; process already has its own quota block
; --- process still on the default quota block
805cc99f 397da8          cmp     dword ptr [ebp-58h],edi       ; MinimumWorkingSetSize == 0?
805cc9a2 7426            je      nt!PspSetQuotaLimits+0x9c (805cc9ca)
805cc9a4 397dac          cmp     dword ptr [ebp-54h],edi       ; MaximumWorkingSetSize == 0?
805cc9a7 7421            je      nt!PspSetQuotaLimits+0x9c (805cc9ca)
805cc9a9 837da8ff        cmp     dword ptr [ebp-58h],0FFFFFFFFh
805cc9ad 0f843d010000    je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)   ; -1 -> go straight to the working-set adjust
805cc9b3 837dacff        cmp     dword ptr [ebp-54h],0FFFFFFFFh
805cc9b7 0f8433010000    je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805cc9bd 8b9834010000    mov     ebx,dword ptr [eax+134h]      ; presumably EPROCESS.Job -- confirm with dt nt!_EPROCESS
805cc9c3 3bdf            cmp     ebx,edi                       ; flags consumed by the je at +0x172
805cc9c5 e9d6000000      jmp     nt!PspSetQuotaLimits+0x172 (805ccaa0)
; --- a zero working-set limit means "give this process its own quota block": requires SeIncreaseQuotaPrivilege
805cc9ca ff7518          push    dword ptr [ebp+18h]           ; PreviousMode
805cc9cd ff35a8dc6780    push    dword ptr [nt!SeIncreaseQuotaPrivilege+0x4 (8067dca8)]   ; LUID high
805cc9d3 ff35a4dc6780    push    dword ptr [nt!SeIncreaseQuotaPrivilege (8067dca4)]       ; LUID low
805cc9d9 e8d6c20200      call    nt!SeSinglePrivilegeCheck (805f8cb4)
805cc9de 84c0            test    al,al
805cc9e0 750a            jne     nt!PspSetQuotaLimits+0xbe (805cc9ec)
805cc9e2 bf610000c0      mov     edi,0C0000061h                ; STATUS_PRIVILEGE_NOT_HELD
805cc9e7 e960010000      jmp     nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cc9ec 6850735162      push    62517350h                     ; pool tag 'PsQb'
805cc9f1 6a40            push    40h                           ; 40h bytes
805cc9f3 57              push    edi                           ; PoolType = 0 (NonPagedPool)
805cc9f4 e86ffff7ff      call    nt!ExAllocatePoolWithTag (8054c968)
805cc9f9 8bd0            mov     edx,eax                       ; edx = new quota block
805cc9fb 3bd7            cmp     edx,edi
805cc9fd 750a            jne     nt!PspSetQuotaLimits+0xdb (805cca09)
805cc9ff bf170000c0      mov     edi,0C0000017h                ; STATUS_NO_MEMORY
805cca04 e943010000      jmp     nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cca09 6a10            push    10h
805cca0b 59              pop     ecx                           ; 16 dwords
805cca0c 33c0            xor     eax,eax
805cca0e 8bfa            mov     edi,edx
805cca10 f3ab            rep stos dword ptr es:[edi]           ; zero the 40h-byte block
805cca12 40              inc     eax
805cca13 894238          mov     dword ptr [edx+38h],eax       ; block+38h = 1
805cca16 89423c          mov     dword ptr [edx+3Ch],eax       ; block+3Ch = 1 (presumably reference/process counts)
805cca19 8b4de0          mov     ecx,dword ptr [ebp-20h]       ; ecx = Process
805cca1c 8b819c000000    mov     eax,dword ptr [ecx+9Ch]
805cca22 894208          mov     dword ptr [edx+8],eax         ; seed the block from three per-process usage fields
805cca25 8b81a0000000    mov     eax,dword ptr [ecx+0A0h]
805cca2b 894218          mov     dword ptr [edx+18h],eax
805cca2e 8b81a4000000    mov     eax,dword ptr [ecx+0A4h]
805cca34 894228          mov     dword ptr [edx+28h],eax
805cca37 a1ac495680      mov     eax,dword ptr [nt!PspDefaultPagedLimit (805649ac)]
805cca3c 894214          mov     dword ptr [edx+14h],eax       ; paged limit
805cca3f a1a8495680      mov     eax,dword ptr [nt!PspDefaultNonPagedLimit (805649a8)]
805cca44 894204          mov     dword ptr [edx+4],eax         ; non-paged limit
805cca47 a1a4495680      mov     eax,dword ptr [nt!PspDefaultPagefileLimit (805649a4)]
805cca4c 894224          mov     dword ptr [edx+24h],eax       ; pagefile limit
; --- install it atomically: only if the process still points at PspDefaultQuotaBlock
805cca4f 8bf2            mov     esi,edx                       ; new value
805cca51 8bc3            mov     eax,ebx                       ; expected = PspDefaultQuotaBlock
805cca53 81c140010000    add     ecx,140h                      ; &Process->QuotaBlock
805cca59 f00fb131        lock cmpxchg dword ptr [ecx],esi
805cca5d 3bc3            cmp     eax,ebx
805cca5f 740a            je      nt!PspSetQuotaLimits+0x13d (805cca6b)   ; swap succeeded
805cca61 6a00            push    0
805cca63 52              push    edx
805cca64 e877f8f7ff      call    nt!ExFreePoolWithTag (8054c2e0)   ; lost the race: free ours
805cca69 eb06            jmp     nt!PspSetQuotaLimits+0x143 (805cca71)
805cca6b 52              push    edx
805cca6c e8a5f1f5ff      call    nt!PspInsertQuotaBlock (8052bc16)
805cca71 33ff            xor     edi,edi                       ; STATUS_SUCCESS
805cca73 e9d4000000      jmp     nt!PspSetQuotaLimits+0x21e (805ccb4c)
; --- process already has a private quota block: a zero limit is a no-op success
805cca78 837da800        cmp     dword ptr [ebp-58h],0
805cca7c 0f84ca000000    je      nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cca82 837dac00        cmp     dword ptr [ebp-54h],0
805cca86 0f84c0000000    je      nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cca8c 837da8ff        cmp     dword ptr [ebp-58h],0FFFFFFFFh
805cca90 745e            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805cca92 837dacff        cmp     dword ptr [ebp-54h],0FFFFFFFFh
805cca96 7458            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805cca98 8b9834010000    mov     ebx,dword ptr [eax+134h]      ; presumably EPROCESS.Job
805cca9e 85db            test    ebx,ebx
805ccaa0 744e            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)   ; no job: use the caller's limits
; --- process is in a job: under the job's resource, let the job override the working-set limits
805ccaa2 8d7b20          lea     edi,[ebx+20h]                 ; edi = &job+20h, presumably an ERESOURCE
805ccaa5 6a01            push    1                             ; Wait = TRUE
805ccaa7 ff8ed4000000    dec     dword ptr [esi+0D4h]          ; looks like inlined KeEnterCriticalRegion (KTHREAD.KernelApcDisable) -- confirm
805ccaad 57              push    edi
805ccaae e869a7f6ff      call    nt!ExAcquireResourceSharedLite (8053721c)
805ccab3 f6839800000001  test    byte ptr [ebx+98h],1          ; job limit flag bit 1 (working-set limit active?)
805ccaba 7412            je      nt!PspSetQuotaLimits+0x1a0 (805ccace)
805ccabc 8b839c000000    mov     eax,dword ptr [ebx+9Ch]
805ccac2 8945a8          mov     dword ptr [ebp-58h],eax       ; MinimumWorkingSetSize := job value
805ccac5 8b83a0000000    mov     eax,dword ptr [ebx+0A0h]
805ccacb 8945ac          mov     dword ptr [ebp-54h],eax       ; MaximumWorkingSetSize := job value
805ccace 8bcf            mov     ecx,edi                       ; fastcall arg
805ccad0 e89b9cf6ff      call    nt!ExReleaseResourceLite (80536770)
805ccad5 ff86d4000000    inc     dword ptr [esi+0D4h]          ; inlined KeLeaveCriticalRegion, see below
805ccadb 7513            jne     nt!PspSetQuotaLimits+0x1c2 (805ccaf0)   ; still disabled: nothing to deliver
805ccadd 8d4634          lea     eax,[esi+34h]                 ; list head (presumably the kernel APC list)
805ccae0 3900            cmp     dword ptr [eax],eax           ; Flink == &head -> empty
805ccae2 740c            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805ccae4 c6464901        mov     byte ptr [esi+49h],1          ; presumably KernelApcPending = TRUE
805ccae8 b101            mov     cl,1                          ; APC_LEVEL
805ccaea ff150c914d80    call    dword ptr [nt!_imp_HalRequestSoftwareInterrupt (804d910c)]
; --- apply the working-set limits in the target process's context
805ccaf0 8d8578ffffff    lea     eax,[ebp-88h]
805ccaf6 50              push    eax                           ; privilege-check context (out)
805ccaf7 ff7518          push    dword ptr [ebp+18h]           ; PreviousMode
805ccafa ff35e0dc6780    push    dword ptr [nt!SeIncreaseBasePriorityPrivilege+0x4 (8067dce0)]   ; LUID high
805ccb00 ff35dcdc6780    push    dword ptr [nt!SeIncreaseBasePriorityPrivilege (8067dcdc)]       ; LUID low
805ccb06 e8d9310000      call    nt!PspSinglePrivCheck (805cfce4)
805ccb0b 8845dc          mov     byte ptr [ebp-24h],al         ; privileged?
805ccb0e 8d45c0          lea     eax,[ebp-40h]
805ccb11 50              push    eax                           ; &ApcState
805ccb12 ff75e0          push    dword ptr [ebp-20h]           ; Process
805ccb15 e808d1f2ff      call    nt!KeStackAttachProcess (804f9c22)
805ccb1a 8d45e7          lea     eax,[ebp-19h]
805ccb1d 50              push    eax                           ; BOOLEAN out (audited below)
805ccb1e 6a00            push    0
805ccb20 ff75dc          push    dword ptr [ebp-24h]           ; privilege result
805ccb23 6a00            push    0
805ccb25 ff75ac          push    dword ptr [ebp-54h]           ; MaximumWorkingSetSize
805ccb28 ff75a8          push    dword ptr [ebp-58h]           ; MinimumWorkingSetSize
805ccb2b e8800c0800      call    nt!MmAdjustWorkingSetSizeEx (8064d7b0)
805ccb30 8bf8            mov     edi,eax                       ; edi = status
805ccb32 8d45c0          lea     eax,[ebp-40h]
805ccb35 50              push    eax
805ccb36 e899cbf2ff      call    nt!KeUnstackDetachProcess (804f96d4)
805ccb3b 8d8578ffffff    lea     eax,[ebp-88h]
805ccb41 50              push    eax                           ; privilege-check context
805ccb42 0fb645e7        movzx   eax,byte ptr [ebp-19h]
805ccb46 50              push    eax                           ; whether the privilege was actually used
805ccb47 e8e8310000      call    nt!PspSinglePrivCheckAudit (805cfd34)
; --- common exit: release the process reference, return edi
805ccb4c 8b4de0          mov     ecx,dword ptr [ebp-20h]
805ccb4f e82aabf5ff      call    nt!ObfDereferenceObject (8052767e)   ; fastcall, ecx = Process
805ccb54 8bc7            mov     eax,edi
805ccb56 eb18            jmp     nt!PspSetQuotaLimits+0x242 (805ccb70)
; --- SEH filter for the buffer copy: save the exception code, return EXCEPTION_EXECUTE_HANDLER
805ccb58 8b45ec          mov     eax,dword ptr [ebp-14h]       ; EXCEPTION_POINTERS*
805ccb5b 8b00            mov     eax,dword ptr [eax]
805ccb5d 8b00            mov     eax,dword ptr [eax]           ; ExceptionCode
805ccb5f 8945d8          mov     dword ptr [ebp-28h],eax
805ccb62 33c0            xor     eax,eax
805ccb64 40              inc     eax
805ccb65 c3              ret
; --- handler: restore esp, status = exception code
805ccb66 8b65e8          mov     esp,dword ptr [ebp-18h]
805ccb69 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805ccb6d 8b45d8          mov     eax,dword ptr [ebp-28h]
805ccb70 e84600f7ff      call    nt!_SEH_epilog (8053cbbb)
805ccb75 c21400          ret     14h                           ; stdcall: pop 5 args
; --- int 3 padding
805ccb78 cc              int     3
805ccb79 cc              int     3
805ccb7a cc              int     3
805ccb7b cc              int     3
805ccb7c cc              int     3
805ccb7d cc              int     3
nt!NtQueryInformationThread:
805ccb7e 6890000000      push    90h
805ccb83 6818b54d80      push    offset nt!ObWatchHandles+0x2bc (804db518)
805ccb88 e8f3fff6ff      call    nt!_SEH_prolog (8053cb80)
805ccb8d 64a124010000    mov     eax,dword ptr fs:[00000124h]
805ccb93 8bd8            mov     ebx,eax
805ccb95 8a8340010000    mov     al,byte ptr [ebx+140h]
805ccb9b 8845e4          mov     byte ptr [ebp-1Ch],al
805ccb9e 84c0            test    al,al
805ccba0 744e            je      nt!NtQueryInformationThread+0x72 (805ccbf0)
805ccba2 8365fc00        and     dword ptr [ebp-4],0
805ccba6 6a04            push    4
805ccba8 8b7514          mov     esi,dword ptr [ebp+14h]
805ccbab 56              push    esi
805ccbac 8b7d10          mov     edi,dword ptr [ebp+10h]
805ccbaf 57              push    edi
805ccbb0 e8959e0400      call    nt!ProbeForWrite (80616a4a)
805ccbb5 8b4d18          mov     ecx,dword ptr [ebp+18h]
805ccbb8 33d2            xor     edx,edx
805ccbba 3bca            cmp     ecx,edx
805ccbbc 740f            je      nt!NtQueryInformationThread+0x4f (805ccbcd)
805ccbbe a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805ccbc3 3bc8            cmp     ecx,eax
805ccbc5 7202            jb      nt!NtQueryInformationThread+0x4b (805ccbc9)
805ccbc7 8910            mov     dword ptr [eax],edx
805ccbc9 8b01            mov     eax,dword ptr [ecx]
805ccbcb 8901            mov     dword ptr [ecx],eax
805ccbcd 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805ccbd1 eb25            jmp     nt!NtQueryInformationThread+0x7a (805ccbf8)
805ccbd3 8b45ec          mov     eax,dword ptr [ebp-14h]
805ccbd6 8b00            mov     eax,dword ptr [eax]
805ccbd8 8b00            mov     eax,dword ptr [eax]
805ccbda 8945b8          mov     dword ptr [ebp-48h],eax
805ccbdd 33c0            xor     eax,eax
805ccbdf 40              inc     eax
805ccbe0 c3              ret
805ccbe1 8b45b8          mov     eax,dword ptr [ebp-48h]
805ccbe4 8b65e8          mov     esp,dword ptr [ebp-18h]
805ccbe7 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805ccbeb e9cc040000      jmp     nt!NtQueryInformationThread+0x53e (805cd0bc)
805ccbf0 8b7514          mov     esi,dword ptr [ebp+14h]
805ccbf3 8b7d10          mov     edi,dword ptr [ebp+10h]
805ccbf6 33d2            xor     edx,edx
805ccbf8 6a04            push    4
805ccbfa 59              pop     ecx
805ccbfb 8b450c          mov     eax,dword ptr [ebp+0Ch]
805ccbfe 83f80b          cmp     eax,0Bh
805ccc01 0f8ffb020000    jg      nt!NtQueryInformationThread+0x384 (805ccf02)
805ccc07 0f8482020000    je      nt!NtQueryInformationThread+0x311 (805cce8f)
805ccc0d 2bc2            sub     eax,edx
nt!NtOpenProcess:
805cc3fc 68c4000000      push    0C4h
805cc401 68b8b44d80      push    offset nt!ObWatchHandles+0x25c (804db4b8)
805cc406 e87507f7ff      call    nt!_SEH_prolog (8053cb80)
805cc40b 33f6            xor     esi,esi
805cc40d 8975d4          mov     dword ptr [ebp-2Ch],esi
805cc410 33c0            xor     eax,eax
805cc412 8d7dd8          lea     edi,[ebp-28h]
805cc415 ab              stos    dword ptr es:[edi]
805cc416 64a124010000    mov     eax,dword ptr fs:[00000124h]
805cc41c 8a8040010000    mov     al,byte ptr [eax+140h]
805cc422 8845cc          mov     byte ptr [ebp-34h],al
805cc425 84c0            test    al,al
805cc427 0f848f000000    je      nt!NtOpenProcess+0xc0 (805cc4bc)
805cc42d 8975fc          mov     dword ptr [ebp-4],esi
805cc430 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc435 8b4d08          mov     ecx,dword ptr [ebp+8]
805cc438 3bc8            cmp     ecx,eax
805cc43a 7202            jb      nt!NtOpenProcess+0x42 (805cc43e)
805cc43c 8930            mov     dword ptr [eax],esi
805cc43e 8b01            mov     eax,dword ptr [ecx]
805cc440 8901            mov     dword ptr [ecx],eax
805cc442 8b5d10          mov     ebx,dword ptr [ebp+10h]
805cc445 f6c303          test    bl,3
805cc448 7405            je      nt!NtOpenProcess+0x53 (805cc44f)
805cc44a e8178c0400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc44f a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc454 3bd8            cmp     ebx,eax
805cc456 7207            jb      nt!NtOpenProcess+0x63 (805cc45f)
805cc458 8930            mov     dword ptr [eax],esi
805cc45a a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc45f 397308          cmp     dword ptr [ebx+8],esi
805cc462 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc466 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]
805cc469 894dc8          mov     dword ptr [ebp-38h],ecx
805cc46c 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc46f 3bce            cmp     ecx,esi
805cc471 7429            je      nt!NtOpenProcess+0xa0 (805cc49c)
805cc473 f6c103          test    cl,3
805cc476 740d            je      nt!NtOpenProcess+0x89 (805cc485)
805cc478 e8e98b0400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc47d a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc482 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc485 3bc8            cmp     ecx,eax
805cc487 7202            jb      nt!NtOpenProcess+0x8f (805cc48b)
805cc489 8930            mov     dword ptr [eax],esi
805cc48b 8b01            mov     eax,dword ptr [ecx]
805cc48d 8945d4          mov     dword ptr [ebp-2Ch],eax
805cc490 8b4104          mov     eax,dword ptr [ecx+4]
805cc493 8945d8          mov     dword ptr [ebp-28h],eax
805cc496 c645e701        mov     byte ptr [ebp-19h],1
805cc49a eb04            jmp     nt!NtOpenProcess+0xa4 (805cc4a0)
805cc49c c645e700        mov     byte ptr [ebp-19h],0
805cc4a0 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc4a4 eb42            jmp     nt!NtOpenProcess+0xec (805cc4e8)
805cc4a6 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc4a9 8b00            mov     eax,dword ptr [eax]
805cc4ab 8b00            mov     eax,dword ptr [eax]
805cc4ad 8945c4          mov     dword ptr [ebp-3Ch],eax
805cc4b0 33c0            xor     eax,eax
805cc4b2 40              inc     eax
805cc4b3 c3              ret
805cc4b4 8b45c4          mov     eax,dword ptr [ebp-3Ch]
805cc4b7 e9b0010000      jmp     nt!NtOpenProcess+0x270 (805cc66c)
805cc4bc 8b5d10          mov     ebx,dword ptr [ebp+10h]
805cc4bf 397308          cmp     dword ptr [ebx+8],esi
0: kd> u NtOpenProcess l a
nt!NtOpenProcess:
805cc3fc 68c4000000      push    0C4h
805cc401 68b8b44d80      push    offset nt!ObWatchHandles+0x25c (804db4b8)
805cc406 e87507f7ff      call    nt!_SEH_prolog (8053cb80)
805cc40b 33f6            xor     esi,esi
805cc40d 8975d4          mov     dword ptr [ebp-2Ch],esi
805cc410 33c0            xor     eax,eax
805cc412 8d7dd8          lea     edi,[ebp-28h]
805cc415 ab              stos    dword ptr es:[edi]
805cc416 64a124010000    mov     eax,dword ptr fs:[00000124h]
805cc41c 8a8040010000    mov     al,byte ptr [eax+140h]
0: kd> u NtOpenProcess l 29
nt!NtOpenProcess:
805cc3fc 68c4000000      push    0C4h
805cc401 68b8b44d80      push    offset nt!ObWatchHandles+0x25c (804db4b8)
805cc406 e87507f7ff      call    nt!_SEH_prolog (8053cb80)
805cc40b 33f6            xor     esi,esi
805cc40d 8975d4          mov     dword ptr [ebp-2Ch],esi
805cc410 33c0            xor     eax,eax
805cc412 8d7dd8          lea     edi,[ebp-28h]
805cc415 ab              stos    dword ptr es:[edi]
805cc416 64a124010000    mov     eax,dword ptr fs:[00000124h]
805cc41c 8a8040010000    mov     al,byte ptr [eax+140h]
805cc422 8845cc          mov     byte ptr [ebp-34h],al
805cc425 84c0            test    al,al
805cc427 0f848f000000    je      nt!NtOpenProcess+0xc0 (805cc4bc)
805cc42d 8975fc          mov     dword ptr [ebp-4],esi
805cc430 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc435 8b4d08          mov     ecx,dword ptr [ebp+8]
805cc438 3bc8            cmp     ecx,eax
805cc43a 7202            jb      nt!NtOpenProcess+0x42 (805cc43e)
805cc43c 8930            mov     dword ptr [eax],esi
805cc43e 8b01            mov     eax,dword ptr [ecx]
805cc440 8901            mov     dword ptr [ecx],eax
805cc442 8b5d10          mov     ebx,dword ptr [ebp+10h]
805cc445 f6c303          test    bl,3
805cc448 7405            je      nt!NtOpenProcess+0x53 (805cc44f)
805cc44a e8178c0400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc44f a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc454 3bd8            cmp     ebx,eax
805cc456 7207            jb      nt!NtOpenProcess+0x63 (805cc45f)
805cc458 8930            mov     dword ptr [eax],esi
805cc45a a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc45f 397308          cmp     dword ptr [ebx+8],esi
805cc462 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc466 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]
805cc469 894dc8          mov     dword ptr [ebp-38h],ecx
805cc46c 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc46f 3bce            cmp     ecx,esi
805cc471 7429            je      nt!NtOpenProcess+0xa0 (805cc49c)
805cc473 f6c103          test    cl,3
805cc476 740d            je      nt!NtOpenProcess+0x89 (805cc485)
805cc478 e8e98b0400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc47d a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
0: kd> u NtOpenProcess l 28B
; ---------------------------------------------------------------------------
; nt!NtOpenProcess -- Windows XP x86 kernel, as disassembled in the VM above.
;
; stdcall, four dword arguments (see "ret 10h" at the end).  Roles are read
; off how each slot is used below (public prototype names for convenience):
;   [ebp+8]    PHANDLE ProcessHandle     -- written with the new handle at 805cc59d
;   [ebp+0Ch]  ACCESS_MASK DesiredAccess -- handed to SeCreateAccessState
;   [ebp+10h]  POBJECT_ATTRIBUTES        -- passed whole to ObOpenObjectByName;
;              +8 (ObjectName) and +0Ch (Attributes) are read directly here
;   [ebp+14h]  PCLIENT_ID, optional      -- 8 bytes {UniqueProcess, UniqueThread}
;              consumed by PsLookupProcessByProcessId / PsLookupProcessThreadByCid
;
; Locals (relative to ebp after _SEH_prolog):
;   [ebp-4] try level   [ebp-14h] EXCEPTION_POINTERS*   [ebp-18h] esp to unwind to
;   [ebp-19h] ClientId given?   [ebp-1Ah] ObjectName given?   [ebp-20h] HANDLE out
;   [ebp-24h] EPROCESS*   [ebp-28h] UniqueThread   [ebp-2Ch] UniqueProcess
;   [ebp-30h] ETHREAD* (Cid path)   [ebp-34h] caller's previous mode
;   [ebp-38h] OBJECT_ATTRIBUTES.Attributes   [ebp-0B8h] ACCESS_STATE
;   [ebp-0D4h] AUX_ACCESS_DATA   [ebp-3Ch]/[ebp-40h]/[ebp-44h] saved exception codes
;
; Security-relevant points visible in this listing:
;   * Every touch of caller memory sits inside a __try (try levels 0, 1, 2); the
;     filter returns EXCEPTION_EXECUTE_HANDLER and the exception code is returned
;     as the NTSTATUS.  Probing is skipped entirely when the previous-mode byte
;     is 0 (kernel caller).
;   * CLIENT_ID is copied into the frame once and only the copy is used by the
;     lookups (no double fetch of the id pair from user memory).
;   * A caller holding SeDebugPrivilege has all remaining desired access moved to
;     PreviouslyGrantedAccess before the open (805cc51f..805cc556), so the
;     process DACL is never consulted for it.
;   * Exactly one of ObjectName / ClientId must be supplied; both or neither
;     -> 0C0000030h (STATUS_INVALID_PARAMETER_MIX).
;   * NOTE(review): if the final "*ProcessHandle = Handle" store (805cc59d)
;     faults, the handle already exists in the caller's table and is not closed;
;     the caller only receives the exception status.
;   * The first instruction is a 5-byte push (68 c4 00 00 00) -- the usual
;     inline-hook/detour target; a prologue integrity check should expect those bytes.
; Structure offsets (KTHREAD+140h, OBJECT_ATTRIBUTES +8/+0Ch, ACCESS_STATE
; +10h/+14h, OBJECT_TYPE+68h) are quoted from the public XP layouts; confirm with
; dt nt!_KTHREAD / dt nt!_ACCESS_STATE / dt nt!_OBJECT_TYPE on the actual build.
; ---------------------------------------------------------------------------
nt!NtOpenProcess:
805cc3fc 68c4000000      push    0C4h  ; size of locals for _SEH_prolog
805cc401 68b8b44d80      push    offset nt!ObWatchHandles+0x25c (804db4b8)  ; SEH scope table (symbolized against the nearest public symbol, not really ObWatchHandles)
805cc406 e87507f7ff      call    nt!_SEH_prolog (8053cb80)  ; builds the frame-based __try frame
805cc40b 33f6            xor     esi,esi  ; esi = 0 for the whole function
805cc40d 8975d4          mov     dword ptr [ebp-2Ch],esi  ; UniqueProcess = 0
805cc410 33c0            xor     eax,eax
805cc412 8d7dd8          lea     edi,[ebp-28h]
805cc415 ab              stos    dword ptr es:[edi]  ; UniqueThread = 0
805cc416 64a124010000    mov     eax,dword ptr fs:[00000124h]  ; current KTHREAD (KPCR.PrcbData.CurrentThread)
805cc41c 8a8040010000    mov     al,byte ptr [eax+140h]  ; previous-mode byte (KTHREAD.PreviousMode on XP); 0 = KernelMode
805cc422 8845cc          mov     byte ptr [ebp-34h],al  ; kept as the AccessMode passed to Se*/Ob* below
805cc425 84c0            test    al,al
805cc427 0f848f000000    je      nt!NtOpenProcess+0xc0 (805cc4bc)  ; kernel caller: skip all probing
805cc42d 8975fc          mov     dword ptr [ebp-4],esi  ; __try level 0 -- user pointers are touched from here on
805cc430 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc435 8b4d08          mov     ecx,dword ptr [ebp+8]  ; ProcessHandle (out)
805cc438 3bc8            cmp     ecx,eax
805cc43a 7202            jb      nt!NtOpenProcess+0x42 (805cc43e)
805cc43c 8930            mov     dword ptr [eax],esi  ; pointer >= MmUserProbeAddress: store to the probe address itself, which always faults
805cc43e 8b01            mov     eax,dword ptr [ecx]
805cc440 8901            mov     dword ptr [ecx],eax  ; read + write-back = inlined ProbeForWriteHandle; a read-only page faults now, not after the handle exists
805cc442 8b5d10          mov     ebx,dword ptr [ebp+10h]  ; ebx = ObjectAttributes for the rest of the function
805cc445 f6c303          test    bl,3
805cc448 7405            je      nt!NtOpenProcess+0x53 (805cc44f)
805cc44a e8178c0400      call    nt!ExRaiseDatatypeMisalignment (80615066)  ; misaligned struct pointer -> raise (does not return)
805cc44f a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc454 3bd8            cmp     ebx,eax
805cc456 7207            jb      nt!NtOpenProcess+0x63 (805cc45f)
805cc458 8930            mov     dword ptr [eax],esi  ; forced fault for a kernel-range ObjectAttributes pointer
805cc45a a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]  ; dead reload (not used on this path)
805cc45f 397308          cmp     dword ptr [ebx+8],esi  ; OBJECT_ATTRIBUTES.ObjectName; NOTE(review): only the base was range-checked, +8/+0Ch presumably rely on the guard region above MmUserProbeAddress
805cc462 0f9545e6        setne   byte ptr [ebp-1Ah]  ; [ebp-1Ah] = ObjectName supplied
805cc466 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]  ; OBJECT_ATTRIBUTES.Attributes
805cc469 894dc8          mov     dword ptr [ebp-38h],ecx  ; reused as HandleAttributes for ObOpenObjectByPointer
805cc46c 8b4d14          mov     ecx,dword ptr [ebp+14h]  ; ClientId (optional)
805cc46f 3bce            cmp     ecx,esi
805cc471 7429            je      nt!NtOpenProcess+0xa0 (805cc49c)  ; NULL -> no ClientId
805cc473 f6c103          test    cl,3
805cc476 740d            je      nt!NtOpenProcess+0x89 (805cc485)
805cc478 e8e98b0400      call    nt!ExRaiseDatatypeMisalignment (80615066)  ; misaligned CLIENT_ID -> raise
805cc47d a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc482 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc485 3bc8            cmp     ecx,eax
805cc487 7202            jb      nt!NtOpenProcess+0x8f (805cc48b)
805cc489 8930            mov     dword ptr [eax],esi  ; forced fault for a kernel-range ClientId pointer
805cc48b 8b01            mov     eax,dword ptr [ecx]
805cc48d 8945d4          mov     dword ptr [ebp-2Ch],eax  ; capture UniqueProcess
805cc490 8b4104          mov     eax,dword ptr [ecx+4]
805cc493 8945d8          mov     dword ptr [ebp-28h],eax  ; capture UniqueThread -- the user CLIENT_ID is never read again
805cc496 c645e701        mov     byte ptr [ebp-19h],1  ; ClientId supplied
805cc49a eb04            jmp     nt!NtOpenProcess+0xa4 (805cc4a0)
805cc49c c645e700        mov     byte ptr [ebp-19h],0  ; ClientId not supplied
805cc4a0 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh  ; end of __try level 0
805cc4a4 eb42            jmp     nt!NtOpenProcess+0xec (805cc4e8)
; __except filter for try level 0: save ExceptionRecord->ExceptionCode, return EXCEPTION_EXECUTE_HANDLER
805cc4a6 8b45ec          mov     eax,dword ptr [ebp-14h]  ; EXCEPTION_POINTERS*
805cc4a9 8b00            mov     eax,dword ptr [eax]  ; ->ExceptionRecord
805cc4ab 8b00            mov     eax,dword ptr [eax]  ; ->ExceptionCode
805cc4ad 8945c4          mov     dword ptr [ebp-3Ch],eax
805cc4b0 33c0            xor     eax,eax
805cc4b2 40              inc     eax  ; = 1 (EXCEPTION_EXECUTE_HANDLER)
805cc4b3 c3              ret
; __except body: return the exception code as the NTSTATUS
805cc4b4 8b45c4          mov     eax,dword ptr [ebp-3Ch]
805cc4b7 e9b0010000      jmp     nt!NtOpenProcess+0x270 (805cc66c)
; Kernel-mode caller (previous mode == 0): same captures, no probing, no __try
805cc4bc 8b5d10          mov     ebx,dword ptr [ebp+10h]
805cc4bf 397308          cmp     dword ptr [ebx+8],esi
805cc4c2 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc4c6 8b430c          mov     eax,dword ptr [ebx+0Ch]
805cc4c9 8945c8          mov     dword ptr [ebp-38h],eax
805cc4cc 8b4514          mov     eax,dword ptr [ebp+14h]
805cc4cf 3bc6            cmp     eax,esi
805cc4d1 7411            je      nt!NtOpenProcess+0xe8 (805cc4e4)
805cc4d3 8b08            mov     ecx,dword ptr [eax]
805cc4d5 894dd4          mov     dword ptr [ebp-2Ch],ecx
805cc4d8 8b4004          mov     eax,dword ptr [eax+4]
805cc4db 8945d8          mov     dword ptr [ebp-28h],eax
805cc4de c645e701        mov     byte ptr [ebp-19h],1
805cc4e2 eb04            jmp     nt!NtOpenProcess+0xec (805cc4e8)
805cc4e4 c645e700        mov     byte ptr [ebp-19h],0
; Both paths join here with the captured arguments.
805cc4e8 807de600        cmp     byte ptr [ebp-1Ah],0
805cc4ec 740a            je      nt!NtOpenProcess+0xfc (805cc4f8)
805cc4ee 807de700        cmp     byte ptr [ebp-19h],0
805cc4f2 0f857d010000    jne     nt!NtOpenProcess+0x279 (805cc675)  ; ObjectName AND ClientId -> STATUS_INVALID_PARAMETER_MIX
805cc4f8 a1b8495680      mov     eax,dword ptr [nt!PsProcessType (805649b8)]
805cc4fd 83c068          add     eax,68h  ; &PsProcessType->TypeInfo.GenericMapping
805cc500 50              push    eax
805cc501 ff750c          push    dword ptr [ebp+0Ch]  ; DesiredAccess
805cc504 8d852cffffff    lea     eax,[ebp-0D4h]
805cc50a 50              push    eax  ; &AuxData
805cc50b 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc511 50              push    eax  ; &AccessState
805cc512 e8a1580200      call    nt!SeCreateAccessState (805f1db8)
805cc517 3bc6            cmp     eax,esi
805cc519 0f8c5b010000    jl      nt!NtOpenProcess+0x27e (805cc67a)  ; failed -> return status
; SeDebugPrivilege short-circuit: everything still wanted becomes "already granted".
805cc51f ff75cc          push    dword ptr [ebp-34h]  ; PreviousMode
805cc522 ff3520dd6780    push    dword ptr [nt!SeDebugPrivilege+0x4 (8067dd20)]  ; LUID high part
805cc528 ff351cdd6780    push    dword ptr [nt!SeDebugPrivilege (8067dd1c)]  ; LUID low part
805cc52e e881c70200      call    nt!SeSinglePrivilegeCheck (805f8cb4)
805cc533 84c0            test    al,al
805cc535 7425            je      nt!NtOpenProcess+0x160 (805cc55c)  ; privilege not held: normal access check applies
805cc537 8b8558ffffff    mov     eax,dword ptr [ebp-0A8h]  ; AccessState.RemainingDesiredAccess
805cc53d a900000002      test    eax,2000000h  ; MAXIMUM_ALLOWED requested?
805cc542 740c            je      nt!NtOpenProcess+0x154 (805cc550)
805cc544 818d5cffffffff0f1f00 or  dword ptr [ebp-0A4h],1F0FFFh  ; PreviouslyGrantedAccess |= PROCESS_ALL_ACCESS (XP value)
805cc54e eb06            jmp     nt!NtOpenProcess+0x15a (805cc556)
805cc550 09855cffffff    or      dword ptr [ebp-0A4h],eax  ; PreviouslyGrantedAccess |= RemainingDesiredAccess
805cc556 89b558ffffff    mov     dword ptr [ebp-0A8h],esi  ; RemainingDesiredAccess = 0 -> the DACL check has nothing left to deny
805cc55c 807de600        cmp     byte ptr [ebp-1Ah],0
805cc560 745e            je      nt!NtOpenProcess+0x1c4 (805cc5c0)  ; no ObjectName -> CLIENT_ID path
; Open by name: ObOpenObjectByName(ObjectAttributes, PsProcessType, PreviousMode, &AccessState, 0, NULL, &Handle)
805cc562 8d45e0          lea     eax,[ebp-20h]
805cc565 50              push    eax  ; &Handle
805cc566 56              push    esi  ; ParseContext = NULL
805cc567 56              push    esi  ; DesiredAccess = 0 (already carried by AccessState)
805cc568 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc56e 50              push    eax  ; &AccessState
805cc56f ff75cc          push    dword ptr [ebp-34h]  ; PreviousMode
805cc572 ff35b8495680    push    dword ptr [nt!PsProcessType (805649b8)]
805cc578 53              push    ebx  ; ObjectAttributes (still the caller's pointer)
805cc579 e86803ffff      call    nt!ObOpenObjectByName (805bc8e6)
805cc57e 8bf8            mov     edi,eax  ; edi = status
805cc580 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc586 50              push    eax
805cc587 e8ee550200      call    nt!SeDeleteAccessState (805f1b7a)
805cc58c 3bfe            cmp     edi,esi
805cc58e 7c13            jl      nt!NtOpenProcess+0x1a7 (805cc5a3)  ; open failed -> return status
805cc590 c745fc01000000  mov     dword ptr [ebp-4],1  ; __try level 1: the handle is live in the caller's table from here
805cc597 8b45e0          mov     eax,dword ptr [ebp-20h]
805cc59a 8b4d08          mov     ecx,dword ptr [ebp+8]
805cc59d 8901            mov     dword ptr [ecx],eax  ; *ProcessHandle = Handle; may fault if the page went away since the probe -- the handle is then left open
805cc59f 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc5a3 8bc7            mov     eax,edi  ; return status
805cc5a5 e9d0000000      jmp     nt!NtOpenProcess+0x27e (805cc67a)
; __except filter / body for try level 1 (same shape as above)
805cc5aa 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc5ad 8b00            mov     eax,dword ptr [eax]
805cc5af 8b00            mov     eax,dword ptr [eax]
805cc5b1 8945c0          mov     dword ptr [ebp-40h],eax
805cc5b4 33c0            xor     eax,eax
805cc5b6 40              inc     eax
805cc5b7 c3              ret
805cc5b8 8b45c0          mov     eax,dword ptr [ebp-40h]
805cc5bb e9ac000000      jmp     nt!NtOpenProcess+0x270 (805cc66c)
; Open by CLIENT_ID
805cc5c0 807de700        cmp     byte ptr [ebp-19h],0
805cc5c4 0f84ab000000    je      nt!NtOpenProcess+0x279 (805cc675)  ; neither ObjectName nor ClientId -> STATUS_INVALID_PARAMETER_MIX
805cc5ca 8975d0          mov     dword ptr [ebp-30h],esi  ; Thread = NULL
805cc5cd 3975d8          cmp     dword ptr [ebp-28h],esi  ; UniqueThread given?
805cc5d0 7425            je      nt!NtOpenProcess+0x1fb (805cc5f7)
805cc5d2 8d45d0          lea     eax,[ebp-30h]
805cc5d5 50              push    eax  ; &Thread
805cc5d6 8d45dc          lea     eax,[ebp-24h]
805cc5d9 50              push    eax  ; &Process
805cc5da 8d45d4          lea     eax,[ebp-2Ch]
805cc5dd 50              push    eax  ; &ClientId (frame copy)
805cc5de e83f7a0000      call    nt!PsLookupProcessThreadByCid (805d4022)  ; both ids must match
805cc5e3 8bf8            mov     edi,eax
805cc5e5 3bfe            cmp     edi,esi
805cc5e7 7d1c            jge     nt!NtOpenProcess+0x209 (805cc605)
805cc5e9 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc5ef 50              push    eax
805cc5f0 e885550200      call    nt!SeDeleteAccessState (805f1b7a)  ; lookup failed: drop the access state, return status
805cc5f5 ebac            jmp     nt!NtOpenProcess+0x1a7 (805cc5a3)
805cc5f7 8d45dc          lea     eax,[ebp-24h]
805cc5fa 50              push    eax  ; &Process
805cc5fb ff75d4          push    dword ptr [ebp-2Ch]  ; UniqueProcess
805cc5fe e8db7a0000      call    nt!PsLookupProcessByProcessId (805d40de)
805cc603 ebde            jmp     nt!NtOpenProcess+0x1e7 (805cc5e3)
; ObOpenObjectByPointer(Process, HandleAttributes, &AccessState, 0, PsProcessType, PreviousMode, &Handle)
805cc605 8d45e0          lea     eax,[ebp-20h]
805cc608 50              push    eax  ; &Handle
805cc609 ff75cc          push    dword ptr [ebp-34h]  ; PreviousMode
805cc60c ff35b8495680    push    dword ptr [nt!PsProcessType (805649b8)]
805cc612 56              push    esi  ; DesiredAccess = 0
805cc613 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc619 50              push    eax  ; &AccessState
805cc61a ff75c8          push    dword ptr [ebp-38h]  ; HandleAttributes = OBJECT_ATTRIBUTES.Attributes captured from the caller
805cc61d ff75dc          push    dword ptr [ebp-24h]  ; Process
805cc620 e84706ffff      call    nt!ObOpenObjectByPointer (805bcc6c)
805cc625 8bf8            mov     edi,eax
805cc627 8d8548ffffff    lea     eax,[ebp-0B8h]
805cc62d 50              push    eax
805cc62e e847550200      call    nt!SeDeleteAccessState (805f1b7a)
805cc633 8b4dd0          mov     ecx,dword ptr [ebp-30h]
805cc636 3bce            cmp     ecx,esi
805cc638 7405            je      nt!NtOpenProcess+0x243 (805cc63f)
805cc63a e83fb0f5ff      call    nt!ObfDereferenceObject (8052767e)  ; drop the thread reference taken by PsLookupProcessThreadByCid
805cc63f 8b4ddc          mov     ecx,dword ptr [ebp-24h]
805cc642 e837b0f5ff      call    nt!ObfDereferenceObject (8052767e)  ; drop the process reference taken by the lookup
805cc647 3bfe            cmp     edi,esi
805cc649 0f8c54ffffff    jl      nt!NtOpenProcess+0x1a7 (805cc5a3)
805cc64f c745fc02000000  mov     dword ptr [ebp-4],2  ; __try level 2, then share the handle write-back at 805cc597
805cc656 e93cffffff      jmp     nt!NtOpenProcess+0x19b (805cc597)
; __except filter / body for try level 2
805cc65b 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc65e 8b00            mov     eax,dword ptr [eax]
805cc660 8b00            mov     eax,dword ptr [eax]
805cc662 8945bc          mov     dword ptr [ebp-44h],eax
805cc665 33c0            xor     eax,eax
805cc667 40              inc     eax
805cc668 c3              ret
805cc669 8b45bc          mov     eax,dword ptr [ebp-44h]
; Common exception exit: unwind the stack pointer, leave all __try blocks, return eax
805cc66c 8b65e8          mov     esp,dword ptr [ebp-18h]
805cc66f 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc673 eb05            jmp     nt!NtOpenProcess+0x27e (805cc67a)
805cc675 b8300000c0      mov     eax,0C0000030h  ; STATUS_INVALID_PARAMETER_MIX
805cc67a e83c05f7ff      call    nt!_SEH_epilog (8053cbbb)
805cc67f c21000          ret     10h  ; four dword arguments
805cc682 cc              int     3
805cc683 cc              int     3
805cc684 cc              int     3
805cc685 cc              int     3
805cc686 cc              int     3
805cc687 cc              int     3
; ---------------------------------------------------------------------------
; nt!NtOpenThread -- Windows XP x86 kernel; structurally a twin of NtOpenProcess
; with PsThreadType and THREAD_ALL_ACCESS.  stdcall, four dword args (ret 10h):
;   [ebp+8]    PHANDLE ThreadHandle      -- written with the new handle at 805cc829
;   [ebp+0Ch]  ACCESS_MASK DesiredAccess -- handed to SeCreateAccessState
;   [ebp+10h]  POBJECT_ATTRIBUTES        -- +8 (ObjectName) / +0Ch (Attributes) read here
;   [ebp+14h]  PCLIENT_ID, optional      -- {UniqueProcess, UniqueThread}
; Locals: [ebp-19h] ClientId given?  [ebp-1Ah] ObjectName given?
;   [ebp-20h] ETHREAD*   [ebp-24h] HANDLE out   [ebp-28h] UniqueThread
;   [ebp-2Ch] UniqueProcess   [ebp-30h] caller's previous mode
;   [ebp-34h] OBJECT_ATTRIBUTES.Attributes   [ebp-0B4h] ACCESS_STATE
;   [ebp-0D0h] AUX_ACCESS_DATA   [ebp-38h]/[ebp-3Ch]/[ebp-40h] saved exception codes
;
; Points worth knowing, beyond what NtOpenProcess already shows:
;   * With SeDebugPrivilege the granted mask becomes THREAD_ALL_ACCESS (1F03FFh
;     on XP) when MAXIMUM_ALLOWED was requested, otherwise exactly what was
;     asked; RemainingDesiredAccess is then zeroed, so the thread DACL is not
;     consulted for that caller.
;   * NOTE(review): the generic-mapping pointer handed to SeCreateAccessState is
;     PsProcessType+68h (805cc784), the same expression NtOpenProcess uses at
;     805cc4f8, not PsThreadType -- generic rights in a thread access mask are
;     mapped with the process table.
;   * CLIENT_ID path: a non-zero UniqueProcess forces PsLookupProcessThreadByCid
;     (the thread must belong to that process); UniqueProcess == 0 falls back to
;     PsLookupThreadByThreadId, i.e. any live thread id is accepted.
;   * Same SEH shape as NtOpenProcess: probes and the final handle store are
;     under __try and a fault is returned as the exception code; the handle is
;     not closed if the store at 805cc829 faults.
; Structure offsets are quoted from the public XP layouts; confirm with dt.
; ---------------------------------------------------------------------------
nt!NtOpenThread:
805cc688 68c0000000      push    0C0h  ; size of locals for _SEH_prolog
805cc68d 68e0b44d80      push    offset nt!ObWatchHandles+0x284 (804db4e0)  ; SEH scope table (nearest-public symbolization)
805cc692 e8e904f7ff      call    nt!_SEH_prolog (8053cb80)
805cc697 33f6            xor     esi,esi  ; esi = 0 throughout
805cc699 8975d4          mov     dword ptr [ebp-2Ch],esi  ; UniqueProcess = 0
805cc69c 33c0            xor     eax,eax
805cc69e 8d7dd8          lea     edi,[ebp-28h]
805cc6a1 ab              stos    dword ptr es:[edi]  ; UniqueThread = 0
805cc6a2 64a124010000    mov     eax,dword ptr fs:[00000124h]  ; current KTHREAD
805cc6a8 8a8040010000    mov     al,byte ptr [eax+140h]  ; previous-mode byte; 0 = KernelMode
805cc6ae 8845d0          mov     byte ptr [ebp-30h],al  ; AccessMode for Se*/Ob* below
805cc6b1 84c0            test    al,al
805cc6b3 0f848f000000    je      nt!NtOpenThread+0xc0 (805cc748)  ; kernel caller: no probing
805cc6b9 8975fc          mov     dword ptr [ebp-4],esi  ; __try level 0
805cc6bc a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6c1 8b4d08          mov     ecx,dword ptr [ebp+8]  ; ThreadHandle (out)
805cc6c4 3bc8            cmp     ecx,eax
805cc6c6 7202            jb      nt!NtOpenThread+0x42 (805cc6ca)
805cc6c8 8930            mov     dword ptr [eax],esi  ; kernel-range pointer -> forced fault
805cc6ca 8b01            mov     eax,dword ptr [ecx]
805cc6cc 8901            mov     dword ptr [ecx],eax  ; inlined ProbeForWriteHandle (read + write-back)
805cc6ce 8b5d10          mov     ebx,dword ptr [ebp+10h]  ; ebx = ObjectAttributes
805cc6d1 f6c303          test    bl,3
805cc6d4 7405            je      nt!NtOpenThread+0x53 (805cc6db)
805cc6d6 e88b890400      call    nt!ExRaiseDatatypeMisalignment (80615066)  ; misaligned -> raise (does not return)
805cc6db a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc6e0 3bd8            cmp     ebx,eax
805cc6e2 7207            jb      nt!NtOpenThread+0x63 (805cc6eb)
805cc6e4 8930            mov     dword ptr [eax],esi  ; forced fault
805cc6e6 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]  ; dead reload
805cc6eb 397308          cmp     dword ptr [ebx+8],esi  ; OBJECT_ATTRIBUTES.ObjectName != NULL ?
805cc6ee 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc6f2 8b4b0c          mov     ecx,dword ptr [ebx+0Ch]  ; OBJECT_ATTRIBUTES.Attributes
805cc6f5 894dcc          mov     dword ptr [ebp-34h],ecx  ; later HandleAttributes for ObOpenObjectByPointer
805cc6f8 8b4d14          mov     ecx,dword ptr [ebp+14h]  ; ClientId (optional)
805cc6fb 3bce            cmp     ecx,esi
805cc6fd 7429            je      nt!NtOpenThread+0xa0 (805cc728)
805cc6ff f6c103          test    cl,3
805cc702 740d            je      nt!NtOpenThread+0x89 (805cc711)
805cc704 e85d890400      call    nt!ExRaiseDatatypeMisalignment (80615066)
805cc709 a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805cc70e 8b4d14          mov     ecx,dword ptr [ebp+14h]
805cc711 3bc8            cmp     ecx,eax
805cc713 7202            jb      nt!NtOpenThread+0x8f (805cc717)
805cc715 8930            mov     dword ptr [eax],esi  ; forced fault
805cc717 8b01            mov     eax,dword ptr [ecx]
805cc719 8945d4          mov     dword ptr [ebp-2Ch],eax  ; capture UniqueProcess
805cc71c 8b4104          mov     eax,dword ptr [ecx+4]
805cc71f 8945d8          mov     dword ptr [ebp-28h],eax  ; capture UniqueThread (single fetch)
805cc722 c645e701        mov     byte ptr [ebp-19h],1  ; ClientId supplied
805cc726 eb04            jmp     nt!NtOpenThread+0xa4 (805cc72c)
805cc728 c645e700        mov     byte ptr [ebp-19h],0
805cc72c 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh  ; end of __try level 0
805cc730 eb42            jmp     nt!NtOpenThread+0xec (805cc774)
; __except filter for try level 0: save the exception code, return EXCEPTION_EXECUTE_HANDLER
805cc732 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc735 8b00            mov     eax,dword ptr [eax]
805cc737 8b00            mov     eax,dword ptr [eax]
805cc739 8945c8          mov     dword ptr [ebp-38h],eax
805cc73c 33c0            xor     eax,eax
805cc73e 40              inc     eax
805cc73f c3              ret
; __except body: exception code becomes the NTSTATUS
805cc740 8b45c8          mov     eax,dword ptr [ebp-38h]
805cc743 e99a010000      jmp     nt!NtOpenThread+0x25a (805cc8e2)
; Kernel-mode caller: same captures without probing
805cc748 8b5d10          mov     ebx,dword ptr [ebp+10h]
805cc74b 397308          cmp     dword ptr [ebx+8],esi
805cc74e 0f9545e6        setne   byte ptr [ebp-1Ah]
805cc752 8b430c          mov     eax,dword ptr [ebx+0Ch]
805cc755 8945cc          mov     dword ptr [ebp-34h],eax
805cc758 8b4514          mov     eax,dword ptr [ebp+14h]
805cc75b 3bc6            cmp     eax,esi
805cc75d 7411            je      nt!NtOpenThread+0xe8 (805cc770)
805cc75f 8b08            mov     ecx,dword ptr [eax]
805cc761 894dd4          mov     dword ptr [ebp-2Ch],ecx
805cc764 8b4004          mov     eax,dword ptr [eax+4]
805cc767 8945d8          mov     dword ptr [ebp-28h],eax
805cc76a c645e701        mov     byte ptr [ebp-19h],1
805cc76e eb04            jmp     nt!NtOpenThread+0xec (805cc774)
805cc770 c645e700        mov     byte ptr [ebp-19h],0
; Join point
805cc774 807de600        cmp     byte ptr [ebp-1Ah],0
805cc778 740a            je      nt!NtOpenThread+0xfc (805cc784)
805cc77a 807de700        cmp     byte ptr [ebp-19h],0
805cc77e 0f8567010000    jne     nt!NtOpenThread+0x263 (805cc8eb)  ; ObjectName AND ClientId -> STATUS_INVALID_PARAMETER_MIX
805cc784 a1b8495680      mov     eax,dword ptr [nt!PsProcessType (805649b8)]  ; NOTE(review): PsProcessType, not PsThreadType
805cc789 83c068          add     eax,68h  ; &PsProcessType->TypeInfo.GenericMapping
805cc78c 50              push    eax
805cc78d ff750c          push    dword ptr [ebp+0Ch]  ; DesiredAccess
805cc790 8d8530ffffff    lea     eax,[ebp-0D0h]
805cc796 50              push    eax  ; &AuxData
805cc797 8d854cffffff    lea     eax,[ebp-0B4h]
805cc79d 50              push    eax  ; &AccessState
805cc79e e815560200      call    nt!SeCreateAccessState (805f1db8)
805cc7a3 3bc6            cmp     eax,esi
805cc7a5 0f8c45010000    jl      nt!NtOpenThread+0x268 (805cc8f0)  ; failed -> return status
; SeDebugPrivilege short-circuit
805cc7ab ff75d0          push    dword ptr [ebp-30h]  ; PreviousMode
805cc7ae ff3520dd6780    push    dword ptr [nt!SeDebugPrivilege+0x4 (8067dd20)]  ; LUID high
805cc7b4 ff351cdd6780    push    dword ptr [nt!SeDebugPrivilege (8067dd1c)]  ; LUID low
805cc7ba e8f5c40200      call    nt!SeSinglePrivilegeCheck (805f8cb4)
805cc7bf 84c0            test    al,al
805cc7c1 7425            je      nt!NtOpenThread+0x160 (805cc7e8)  ; not held: normal access check
805cc7c3 8b855cffffff    mov     eax,dword ptr [ebp-0A4h]  ; AccessState.RemainingDesiredAccess
805cc7c9 a900000002      test    eax,2000000h  ; MAXIMUM_ALLOWED ?
805cc7ce 740c            je      nt!NtOpenThread+0x154 (805cc7dc)
805cc7d0 818d60ffffffff031f00 or  dword ptr [ebp-0A0h],1F03FFh  ; PreviouslyGrantedAccess |= THREAD_ALL_ACCESS (XP value)
805cc7da eb06            jmp     nt!NtOpenThread+0x15a (805cc7e2)
805cc7dc 098560ffffff    or      dword ptr [ebp-0A0h],eax  ; PreviouslyGrantedAccess |= RemainingDesiredAccess
805cc7e2 89b55cffffff    mov     dword ptr [ebp-0A4h],esi  ; RemainingDesiredAccess = 0 -> DACL has nothing left to deny
805cc7e8 807de600        cmp     byte ptr [ebp-1Ah],0
805cc7ec 745e            je      nt!NtOpenThread+0x1c4 (805cc84c)  ; no ObjectName -> CLIENT_ID path
; ObOpenObjectByName(ObjectAttributes, PsThreadType, PreviousMode, &AccessState, 0, NULL, &Handle)
805cc7ee 8d45dc          lea     eax,[ebp-24h]
805cc7f1 50              push    eax  ; &Handle
805cc7f2 56              push    esi  ; ParseContext = NULL
805cc7f3 56              push    esi  ; DesiredAccess = 0
805cc7f4 8d854cffffff    lea     eax,[ebp-0B4h]
805cc7fa 50              push    eax  ; &AccessState
805cc7fb ff75d0          push    dword ptr [ebp-30h]  ; PreviousMode
805cc7fe ff35bc495680    push    dword ptr [nt!PsThreadType (805649bc)]
805cc804 53              push    ebx  ; ObjectAttributes
805cc805 e8dc00ffff      call    nt!ObOpenObjectByName (805bc8e6)
805cc80a 8bf8            mov     edi,eax  ; status
805cc80c 8d854cffffff    lea     eax,[ebp-0B4h]
805cc812 50              push    eax
805cc813 e862530200      call    nt!SeDeleteAccessState (805f1b7a)
805cc818 3bfe            cmp     edi,esi
805cc81a 7c13            jl      nt!NtOpenThread+0x1a7 (805cc82f)
805cc81c c745fc01000000  mov     dword ptr [ebp-4],1  ; __try level 1: handle already exists in the caller's table
805cc823 8b45dc          mov     eax,dword ptr [ebp-24h]
805cc826 8b4d08          mov     ecx,dword ptr [ebp+8]
805cc829 8901            mov     dword ptr [ecx],eax  ; *ThreadHandle = Handle; a fault here leaves the handle open
805cc82b 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc82f 8bc7            mov     eax,edi  ; return status
805cc831 e9ba000000      jmp     nt!NtOpenThread+0x268 (805cc8f0)
; __except filter / body for try level 1
805cc836 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc839 8b00            mov     eax,dword ptr [eax]
805cc83b 8b00            mov     eax,dword ptr [eax]
805cc83d 8945c4          mov     dword ptr [ebp-3Ch],eax
805cc840 33c0            xor     eax,eax
805cc842 40              inc     eax
805cc843 c3              ret
805cc844 8b45c4          mov     eax,dword ptr [ebp-3Ch]
805cc847 e996000000      jmp     nt!NtOpenThread+0x25a (805cc8e2)
; Open by CLIENT_ID
805cc84c 807de700        cmp     byte ptr [ebp-19h],0
805cc850 0f8495000000    je      nt!NtOpenThread+0x263 (805cc8eb)  ; neither given -> STATUS_INVALID_PARAMETER_MIX
805cc856 8d45e0          lea     eax,[ebp-20h]
805cc859 50              push    eax  ; &Thread (shared by both lookup calls below)
805cc85a 3975d4          cmp     dword ptr [ebp-2Ch],esi  ; UniqueProcess given?
805cc85d 741e            je      nt!NtOpenThread+0x1f5 (805cc87d)
805cc85f 56              push    esi  ; Process out = NULL
805cc860 8d45d4          lea     eax,[ebp-2Ch]
805cc863 50              push    eax  ; &ClientId (frame copy)
805cc864 e8b9770000      call    nt!PsLookupProcessThreadByCid (805d4022)  ; thread must belong to UniqueProcess
805cc869 8bf8            mov     edi,eax
805cc86b 3bfe            cmp     edi,esi
805cc86d 7d18            jge     nt!NtOpenThread+0x1ff (805cc887)
805cc86f 8d854cffffff    lea     eax,[ebp-0B4h]
805cc875 50              push    eax
805cc876 e8ff520200      call    nt!SeDeleteAccessState (805f1b7a)  ; lookup failed: drop access state, return status
805cc87b ebb2            jmp     nt!NtOpenThread+0x1a7 (805cc82f)
805cc87d ff75d8          push    dword ptr [ebp-28h]  ; UniqueThread
805cc880 e8e5780000      call    nt!PsLookupThreadByThreadId (805d416a)  ; UniqueProcess == 0: any thread id is accepted
805cc885 ebe2            jmp     nt!NtOpenThread+0x1e1 (805cc869)
; ObOpenObjectByPointer(Thread, HandleAttributes, &AccessState, 0, PsThreadType, PreviousMode, &Handle)
805cc887 8d45dc          lea     eax,[ebp-24h]
805cc88a 50              push    eax  ; &Handle
805cc88b ff75d0          push    dword ptr [ebp-30h]  ; PreviousMode
805cc88e ff35bc495680    push    dword ptr [nt!PsThreadType (805649bc)]
805cc894 56              push    esi  ; DesiredAccess = 0
805cc895 8d854cffffff    lea     eax,[ebp-0B4h]
805cc89b 50              push    eax  ; &AccessState
805cc89c ff75cc          push    dword ptr [ebp-34h]  ; HandleAttributes from the caller's OBJECT_ATTRIBUTES
805cc89f ff75e0          push    dword ptr [ebp-20h]  ; Thread
805cc8a2 e8c503ffff      call    nt!ObOpenObjectByPointer (805bcc6c)
805cc8a7 8bf8            mov     edi,eax
805cc8a9 8d854cffffff    lea     eax,[ebp-0B4h]
805cc8af 50              push    eax
805cc8b0 e8c5520200      call    nt!SeDeleteAccessState (805f1b7a)
805cc8b5 8b4de0          mov     ecx,dword ptr [ebp-20h]
805cc8b8 e8c1adf5ff      call    nt!ObfDereferenceObject (8052767e)  ; drop the lookup reference on the thread
805cc8bd 3bfe            cmp     edi,esi
805cc8bf 0f8c6affffff    jl      nt!NtOpenThread+0x1a7 (805cc82f)
805cc8c5 c745fc02000000  mov     dword ptr [ebp-4],2  ; __try level 2, then share the handle write-back at 805cc823
805cc8cc e952ffffff      jmp     nt!NtOpenThread+0x19b (805cc823)
; __except filter / body for try level 2
805cc8d1 8b45ec          mov     eax,dword ptr [ebp-14h]
805cc8d4 8b00            mov     eax,dword ptr [eax]
805cc8d6 8b00            mov     eax,dword ptr [eax]
805cc8d8 8945c0          mov     dword ptr [ebp-40h],eax
805cc8db 33c0            xor     eax,eax
805cc8dd 40              inc     eax
805cc8de c3              ret
805cc8df 8b45c0          mov     eax,dword ptr [ebp-40h]
; Common exception exit
805cc8e2 8b65e8          mov     esp,dword ptr [ebp-18h]
805cc8e5 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805cc8e9 eb05            jmp     nt!NtOpenThread+0x268 (805cc8f0)
805cc8eb b8300000c0      mov     eax,0C0000030h  ; STATUS_INVALID_PARAMETER_MIX
805cc8f0 e8c602f7ff      call    nt!_SEH_epilog (8053cbbb)
805cc8f5 c21000          ret     10h  ; four dword arguments
805cc8f8 cc              int     3
805cc8f9 cc              int     3
805cc8fa cc              int     3
805cc8fb cc              int     3
805cc8fc cc              int     3
805cc8fd cc              int     3
; ---------------------------------------------------------------------------
; nt!NtQueryPortInformationProcess -- leaf routine: no frame, no SEH, no stack
; arguments (plain ret), and it never touches caller memory; it only reads the
; calling thread's own kernel structures.
; Returns in eax (BOOLEAN):
;   1  if the dword at EPROCESS+0BCh of the current process is non-NULL and
;      bit 2 of the byte at ETHREAD+248h of the calling thread is clear;
;   otherwise (dword at EPROCESS+0C0h != 0).
; On XP the public layouts put EPROCESS.DebugPort at +0BCh, EPROCESS.ExceptionPort
; at +0C0h and ETHREAD.CrossThreadFlags (HideFromDebugger = bit 2) at +248h, so
; this reads as "the process has a debug port and I am visible to the debugger,
; else do I have an exception port".  The hide-from-debugger bit therefore
; changes the answer, which is why this routine matters for anti-debugging
; analysis.  Confirm the offsets with dt nt!_EPROCESS / dt nt!_ETHREAD on this
; build before relying on them.
; ---------------------------------------------------------------------------
nt!NtQueryPortInformationProcess:
805cc8fe 64a124010000    mov     eax,dword ptr fs:[00000124h]  ; current KTHREAD
805cc904 8b4844          mov     ecx,dword ptr [eax+44h]  ; KTHREAD.ApcState.Process -> current EPROCESS (XP offset)
805cc907 83b9bc00000000  cmp     dword ptr [ecx+0BCh],0  ; DebugPort present?
805cc90e 740d            je      nt!NtQueryPortInformationProcess+0x1f (805cc91d)  ; no debug port -> fall back to the exception-port test
805cc910 f6804802000004  test    byte ptr [eax+248h],4  ; thread hidden from debugger?
805cc917 7504            jne     nt!NtQueryPortInformationProcess+0x1f (805cc91d)  ; hidden -> behave as if not debugged
805cc919 33c0            xor     eax,eax
805cc91b 40              inc     eax  ; return TRUE
805cc91c c3              ret
805cc91d 33c0            xor     eax,eax
805cc91f 3981c0000000    cmp     dword ptr [ecx+0C0h],eax  ; ExceptionPort != NULL ?
805cc925 0f95c0          setne   al
805cc928 c3              ret
805cc929 cc              int     3
805cc92a cc              int     3
805cc92b cc              int     3
805cc92c cc              int     3
805cc92d cc              int     3
nt!PspSetQuotaLimits:
;-----------------------------------------------------------------------
; NTSTATUS PspSetQuotaLimits(arg1=[ebp+8], arg2=[ebp+0Ch], arg3=[ebp+10h],
;                            arg4=[ebp+14h], arg5=[ebp+18h])   -- stdcall, ret 14h
; From how the arguments are used below:
;   [ebp+8]    process handle -> ObReferenceObjectByHandle, access 100h (PROCESS_SET_QUOTA)
;   [ebp+0Ch]  not referenced anywhere in this listing
;   [ebp+10h]  pointer to a 20h-byte limits block, copied once into the frame at [ebp-60h]
;   [ebp+14h]  length of that block; must be exactly 20h or the call fails
;   [ebp+18h]  access mode passed to the object/privilege checks (presumably PreviousMode)
; Returns NTSTATUS in eax: 0, C0000004h (STATUS_INFO_LENGTH_MISMATCH),
;   C0000061h (STATUS_PRIVILEGE_NOT_HELD), C0000017h (STATUS_NO_MEMORY), the status of
;   ObReferenceObjectByHandle / MmAdjustWorkingSetSizeEx, or the exception code raised
;   while copying the caller's block (see the SEH filter/handler at the end).
; Frame (built by _SEH_prolog, 78h bytes of locals):
;   [ebp-4]    SEH try level; [ebp-14h]/[ebp-18h] handler context (EXCEPTION_POINTERS / saved esp)
;   [ebp-20h]  referenced EPROCESS
;   [ebp-24h]  byte: result of the SeIncreaseBasePriorityPrivilege check
;   [ebp-19h]  BOOLEAN written by MmAdjustWorkingSetSizeEx, forwarded to the audit call
;   [ebp-40h]  KAPC_STATE for KeStackAttachProcess / KeUnstackDetachProcess
;   [ebp-60h]  kernel copy of the caller's block; the logic only reads the dwords at
;              block+8 ([ebp-58h]) and block+0Ch ([ebp-54h]) -- these look like
;              QUOTA_LIMITS.MinimumWorkingSetSize / MaximumWorkingSetSize; confirm
;              against the structure definition
;   [ebp-88h]  context block for PspSinglePrivCheck / PspSinglePrivCheckAudit
; Register roles after the handle is resolved: esi = current KTHREAD (later reused
;   for the new quota block), edi = status being accumulated (0 = success; briefly
;   holds the job lock address in the job path), ebx = &PspDefaultQuotaBlock, then
;   the process's job pointer, edx = newly allocated quota block.
; Security notes: every check below runs on the kernel copy at [ebp-60h], so the
;   caller cannot change the values between validation and use; installing a private
;   quota block requires SeIncreaseQuotaPrivilege; when the process is in a job whose
;   flag bit 0 is set, the job's two values replace the caller's before they are applied.
; NOTE(review): no ProbeForRead of [ebp+10h] is visible here; presumably the caller
;   probes the buffer and this routine relies on the SEH frame for faults -- confirm.
;-----------------------------------------------------------------------
805cc92e 6a78            push    78h                                  ; size of locals for _SEH_prolog
805cc930 6808b54d80      push    offset nt!ObWatchHandles+0x2ac (804db508)   ; SEH scope table (symbolised relative to ObWatchHandles, not a field of it)
805cc935 e84602f7ff      call    nt!_SEH_prolog (8053cb80)            ; build the SEH frame
805cc93a 837d1420        cmp     dword ptr [ebp+14h],20h              ; length must be exactly 32 bytes (presumably sizeof(QUOTA_LIMITS) on x86)
805cc93e 740a            je      nt!PspSetQuotaLimits+0x1c (805cc94a)
805cc940 b8040000c0      mov     eax,0C0000004h                       ; STATUS_INFO_LENGTH_MISMATCH
805cc945 e926020000      jmp     nt!PspSetQuotaLimits+0x242 (805ccb70) ; -> epilog
805cc94a 8365fc00        and     dword ptr [ebp-4],0                  ; enter __try (try level 0): the copy below may fault
805cc94e 6a08            push    8
805cc950 59              pop     ecx                                  ; ecx = 8 dwords = 32 bytes
805cc951 8b7510          mov     esi,dword ptr [ebp+10h]              ; esi = caller's limits block
805cc954 8d7da0          lea     edi,[ebp-60h]                        ; edi = kernel copy in the frame
805cc957 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]  ; copy once; all later checks use this copy only
805cc959 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh         ; leave __try
805cc95d 6a00            push    0                                    ; HandleInformation = NULL
805cc95f 8d45e0          lea     eax,[ebp-20h]
805cc962 50              push    eax                                  ; &Object -> [ebp-20h]
805cc963 ff7518          push    dword ptr [ebp+18h]                  ; AccessMode
805cc966 ff35b8495680    push    dword ptr [nt!PsProcessType (805649b8)]   ; ObjectType = PsProcessType
805cc96c 6800010000      push    100h                                 ; DesiredAccess = PROCESS_SET_QUOTA
805cc971 ff7508          push    dword ptr [ebp+8]                    ; Handle
805cc974 e819fbfeff      call    nt!ObReferenceObjectByHandle (805bc492)
805cc979 85c0            test    eax,eax
805cc97b 0f8cef010000    jl      nt!PspSetQuotaLimits+0x242 (805ccb70) ; failure status -> return it unchanged
805cc981 64a124010000    mov     eax,dword ptr fs:[00000124h]         ; current KTHREAD
805cc987 8bf0            mov     esi,eax                              ; esi = current thread (used for the APC-disable counter below)
805cc989 33ff            xor     edi,edi                              ; edi = STATUS_SUCCESS so far
805cc98b 8b45e0          mov     eax,dword ptr [ebp-20h]              ; eax = target EPROCESS
805cc98e bb60495680      mov     ebx,offset nt!PspDefaultQuotaBlock (80564960)
805cc993 399840010000    cmp     dword ptr [eax+140h],ebx             ; process still on the shared default block? (+140h, presumably EPROCESS.QuotaBlock)
805cc999 0f85d9000000    jne     nt!PspSetQuotaLimits+0x14a (805cca78) ; no -> private-block path
; --- process uses the default quota block ---
805cc99f 397da8          cmp     dword ptr [ebp-58h],edi              ; block+8 == 0 ?
805cc9a2 7426            je      nt!PspSetQuotaLimits+0x9c (805cc9ca) ; yes -> create a private quota block
805cc9a4 397dac          cmp     dword ptr [ebp-54h],edi              ; block+0Ch == 0 ?
805cc9a7 7421            je      nt!PspSetQuotaLimits+0x9c (805cc9ca)
805cc9a9 837da8ff        cmp     dword ptr [ebp-58h],0FFFFFFFFh       ; -1 in either dword: skip the job lookup and
805cc9ad 0f843d010000    je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0) ; go straight to the working-set adjustment
805cc9b3 837dacff        cmp     dword ptr [ebp-54h],0FFFFFFFFh
805cc9b7 0f8433010000    je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805cc9bd 8b9834010000    mov     ebx,dword ptr [eax+134h]             ; ebx = process pointer at +134h (presumably EPROCESS.Job)
805cc9c3 3bdf            cmp     ebx,edi                              ; flags = (job == NULL), consumed at +0x172
805cc9c5 e9d6000000      jmp     nt!PspSetQuotaLimits+0x172 (805ccaa0)
; --- create a private quota block (one of the two dwords was 0) ---
805cc9ca ff7518          push    dword ptr [ebp+18h]                  ; PreviousMode
805cc9cd ff35a8dc6780    push    dword ptr [nt!SeIncreaseQuotaPrivilege+0x4 (8067dca8)]  ; LUID.HighPart
805cc9d3 ff35a4dc6780    push    dword ptr [nt!SeIncreaseQuotaPrivilege (8067dca4)]      ; LUID.LowPart
805cc9d9 e8d6c20200      call    nt!SeSinglePrivilegeCheck (805f8cb4) ; caller must hold SeIncreaseQuotaPrivilege
805cc9de 84c0            test    al,al
805cc9e0 750a            jne     nt!PspSetQuotaLimits+0xbe (805cc9ec)
805cc9e2 bf610000c0      mov     edi,0C0000061h                       ; STATUS_PRIVILEGE_NOT_HELD
805cc9e7 e960010000      jmp     nt!PspSetQuotaLimits+0x21e (805ccb4c) ; -> dereference and return
805cc9ec 6850735162      push    62517350h                            ; Tag 'PsQb'
805cc9f1 6a40            push    40h                                  ; NumberOfBytes = 40h
805cc9f3 57              push    edi                                  ; PoolType = 0 (edi is still 0 here) = NonPagedPool
805cc9f4 e86ffff7ff      call    nt!ExAllocatePoolWithTag (8054c968)
805cc9f9 8bd0            mov     edx,eax                              ; edx = new quota block
805cc9fb 3bd7            cmp     edx,edi                              ; NULL check
805cc9fd 750a            jne     nt!PspSetQuotaLimits+0xdb (805cca09)
805cc9ff bf170000c0      mov     edi,0C0000017h                       ; STATUS_NO_MEMORY
805cca04 e943010000      jmp     nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cca09 6a10            push    10h
805cca0b 59              pop     ecx                                  ; ecx = 16 dwords
805cca0c 33c0            xor     eax,eax
805cca0e 8bfa            mov     edi,edx
805cca10 f3ab            rep stos dword ptr es:[edi]                  ; zero the 40h-byte block (edi now points past it)
805cca12 40              inc     eax                                  ; eax = 1
805cca13 894238          mov     dword ptr [edx+38h],eax              ; block+38h = 1 (looks like a reference count)
805cca16 89423c          mov     dword ptr [edx+3Ch],eax              ; block+3Ch = 1 (looks like a process count)
805cca19 8b4de0          mov     ecx,dword ptr [ebp-20h]              ; ecx = EPROCESS
805cca1c 8b819c000000    mov     eax,dword ptr [ecx+9Ch]              ; carry the process's three counters at +9Ch/+0A0h/+0A4h
805cca22 894208          mov     dword ptr [edx+8],eax                ;   into the new block at +8/+18h/+28h (16-byte entries;
805cca25 8b81a0000000    mov     eax,dword ptr [ecx+0A0h]             ;   presumably the peak-usage fields -- confirm layout)
805cca2b 894218          mov     dword ptr [edx+18h],eax
805cca2e 8b81a4000000    mov     eax,dword ptr [ecx+0A4h]
805cca34 894228          mov     dword ptr [edx+28h],eax
805cca37 a1ac495680      mov     eax,dword ptr [nt!PspDefaultPagedLimit (805649ac)]
805cca3c 894214          mov     dword ptr [edx+14h],eax              ; entry 1 limit = PspDefaultPagedLimit
805cca3f a1a8495680      mov     eax,dword ptr [nt!PspDefaultNonPagedLimit (805649a8)]
805cca44 894204          mov     dword ptr [edx+4],eax                ; entry 0 limit = PspDefaultNonPagedLimit
805cca47 a1a4495680      mov     eax,dword ptr [nt!PspDefaultPagefileLimit (805649a4)]
805cca4c 894224          mov     dword ptr [edx+24h],eax              ; entry 2 limit = PspDefaultPagefileLimit
805cca4f 8bf2            mov     esi,edx                              ; esi = new block (esi no longer holds the thread)
805cca51 8bc3            mov     eax,ebx                              ; expected old value = &PspDefaultQuotaBlock
805cca53 81c140010000    add     ecx,140h                             ; ecx = &process->(+140h)
805cca59 f00fb131        lock cmpxchg dword ptr [ecx],esi             ; CAS: install the new block only if the default one is still there
805cca5d 3bc3            cmp     eax,ebx                              ; eax == expected -> this thread won the race
805cca5f 740a            je      nt!PspSetQuotaLimits+0x13d (805cca6b)
805cca61 6a00            push    0                                    ; lost the race: another thread installed a block first
805cca63 52              push    edx
805cca64 e877f8f7ff      call    nt!ExFreePoolWithTag (8054c2e0)      ; ExFreePoolWithTag(block, 0)
805cca69 eb06            jmp     nt!PspSetQuotaLimits+0x143 (805cca71)
805cca6b 52              push    edx
805cca6c e8a5f1f5ff      call    nt!PspInsertQuotaBlock (8052bc16)    ; register the new block
805cca71 33ff            xor     edi,edi                              ; STATUS_SUCCESS either way
805cca73 e9d4000000      jmp     nt!PspSetQuotaLimits+0x21e (805ccb4c)
; --- process already has a private quota block ---
805cca78 837da800        cmp     dword ptr [ebp-58h],0                ; a 0 in either dword: nothing to do, succeed
805cca7c 0f84ca000000    je      nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cca82 837dac00        cmp     dword ptr [ebp-54h],0
805cca86 0f84c0000000    je      nt!PspSetQuotaLimits+0x21e (805ccb4c)
805cca8c 837da8ff        cmp     dword ptr [ebp-58h],0FFFFFFFFh       ; -1 in either dword: skip the job lookup
805cca90 745e            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805cca92 837dacff        cmp     dword ptr [ebp-54h],0FFFFFFFFh
805cca96 7458            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805cca98 8b9834010000    mov     ebx,dword ptr [eax+134h]             ; ebx = job pointer (see the +134h note above)
805cca9e 85db            test    ebx,ebx
; --- job check (flags reflect ebx == 0 on both entry paths) ---
805ccaa0 744e            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0) ; no job -> apply the caller's values as-is
805ccaa2 8d7b20          lea     edi,[ebx+20h]                        ; edi = resource inside the job at +20h (presumably the job lock)
805ccaa5 6a01            push    1                                    ; Wait = TRUE
805ccaa7 ff8ed4000000    dec     dword ptr [esi+0D4h]                 ; looks like an inlined KeEnterCriticalRegion (thread counter at +0D4h, presumably KernelApcDisable)
805ccaad 57              push    edi
805ccaae e869a7f6ff      call    nt!ExAcquireResourceSharedLite (8053721c)
805ccab3 f6839800000001  test    byte ptr [ebx+98h],1                 ; job flag bit 0 at +98h: does the job dictate working-set limits?
805ccaba 7412            je      nt!PspSetQuotaLimits+0x1a0 (805ccace)
805ccabc 8b839c000000    mov     eax,dword ptr [ebx+9Ch]              ; yes: the job's two values at +9Ch/+0A0h
805ccac2 8945a8          mov     dword ptr [ebp-58h],eax              ;   overwrite the caller's request in the kernel copy
805ccac5 8b83a0000000    mov     eax,dword ptr [ebx+0A0h]
805ccacb 8945ac          mov     dword ptr [ebp-54h],eax
805ccace 8bcf            mov     ecx,edi                              ; fastcall arg: the resource
805ccad0 e89b9cf6ff      call    nt!ExReleaseResourceLite (80536770)
805ccad5 ff86d4000000    inc     dword ptr [esi+0D4h]                 ; inlined KeLeaveCriticalRegion counterpart
805ccadb 7513            jne     nt!PspSetQuotaLimits+0x1c2 (805ccaf0) ; counter not back to 0 -> no APC delivery
805ccadd 8d4634          lea     eax,[esi+34h]                        ; list head in the thread at +34h (presumably the kernel APC queue)
805ccae0 3900            cmp     dword ptr [eax],eax                  ; list empty (Flink == &head)?
805ccae2 740c            je      nt!PspSetQuotaLimits+0x1c2 (805ccaf0)
805ccae4 c6464901        mov     byte ptr [esi+49h],1                 ; pending-APC flag at +49h
805ccae8 b101            mov     cl,1                                 ; APC_LEVEL
805ccaea ff150c914d80    call    dword ptr [nt!_imp_HalRequestSoftwareInterrupt (804d910c)]  ; deliver the queued kernel APCs
; --- apply the working-set sizes inside the target process ---
805ccaf0 8d8578ffffff    lea     eax,[ebp-88h]
805ccaf6 50              push    eax                                  ; &audit context
805ccaf7 ff7518          push    dword ptr [ebp+18h]                  ; PreviousMode
805ccafa ff35e0dc6780    push    dword ptr [nt!SeIncreaseBasePriorityPrivilege+0x4 (8067dce0)]  ; LUID.HighPart
805ccb00 ff35dcdc6780    push    dword ptr [nt!SeIncreaseBasePriorityPrivilege (8067dcdc)]      ; LUID.LowPart
805ccb06 e8d9310000      call    nt!PspSinglePrivCheck (805cfce4)     ; does the caller hold SeIncreaseBasePriorityPrivilege?
805ccb0b 8845dc          mov     byte ptr [ebp-24h],al                ; remember the answer; it is handed to Mm below
805ccb0e 8d45c0          lea     eax,[ebp-40h]
805ccb11 50              push    eax                                  ; &ApcState
805ccb12 ff75e0          push    dword ptr [ebp-20h]                  ; target process
805ccb15 e808d1f2ff      call    nt!KeStackAttachProcess (804f9c22)   ; switch to the target address space
805ccb1a 8d45e7          lea     eax,[ebp-19h]
805ccb1d 50              push    eax                                  ; arg6 = &BOOLEAN out at [ebp-19h]
805ccb1e 6a00            push    0                                    ; arg5 = 0
805ccb20 ff75dc          push    dword ptr [ebp-24h]                  ; arg4 = privilege-check result
805ccb23 6a00            push    0                                    ; arg3 = 0
805ccb25 ff75ac          push    dword ptr [ebp-54h]                  ; arg2 = block+0Ch (presumably the maximum)
805ccb28 ff75a8          push    dword ptr [ebp-58h]                  ; arg1 = block+8 (presumably the minimum)
805ccb2b e8800c0800      call    nt!MmAdjustWorkingSetSizeEx (8064d7b0) ; argument names for arg3/arg5/arg6 not visible here -- confirm
805ccb30 8bf8            mov     edi,eax                              ; edi = status from Mm
805ccb32 8d45c0          lea     eax,[ebp-40h]
805ccb35 50              push    eax
805ccb36 e899cbf2ff      call    nt!KeUnstackDetachProcess (804f96d4)
805ccb3b 8d8578ffffff    lea     eax,[ebp-88h]
805ccb41 50              push    eax                                  ; &audit context
805ccb42 0fb645e7        movzx   eax,byte ptr [ebp-19h]
805ccb46 50              push    eax                                  ; BOOLEAN written by Mm
805ccb47 e8e8310000      call    nt!PspSinglePrivCheckAudit (805cfd34) ; audit the privilege use
; --- common exit ---
805ccb4c 8b4de0          mov     ecx,dword ptr [ebp-20h]
805ccb4f e82aabf5ff      call    nt!ObfDereferenceObject (8052767e)   ; drop the reference taken above (fastcall)
805ccb54 8bc7            mov     eax,edi                              ; return the accumulated status
805ccb56 eb18            jmp     nt!PspSetQuotaLimits+0x242 (805ccb70)
; --- SEH filter for the __try around the copy (entered by the SEH machinery, not by fall-through) ---
805ccb58 8b45ec          mov     eax,dword ptr [ebp-14h]              ; frame slot holding EXCEPTION_POINTERS (presumably)
805ccb5b 8b00            mov     eax,dword ptr [eax]                  ; ->ExceptionRecord
805ccb5d 8b00            mov     eax,dword ptr [eax]                  ;   ->ExceptionCode (first field)
805ccb5f 8945d8          mov     dword ptr [ebp-28h],eax              ; stash it for the handler
805ccb62 33c0            xor     eax,eax
805ccb64 40              inc     eax                                  ; EXCEPTION_EXECUTE_HANDLER
805ccb65 c3              ret
; --- SEH handler: a fault while copying the caller's block lands here ---
805ccb66 8b65e8          mov     esp,dword ptr [ebp-18h]              ; restore the frame's esp
805ccb69 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh         ; leave __try
805ccb6d 8b45d8          mov     eax,dword ptr [ebp-28h]              ; return the exception code as the status
805ccb70 e84600f7ff      call    nt!_SEH_epilog (8053cbbb)
805ccb75 c21400          ret     14h                                  ; stdcall: 5 dword args
805ccb78 cc              int     3
805ccb79 cc              int     3
805ccb7a cc              int     3
805ccb7b cc              int     3
805ccb7c cc              int     3
805ccb7d cc              int     3
nt!NtQueryInformationThread:
805ccb7e 6890000000      push    90h
805ccb83 6818b54d80      push    offset nt!ObWatchHandles+0x2bc (804db518)
805ccb88 e8f3fff6ff      call    nt!_SEH_prolog (8053cb80)
805ccb8d 64a124010000    mov     eax,dword ptr fs:[00000124h]
805ccb93 8bd8            mov     ebx,eax
805ccb95 8a8340010000    mov     al,byte ptr [ebx+140h]
805ccb9b 8845e4          mov     byte ptr [ebp-1Ch],al
805ccb9e 84c0            test    al,al
805ccba0 744e            je      nt!NtQueryInformationThread+0x72 (805ccbf0)
805ccba2 8365fc00        and     dword ptr [ebp-4],0
805ccba6 6a04            push    4
805ccba8 8b7514          mov     esi,dword ptr [ebp+14h]
805ccbab 56              push    esi
805ccbac 8b7d10          mov     edi,dword ptr [ebp+10h]
805ccbaf 57              push    edi
805ccbb0 e8959e0400      call    nt!ProbeForWrite (80616a4a)
805ccbb5 8b4d18          mov     ecx,dword ptr [ebp+18h]
805ccbb8 33d2            xor     edx,edx
805ccbba 3bca            cmp     ecx,edx
805ccbbc 740f            je      nt!NtQueryInformationThread+0x4f (805ccbcd)
805ccbbe a134315680      mov     eax,dword ptr [nt!MmUserProbeAddress (80563134)]
805ccbc3 3bc8            cmp     ecx,eax
805ccbc5 7202            jb      nt!NtQueryInformationThread+0x4b (805ccbc9)
805ccbc7 8910            mov     dword ptr [eax],edx
805ccbc9 8b01            mov     eax,dword ptr [ecx]
805ccbcb 8901            mov     dword ptr [ecx],eax
805ccbcd 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805ccbd1 eb25            jmp     nt!NtQueryInformationThread+0x7a (805ccbf8)
805ccbd3 8b45ec          mov     eax,dword ptr [ebp-14h]
805ccbd6 8b00            mov     eax,dword ptr [eax]
805ccbd8 8b00            mov     eax,dword ptr [eax]
805ccbda 8945b8          mov     dword ptr [ebp-48h],eax
805ccbdd 33c0            xor     eax,eax
805ccbdf 40              inc     eax
805ccbe0 c3              ret
805ccbe1 8b45b8          mov     eax,dword ptr [ebp-48h]
805ccbe4 8b65e8          mov     esp,dword ptr [ebp-18h]
805ccbe7 834dfcff        or      dword ptr [ebp-4],0FFFFFFFFh
805ccbeb e9cc040000      jmp     nt!NtQueryInformationThread+0x53e (805cd0bc)
805ccbf0 8b7514          mov     esi,dword ptr [ebp+14h]
805ccbf3 8b7d10          mov     edi,dword ptr [ebp+10h]
805ccbf6 33d2            xor     edx,edx
805ccbf8 6a04            push    4
805ccbfa 59              pop     ecx
805ccbfb 8b450c          mov     eax,dword ptr [ebp+0Ch]
805ccbfe 83f80b          cmp     eax,0Bh
805ccc01 0f8ffb020000    jg      nt!NtQueryInformationThread+0x384 (805ccf02)
805ccc07 0f8482020000    je      nt!NtQueryInformationThread+0x311 (805cce8f)
805ccc0d 2bc2            sub     eax,edx

