Quickly brute forcing syscall indices in Windows

I've seen sites with lists of syscall indices like j00ru's and always hoped for a way to obtain syscalls programatically, and I finally figured it out.

THREADINFOCLASS enum value ThreadLastSystemCall was introduced at some point, and there's pretty limited documentation on how it's supposed to work so I thought I'd put it out there for all to see.

#include "stdafx.h"
#include "syscalls.h"
#include "ntdll_syscall_list.h"

BOOL GetFunctionSystemCallIndex(PVOID pFunctionAddress, DWORD *dwSyscallIndex)  
{
    if (!dwSyscallIndex)
        return FALSE;

    typedef NTSTATUS(*fn_t)(ULONG_PTR a1, ULONG_PTR a2, ULONG_PTR a3);
    typedef struct _THREAD_BRUTE_PARAMS
    {
        fn_t proc;
        int state;
    } THREAD_BRUTE_PARAMS;

    THREAD_BRUTE_PARAMS params;

    params.proc = (fn_t)pFunctionAddress;
    params.state = 0;

    auto thread_fn = [](LPVOID lpParam) -> DWORD
    {
        THREAD_BRUTE_PARAMS *pparams = (THREAD_BRUTE_PARAMS *)lpParam;

        do
        {
            // On x64 values are passed via registers first
            // then stack.
            // Shouldn't matter if this is incorrect since kernel shouldn't fault.

            __try
            {
                volatile unsigned char stack_filler[0x4000];

                pparams->proc(0, 0, 0);
            }
            __except (EXCEPTION_EXECUTE_HANDLER)
            {
                printf("EXCEPTION.\n");
                // Exception loop
                pparams->state = 3;
                continue;
            }

            pparams->state = 1;
        } while (true);

        return 0;
    };

    HANDLE hThread = CreateThread(0, 0, thread_fn, &params, 0, 0);
    if (hThread)
    {
        HANDLE hWaitObject;
        RegisterWaitForSingleObject(&hWaitObject, hThread, [](PVOID lpParameter, BOOLEAN TimerOrWaitFired) -> VOID {
            // If we timed out...
            if (TimerOrWaitFired)
            {
                THREAD_BRUTE_PARAMS *pparams = (THREAD_BRUTE_PARAMS *)lpParameter;

                pparams->state = 2;
            }
        }, &params , 5, WT_EXECUTEONLYONCE);

        while (true)
        {
            if (params.state == 0)
                continue;

            if (params.state > 1)
                break;

            // Once the state is not zero, 
            // the syscall index is valid.
            SuspendThread(hThread);

            THREAD_LAST_SYSCALL_INFORMATION sys;
            memset(&sys, 0, sizeof(sys));

            ULONG u;

            NTSTATUS status = NtQueryInformationThread(hThread, ThreadLastSystemCall, &sys, sizeof(THREAD_LAST_SYSCALL_INFORMATION), &u);
            if (status == 0)
            {
                *dwSyscallIndex = sys.SystemCallNumber;
                break;
            }
            else
            {
                // STATUS_NOT_IMPLEMENTED
                // Your OS doesn't support this API my dude.
                if (status == 0xC0000002)
                    break;
            }
        }

        TerminateThread(hThread, 0);
        CloseHandle(hThread);

        if (*dwSyscallIndex)
            return TRUE;
    }

    return FALSE;
}

void dump_ntdll_functions()  
{
    HMODULE hNtDll = LoadLibrary(L"ntdll.dll");
    if (!hNtDll)
    {
        printf("[!] ERROR: Unable to get ntdll.dll base address.\n");
        return;
    }

    for (size_t i = 0; ntdll_functions[i] != 0; i++)
    {
        PVOID pProc = GetProcAddress(hNtDll, ntdll_functions[i]);
        if (!pProc)
        {
            printf("[!] ERROR: Unable to get [%s] address.\n", ntdll_functions[i]);
            continue;
        }

        LARGE_INTEGER frequency;
        LARGE_INTEGER start;
        LARGE_INTEGER end;
        double interval;

        QueryPerformanceFrequency(&frequency);
        QueryPerformanceCounter(&start);

        DWORD dwIndex = -1;
        if (!GetFunctionSystemCallIndex(pProc, &dwIndex))
        {
            printf("[!] ERROR: Failed to get syscall index for [%s]\n", ntdll_functions[i]);
        }

        QueryPerformanceCounter(&end);
        interval = (double)(end.QuadPart - start.QuadPart) / frequency.QuadPart;

        if (dwIndex != -1)
        {
            printf("%s index: 0x%X (Time: %f)\n", ntdll_functions[i], dwIndex, interval);
        }
    }
}

int main()  
{
    dump_ntdll_functions();

    return 0;
}

I use a few weird tricks here. Functions that transition to kernel mode via syscall are all X64-style "fastcall", and if they fault, no big deal. So I call them all with invalid parameters because even if the function fails, I'm still getting the syscall index.

I haven't and probably won't provide a method of getting X86 syscalls, but considering there likely won't be any new X86 operating systems (syscall indices for WOW64 syscalls is same as X64) you can safely use already documented syscall indices (or rewrite this slightly)

The result of this is:

NtAcceptConnectPort index: 0x2 (Time: 0.000111)  
[!] ERROR: Failed to get syscall index for [NtAccessCheck]
NtAccessCheck index: 0x0 (Time: 0.001454)  
NtAccessCheckAndAuditAlarm index: 0x29 (Time: 0.000102)  
NtAccessCheckByType index: 0x63 (Time: 0.000090)  
NtAccessCheckByTypeAndAuditAlarm index: 0x59 (Time: 0.000112)  
NtAccessCheckByTypeResultList index: 0x64 (Time: 0.000069)  
NtAccessCheckByTypeResultListAndAuditAlarm index: 0x65 (Time: 0.000088)  
NtAccessCheckByTypeResultListAndAuditAlarmByHandle index: 0x66 (Time: 0.000061)  
[!] ERROR: Unable to get [NtAcquireCMFViewOwnership] address.
NtAddAtom index: 0x47 (Time: 0.000097)  
NtAddAtomEx index: 0x68 (Time: 0.000055)  
NtAddBootEntry index: 0x69 (Time: 0.000070)  
NtAddDriverEntry index: 0x6A (Time: 0.000059)  
NtAdjustGroupsToken index: 0x6B (Time: 0.000062)  
NtAdjustPrivilegesToken index: 0x41 (Time: 0.000058)  
NtAdjustTokenClaimsAndDeviceGroups index: 0x6C (Time: 0.000062)  
NtAlertResumeThread index: 0x6D (Time: 0.000077)  
NtAlertThread index: 0x6E (Time: 0.000063)  
NtAlertThreadByThreadId index: 0x6F (Time: 0.000057)  
NtAllocateLocallyUniqueId index: 0x70 (Time: 0.000066)  
NtAllocateReserveObject index: 0x71 (Time: 0.000060)  
NtAllocateUserPhysicalPages index: 0x72 (Time: 0.000060)  
NtAllocateUuids index: 0x73 (Time: 0.000063)  
NtAllocateVirtualMemory index: 0x18 (Time: 0.000061)  
NtAlpcAcceptConnectPort index: 0x74 (Time: 0.000070)  
NtAlpcCancelMessage index: 0x75 (Time: 0.000060)  
NtAlpcConnectPort index: 0x76 (Time: 0.000069)  
NtAlpcConnectPortEx index: 0x77 (Time: 0.000061)  
NtAlpcCreatePort index: 0x78 (Time: 0.000062)  
NtAlpcCreatePortSection index: 0x79 (Time: 0.000437)  
NtAlpcCreateResourceReserve index: 0x7A (Time: 0.000363)  
NtAlpcCreateSectionView index: 0x7B (Time: 0.000366)  
NtAlpcCreateSecurityContext index: 0x7C (Time: 0.000346)  
NtAlpcDeletePortSection index: 0x7D (Time: 0.000348)  
NtAlpcDeleteResourceReserve index: 0x7E (Time: 0.000342)  
NtAlpcDeleteSectionView index: 0x7F (Time: 0.000495)  
NtAlpcDeleteSecurityContext index: 0x80 (Time: 0.000526)  
NtAlpcDisconnectPort index: 0x81 (Time: 0.000692)  
NtAlpcImpersonateClientContainerOfPort index: 0x82 (Time: 0.000479)  
NtAlpcImpersonateClientOfPort index: 0x83 (Time: 0.000389)  
NtAlpcOpenSenderProcess index: 0x84 (Time: 0.000365)  
NtAlpcOpenSenderThread index: 0x85 (Time: 0.000339)  
NtAlpcQueryInformation index: 0x86 (Time: 0.000362)  
NtAlpcQueryInformationMessage index: 0x87 (Time: 0.000352)  
NtAlpcRevokeSecurityContext index: 0x88 (Time: 0.000456)  
NtAlpcSendWaitReceivePort index: 0x89 (Time: 0.000443)  
NtAlpcSetInformation index: 0x8A (Time: 0.000424)  
NtApphelpCacheControl index: 0x4C (Time: 0.000416)  
NtAreMappedFilesTheSame index: 0x8B (Time: 0.000372)  
NtAssignProcessToJobObject index: 0x8C (Time: 0.000346)  
NtAssociateWaitCompletionPacket index: 0x8D (Time: 0.000349)  
NtCallbackReturn index: 0x5 (Time: 0.000328)  
[!] ERROR: Unable to get [NtCancelDeviceWakeupRequest] address.
NtCancelIoFile index: 0x5D (Time: 0.000336)  
NtCancelIoFileEx index: 0x8E (Time: 0.000336)  
NtCancelSynchronousIoFile index: 0x8F (Time: 0.000332)  
NtCancelTimer index: 0x61 (Time: 0.000325)  
NtCancelTimer2 index: 0x90 (Time: 0.000356)  
NtCancelWaitCompletionPacket index: 0x91 (Time: 0.000328)  
[!] ERROR: Unable to get [NtClearAllSavepointsTransaction] address.
NtClearEvent index: 0x3E (Time: 0.000339)  
[!] ERROR: Unable to get [NtClearSavepointTransaction] address.
NtClose index: 0xF (Time: 0.000335)  
NtCloseObjectAuditAlarm index: 0x3B (Time: 0.000367)  
NtCommitComplete index: 0x92 (Time: 0.000363)  
NtCommitEnlistment index: 0x93 (Time: 0.000402)  
NtCommitRegistryTransaction index: 0x94 (Time: 0.000959)  
NtCommitTransaction index: 0x95 (Time: 0.000658)  
NtCompactKeys index: 0x96 (Time: 0.000472)  
NtCompareObjects index: 0x97 (Time: 0.000505)  
NtCompareTokens index: 0x99 (Time: 0.000494)  
NtCompleteConnectPort index: 0x9A (Time: 0.000465)  
NtCompressKey index: 0x9B (Time: 0.000523)  
NtConnectPort index: 0x9C (Time: 0.000392)  
NtContinue index: 0x43 (Time: 0.000460)  
NtCreateDebugObject index: 0x9E (Time: 0.000653)  
NtCreateDirectoryObject index: 0x9F (Time: 0.000353)  
NtCreateDirectoryObjectEx index: 0xA0 (Time: 0.000313)  
NtCreateEnclave index: 0xA1 (Time: 0.000328)  
NtCreateEnlistment index: 0xA2 (Time: 0.000434)  
NtCreateEvent index: 0x48 (Time: 0.000374)  
NtCreateEventPair index: 0xA3 (Time: 0.000353)  
NtCreateFile index: 0x55 (Time: 0.000347)  
NtCreateIRTimer index: 0xA4 (Time: 0.000465)  
NtCreateIoCompletion index: 0xA5 (Time: 0.000325)  
NtCreateJobObject index: 0xA6 (Time: 0.000318)  
NtCreateJobSet index: 0xA7 (Time: 0.000345)  
NtCreateKey index: 0x1D (Time: 0.000372)  
NtCreateKeyTransacted index: 0xA8 (Time: 0.000343)  
NtCreateKeyedEvent index: 0xA9 (Time: 0.000367)  
NtCreateLowBoxToken index: 0xAA (Time: 0.000351)  
NtCreateMailslotFile index: 0xAB (Time: 0.000362)  
NtCreateMutant index: 0xAC (Time: 0.000353)  
NtCreateNamedPipeFile index: 0xAD (Time: 0.000345)  
NtCreatePagingFile index: 0xAE (Time: 0.000337)  
NtCreatePartition index: 0xAF (Time: 0.000360)  
NtCreatePort index: 0xB0 (Time: 0.000348)  
NtCreatePrivateNamespace index: 0xB1 (Time: 0.000347)  
NtCreateProcess index: 0xB2 (Time: 0.000336)  
NtCreateProcessEx index: 0x4D (Time: 0.000339)  
NtCreateProfile index: 0xB3 (Time: 0.000353)  
NtCreateProfileEx index: 0xB4 (Time: 0.000887)  
NtCreateRegistryTransaction index: 0xB5 (Time: 0.000415)  
NtCreateResourceManager index: 0xB6 (Time: 0.000431)  
NtCreateSection index: 0x4A (Time: 0.000441)  
NtCreateSemaphore index: 0xB7 (Time: 0.000396)  
NtCreateSymbolicLinkObject index: 0xB8 (Time: 0.000414)  
NtCreateThread index: 0x4E (Time: 0.000384)  
NtCreateThreadEx index: 0xB9 (Time: 0.000433)  
NtCreateTimer index: 0xBA (Time: 0.000511)  
NtCreateTimer2 index: 0xBB (Time: 0.000454)  
NtCreateToken index: 0xBC (Time: 0.000356)  
NtCreateTokenEx index: 0xBD (Time: 0.000338)  
NtCreateTransaction index: 0xBE (Time: 0.000346)  
NtCreateTransactionManager index: 0xBF (Time: 0.000342)  
NtCreateUserProcess index: 0xC0 (Time: 0.000344)  
NtCreateWaitCompletionPacket index: 0xC1 (Time: 0.000342)  
NtCreateWaitablePort index: 0xC2 (Time: 0.000332)  
NtCreateWnfStateName index: 0xC3 (Time: 0.000331)  
NtCreateWorkerFactory index: 0xC4 (Time: 0.000345)  
NtDebugActiveProcess index: 0xC5 (Time: 0.000345)  
NtDebugContinue index: 0xC6 (Time: 0.000336)  
NtDelayExecution index: 0x34 (Time: 0.000336)  
NtDeleteAtom index: 0xC7 (Time: 0.000373)  
NtDeleteBootEntry index: 0xC8 (Time: 0.000335)  
NtDeleteDriverEntry index: 0xC9 (Time: 0.000328)  
NtDeleteFile index: 0xCA (Time: 0.000382)  
NtDeleteKey index: 0xCB (Time: 0.000347)  
NtDeleteObjectAuditAlarm index: 0xCC (Time: 0.000336)  
NtDeletePrivateNamespace index: 0xCD (Time: 0.000326)  
NtDeleteValueKey index: 0xCE (Time: 0.000328)  
NtDeleteWnfStateData index: 0xCF (Time: 0.000337)  
NtDeleteWnfStateName index: 0xD0 (Time: 0.000332)  
NtDeviceIoControlFile index: 0x7 (Time: 0.000373)  
NtDisableLastKnownGood index: 0xD1 (Time: 0.000853)  
NtDisplayString index: 0xD2 (Time: 0.000383)  
NtDrawText index: 0xD3 (Time: 0.000530)  
NtDuplicateObject index: 0x3C (Time: 0.000517)  
NtDuplicateToken index: 0x42 (Time: 0.000483)  
NtEnableLastKnownGood index: 0xD4 (Time: 0.000485)  
NtEnumerateBootEntries index: 0xD5 (Time: 0.000409)  
NtEnumerateDriverEntries index: 0xD6 (Time: 0.000401)  
NtEnumerateKey index: 0x32 (Time: 0.000416)  
NtEnumerateSystemEnvironmentValuesEx index: 0xD7 (Time: 0.000467)  
NtEnumerateTransactionObject index: 0xD8 (Time: 0.000431)  
NtEnumerateValueKey index: 0x13 (Time: 0.000468)  
NtExtendSection index: 0xD9 (Time: 0.000373)  
NtFilterBootOption index: 0xDA (Time: 0.000384)  
NtFilterToken index: 0xDB (Time: 0.000447)  
NtFilterTokenEx index: 0xDC (Time: 0.000398)  
NtFindAtom index: 0x14 (Time: 0.000414)  
NtFlushBuffersFile index: 0x4B (Time: 0.000594)  
NtFlushBuffersFileEx index: 0xDD (Time: 0.000441)  
NtFlushInstallUILanguage index: 0xDE (Time: 0.000367)  
NtFlushInstructionCache index: 0xDF (Time: 0.000337)  
NtFlushKey index: 0xE0 (Time: 0.000364)  
NtFlushProcessWriteBuffers index: 0xE1 (Time: 0.000372)  
NtFlushVirtualMemory index: 0xE2 (Time: 0.000369)  
NtFlushWriteBuffer index: 0xE3 (Time: 0.000362)  
NtFreeUserPhysicalPages index: 0xE4 (Time: 0.000354)  
NtFreeVirtualMemory index: 0x1E (Time: 0.001653)  
NtFreezeRegistry index: 0xE5 (Time: 0.000390)  
NtFreezeTransactions index: 0xE6 (Time: 0.000379)  
NtFsControlFile index: 0x39 (Time: 0.000371)  
NtGetCachedSigningLevel index: 0xE7 (Time: 0.000352)  
NtGetCompleteWnfStateSubscription index: 0xE8 (Time: 0.000508)  
NtGetContextThread index: 0xE9 (Time: 0.000447)  
NtGetCurrentProcessorNumber index: 0xEA (Time: 0.000379)  
NtGetCurrentProcessorNumberEx index: 0xEB (Time: 0.000360)  
NtGetDevicePowerState index: 0xEC (Time: 0.000472)  
NtGetMUIRegistryInfo index: 0xED (Time: 0.000348)  
NtGetNextProcess index: 0xEE (Time: 0.000439)  
NtGetNextThread index: 0xEF (Time: 0.000481)  
NtGetNlsSectionPtr index: 0xF0 (Time: 0.000428)  
NtGetNotificationResourceManager index: 0xF1 (Time: 0.000356)  
[!] ERROR: Unable to get [NtGetPlugPlayEvent] address.
NtGetWriteWatch index: 0xF2 (Time: 0.000338)  
NtImpersonateAnonymousToken index: 0xF3 (Time: 0.000359)  
NtImpersonateClientOfPort index: 0x1F (Time: 0.000345)  
NtImpersonateThread index: 0xF4 (Time: 0.000347)  
NtInitializeEnclave index: 0xF5 (Time: 0.000352)  
NtInitializeNlsFiles index: 0xF6 (Time: 0.000345)  
NtInitializeRegistry index: 0xF7 (Time: 0.000351)  
NtInitiatePowerAction index: 0xF8 (Time: 0.000369)  
NtIsProcessInJob index: 0x4F (Time: 0.000352)  
NtIsSystemResumeAutomatic index: 0xF9 (Time: 0.000341)  
NtIsUILanguageComitted index: 0xFA (Time: 0.000378)  
[!] ERROR: Unable to get [NtListTransactions] address.
NtListenPort index: 0xFB (Time: 0.000338)  
NtLoadDriver index: 0xFC (Time: 0.000370)  
NtLoadEnclaveData index: 0xFD (Time: 0.000341)  
NtLoadKey index: 0xFF (Time: 0.000330)  
NtLoadKey2 index: 0x100 (Time: 0.000326)  
NtLoadKeyEx index: 0x101 (Time: 0.000347)  
NtLockFile index: 0x102 (Time: 0.000339)  
NtLockProductActivationKeys index: 0x103 (Time: 0.000533)  
NtLockRegistryKey index: 0x104 (Time: 0.000366)  
NtLockVirtualMemory index: 0x105 (Time: 0.000344)  
NtMakePermanentObject index: 0x106 (Time: 0.000580)  
NtMakeTemporaryObject index: 0x107 (Time: 0.000373)  
NtManagePartition index: 0x108 (Time: 0.000368)  
NtMapCMFModule index: 0x109 (Time: 0.000364)  
NtMapUserPhysicalPages index: 0x10A (Time: 0.000458)  
NtMapUserPhysicalPagesScatter index: 0x3 (Time: 0.000476)  
NtMapViewOfSection index: 0x28 (Time: 0.000462)  
[!] ERROR: Unable to get [NtMarshallTransaction] address.
NtModifyBootEntry index: 0x10B (Time: 0.000373)  
NtModifyDriverEntry index: 0x10C (Time: 0.000337)  
NtNotifyChangeDirectoryFile index: 0x10D (Time: 0.000417)  
NtNotifyChangeKey index: 0x10E (Time: 0.000354)  
NtNotifyChangeMultipleKeys index: 0x10F (Time: 0.000360)  
NtNotifyChangeSession index: 0x110 (Time: 0.000328)  
NtOpenDirectoryObject index: 0x58 (Time: 0.000330)  
NtOpenEnlistment index: 0x111 (Time: 0.000329)  
NtOpenEvent index: 0x40 (Time: 0.000360)  
NtOpenEventPair index: 0x112 (Time: 0.000345)  
NtOpenFile index: 0x33 (Time: 0.000332)  
NtOpenIoCompletion index: 0x113 (Time: 0.000350)  
NtOpenJobObject index: 0x114 (Time: 0.000338)  
NtOpenKey index: 0x12 (Time: 0.000342)  
NtOpenKeyEx index: 0x115 (Time: 0.000325)  
NtOpenKeyTransacted index: 0x116 (Time: 0.000331)  
NtOpenKeyTransactedEx index: 0x117 (Time: 0.000346)  
NtOpenKeyedEvent index: 0x118 (Time: 0.000338)  
NtOpenMutant index: 0x119 (Time: 0.000329)  
NtOpenObjectAuditAlarm index: 0x11A (Time: 0.000327)  
NtOpenPartition index: 0x11B (Time: 0.000349)  
NtOpenPrivateNamespace index: 0x11C (Time: 0.000337)  
NtOpenProcess index: 0x26 (Time: 0.000345)  
NtOpenProcessToken index: 0x11D (Time: 0.000343)  
NtOpenProcessTokenEx index: 0x30 (Time: 0.000347)  
NtOpenRegistryTransaction index: 0x11E (Time: 0.000344)  
NtOpenResourceManager index: 0x11F (Time: 0.000331)  
NtOpenSection index: 0x37 (Time: 0.000328)  
NtOpenSemaphore index: 0x120 (Time: 0.000341)  
NtOpenSession index: 0x121 (Time: 0.000339)  
NtOpenSymbolicLinkObject index: 0x122 (Time: 0.000327)  
NtOpenThread index: 0x123 (Time: 0.000341)  
NtOpenThreadToken index: 0x24 (Time: 0.000683)  
NtOpenThreadTokenEx index: 0x2F (Time: 0.000375)  
NtOpenTimer index: 0x124 (Time: 0.000428)  
NtOpenTransaction index: 0x125 (Time: 0.000364)  
NtOpenTransactionManager index: 0x126 (Time: 0.000420)  
NtPlugPlayControl index: 0x127 (Time: 0.000477)  
NtPowerInformation index: 0x5F (Time: 0.000458)  
NtPrePrepareComplete index: 0x128 (Time: 0.000380)  
NtPrePrepareEnlistment index: 0x129 (Time: 0.000344)  
NtPrepareComplete index: 0x12A (Time: 0.000333)  
NtPrepareEnlistment index: 0x12B (Time: 0.000334)  
NtPrivilegeCheck index: 0x12C (Time: 0.000324)  
NtPrivilegeObjectAuditAlarm index: 0x12D (Time: 0.000342)  
NtPrivilegedServiceAuditAlarm index: 0x12E (Time: 0.000327)  
NtPropagationComplete index: 0x12F (Time: 0.000348)  
NtPropagationFailed index: 0x130 (Time: 0.000361)  
NtProtectVirtualMemory index: 0x50 (Time: 0.000356)  
[!] ERROR: Unable to get [NtPullTransaction] address.
NtPulseEvent index: 0x131 (Time: 0.000340)  
NtQueryAttributesFile index: 0x3D (Time: 0.000347)  
NtQueryBootEntryOrder index: 0x133 (Time: 0.000344)  
NtQueryBootOptions index: 0x134 (Time: 0.000394)  
NtQueryDebugFilterState index: 0x135 (Time: 0.000411)  
NtQueryDefaultLocale index: 0x15 (Time: 0.000363)  
NtQueryDefaultUILanguage index: 0x44 (Time: 0.000352)  
NtQueryDirectoryFile index: 0x35 (Time: 0.000368)  
NtQueryDirectoryObject index: 0x136 (Time: 0.000351)  
NtQueryDriverEntryOrder index: 0x137 (Time: 0.000339)  
NtQueryEaFile index: 0x138 (Time: 0.000433)  
NtQueryEvent index: 0x56 (Time: 0.000341)  
NtQueryFullAttributesFile index: 0x139 (Time: 0.000344)  
NtQueryInformationAtom index: 0x13A (Time: 0.000351)  
NtQueryInformationEnlistment index: 0x13C (Time: 0.000343)  
NtQueryInformationFile index: 0x11 (Time: 0.000344)  
NtQueryInformationJobObject index: 0x13D (Time: 0.000340)  
NtQueryInformationPort index: 0x13E (Time: 0.000332)  
NtQueryInformationProcess index: 0x19 (Time: 0.000330)  
NtQueryInformationResourceManager index: 0x13F (Time: 0.000368)  
NtQueryInformationThread index: 0x25 (Time: 0.000335)  
NtQueryInformationToken index: 0x21 (Time: 0.000332)  
NtQueryInformationTransaction index: 0x140 (Time: 0.000381)  
NtQueryInformationTransactionManager index: 0x141 (Time: 0.000349)  
NtQueryInformationWorkerFactory index: 0x142 (Time: 0.000341)  
NtQueryInstallUILanguage index: 0x143 (Time: 0.000349)  
NtQueryIntervalProfile index: 0x144 (Time: 0.000372)  
NtQueryIoCompletion index: 0x145 (Time: 0.000383)  
NtQueryKey index: 0x16 (Time: 0.000351)  
NtQueryLicenseValue index: 0x146 (Time: 0.000330)  
NtQueryMultipleValueKey index: 0x147 (Time: 0.000348)  
NtQueryMutant index: 0x148 (Time: 0.000383)  
NtQueryObject index: 0x10 (Time: 0.000343)  
NtQueryOpenSubKeys index: 0x149 (Time: 0.000346)  
NtQueryOpenSubKeysEx index: 0x14A (Time: 0.000340)  
NtQueryPerformanceCounter index: 0x31 (Time: 0.000339)  
NtQueryPortInformationProcess index: 0x14B (Time: 0.000329)  
NtQueryQuotaInformationFile index: 0x14C (Time: 0.000332)  
NtQuerySection index: 0x51 (Time: 0.000330)  
NtQuerySecurityAttributesToken index: 0x14D (Time: 0.000348)  
NtQuerySecurityObject index: 0x14E (Time: 0.000334)  
NtQuerySecurityPolicy index: 0x14F (Time: 0.000765)  
NtQuerySemaphore index: 0x150 (Time: 0.000406)  
NtQuerySymbolicLinkObject index: 0x151 (Time: 0.000453)  
NtQuerySystemEnvironmentValue index: 0x152 (Time: 0.000342)  
NtQuerySystemEnvironmentValueEx index: 0x153 (Time: 0.000327)  
NtQuerySystemInformation index: 0x36 (Time: 0.000335)  
NtQuerySystemInformationEx index: 0x154 (Time: 0.000353)  
NtQuerySystemTime index: 0x43 (Time: 0.000374)  
NtQueryTimer index: 0x38 (Time: 0.000330)  
NtQueryTimerResolution index: 0x155 (Time: 0.001401)  
NtQueryValueKey index: 0x17 (Time: 0.000361)  
NtQueryVirtualMemory index: 0x23 (Time: 0.000340)  
NtQueryVolumeInformationFile index: 0x49 (Time: 0.000334)  
NtQueryWnfStateData index: 0x156 (Time: 0.000349)  
NtQueryWnfStateNameInformation index: 0x157 (Time: 0.000341)  
NtQueueApcThread index: 0x45 (Time: 0.000340)  
NtQueueApcThreadEx index: 0x158 (Time: 0.000334)  
NtRaiseException index: 0x159 (Time: 0.000340)  
NtRaiseHardError index: 0x15A (Time: 0.000360)  
NtReadFile index: 0x6 (Time: 0.000467)  
NtReadFileScatter index: 0x2E (Time: 0.000344)  
NtReadOnlyEnlistment index: 0x15B (Time: 0.000348)  
NtReadRequestData index: 0x54 (Time: 0.000359)  
NtReadVirtualMemory index: 0x3F (Time: 0.000464)  
NtRecoverEnlistment index: 0x15C (Time: 0.000334)  
NtRecoverResourceManager index: 0x15D (Time: 0.000335)  
NtRecoverTransactionManager index: 0x15E (Time: 0.000353)  
NtRegisterProtocolAddressInformation index: 0x15F (Time: 0.000337)  
NtRegisterThreadTerminatePort index: 0x160 (Time: 0.000335)  
[!] ERROR: Unable to get [NtReleaseCMFViewOwnership] address.
NtReleaseMutant index: 0x20 (Time: 0.000335)  
NtReleaseSemaphore index: 0xA (Time: 0.000336)  
NtReleaseWorkerFactoryWorker index: 0x162 (Time: 0.000362)  
NtRemoveIoCompletion index: 0x9 (Time: 0.000350)  
NtRemoveIoCompletionEx index: 0x163 (Time: 0.000334)  
NtRemoveProcessDebug index: 0x164 (Time: 0.000338)  
NtRenameKey index: 0x165 (Time: 0.000338)  
NtRenameTransactionManager index: 0x166 (Time: 0.000331)  
NtReplaceKey index: 0x167 (Time: 0.000328)  
NtReplacePartitionUnit index: 0x168 (Time: 0.000345)  
NtReplyPort index: 0xC (Time: 0.000641)  
NtReplyWaitReceivePort index: 0xB (Time: 0.000391)  
NtReplyWaitReceivePortEx index: 0x2B (Time: 0.000402)  
NtReplyWaitReplyPort index: 0x169 (Time: 0.000341)  
[!] ERROR: Unable to get [NtRequestDeviceWakeup] address.
NtRequestPort index: 0x16A (Time: 0.000339)  
NtRequestWaitReplyPort index: 0x22 (Time: 0.000336)  
[!] ERROR: Unable to get [NtRequestWakeupLatency] address.
NtResetEvent index: 0x16B (Time: 0.000331)  
NtResetWriteWatch index: 0x16C (Time: 0.000340)  
NtRestoreKey index: 0x16D (Time: 0.000334)  
NtResumeProcess index: 0x16E (Time: 0.000333)  
NtResumeThread index: 0x52 (Time: 0.000332)  
NtRevertContainerImpersonation index: 0x16F (Time: 0.000363)  
NtRollbackComplete index: 0x170 (Time: 0.000343)  
NtRollbackEnlistment index: 0x171 (Time: 0.000338)  
NtRollbackRegistryTransaction index: 0x172 (Time: 0.000340)  
[!] ERROR: Unable to get [NtRollbackSavepointTransaction] address.
NtRollbackTransaction index: 0x173 (Time: 0.000353)  
NtRollforwardTransactionManager index: 0x174 (Time: 0.000438)  
NtSaveKey index: 0x175 (Time: 0.000338)  
NtSaveKeyEx index: 0x176 (Time: 0.000349)  
NtSaveMergedKeys index: 0x177 (Time: 0.000336)  
[!] ERROR: Unable to get [NtSavepointComplete] address.
[!] ERROR: Unable to get [NtSavepointTransaction] address.
NtSecureConnectPort index: 0x178 (Time: 0.000335)  
NtSerializeBoot index: 0x179 (Time: 0.000339)  
NtSetBootEntryOrder index: 0x17A (Time: 0.000339)  
NtSetBootOptions index: 0x17B (Time: 0.000342)  
NtSetCachedSigningLevel index: 0x17C (Time: 0.000335)  
NtSetCachedSigningLevel2 index: 0x17D (Time: 0.000374)  
NtSetContextThread index: 0x17E (Time: 0.000342)  
NtSetDebugFilterState index: 0x17F (Time: 0.000345)  
NtSetDefaultHardErrorPort index: 0x180 (Time: 0.000340)  
NtSetDefaultLocale index: 0x181 (Time: 0.000341)  
NtSetDriverEntryOrder index: 0x183 (Time: 0.000210)  
NtSetEaFile index: 0x184 (Time: 0.001016)  
NtSetEvent index: 0xE (Time: 0.000428)  
NtSetEventBoostPriority index: 0x2D (Time: 0.000378)  
NtSetHighEventPair index: 0x185 (Time: 0.000394)  
NtSetHighWaitLowEventPair index: 0x186 (Time: 0.000365)  
NtSetIRTimer index: 0x187 (Time: 0.000363)  
NtSetInformationDebugObject index: 0x188 (Time: 0.000395)  
NtSetInformationEnlistment index: 0x189 (Time: 0.000387)  
NtSetInformationFile index: 0x27 (Time: 0.000363)  
NtSetInformationJobObject index: 0x18A (Time: 0.000382)  
NtSetInformationKey index: 0x18B (Time: 0.000370)  
NtSetInformationObject index: 0x5C (Time: 0.000376)  
NtSetInformationProcess index: 0x1C (Time: 0.000468)  
NtSetInformationResourceManager index: 0x18C (Time: 0.000359)  
NtSetInformationSymbolicLink index: 0x18D (Time: 0.000389)  
NtSetInformationThread index: 0xD (Time: 0.000381)  
NtSetInformationToken index: 0x18E (Time: 0.000366)  
NtSetInformationTransaction index: 0x18F (Time: 0.000360)  
NtSetInformationTransactionManager index: 0x190 (Time: 0.000537)  
NtSetInformationVirtualMemory index: 0x191 (Time: 0.000430)  
NtSetInformationWorkerFactory index: 0x192 (Time: 0.000368)  
NtSetIntervalProfile index: 0x193 (Time: 0.000346)  
NtSetIoCompletion index: 0x194 (Time: 0.000391)  
NtSetIoCompletionEx index: 0x195 (Time: 0.000367)  
NtSetLdtEntries index: 0x196 (Time: 0.000342)  
NtSetLowEventPair index: 0x197 (Time: 0.000336)  
NtSetLowWaitHighEventPair index: 0x198 (Time: 0.000327)  
NtSetQuotaInformationFile index: 0x199 (Time: 0.000364)  
NtSetSecurityObject index: 0x19A (Time: 0.000344)  
NtSetSystemEnvironmentValue index: 0x19B (Time: 0.000334)  
NtSetSystemEnvironmentValueEx index: 0x19C (Time: 0.000327)  
NtSetSystemInformation index: 0x19D (Time: 0.000513)  
NtSetSystemPowerState index: 0x19E (Time: 0.000346)  
NtSetSystemTime index: 0x19F (Time: 0.000582)  
NtSetThreadExecutionState index: 0x1A0 (Time: 0.000338)  
NtSetTimer index: 0x62 (Time: 0.000383)  
NtSetTimer2 index: 0x1A1 (Time: 0.000336)  
NtSetTimerEx index: 0x1A2 (Time: 0.000340)  
NtSetTimerResolution index: 0x1A3 (Time: 0.000335)  
NtSetUuidSeed index: 0x1A4 (Time: 0.000370)  
NtSetValueKey index: 0x60 (Time: 0.000372)  
NtSetVolumeInformationFile index: 0x1A5 (Time: 0.000334)  
NtSetWnfProcessNotificationEvent index: 0x1A6 (Time: 0.000359)  
NtShutdownSystem index: 0x1A7 (Time: 0.000348)  
NtShutdownWorkerFactory index: 0x1A8 (Time: 0.000338)  
NtSignalAndWaitForSingleObject index: 0x1A9 (Time: 0.000327)  
NtSinglePhaseReject index: 0x1AA (Time: 0.000328)  
NtStartProfile index: 0x1AB (Time: 0.000329)  
[!] ERROR: Unable to get [NtStartTm] address.
NtStopProfile index: 0x1AC (Time: 0.000327)  
NtSubscribeWnfStateChange index: 0x1AD (Time: 0.000357)  
NtSuspendProcess index: 0x1AE (Time: 0.000398)  
NtSuspendThread index: 0x1AF (Time: 0.000333)  
NtSystemDebugControl index: 0x1B0 (Time: 0.000359)  
NtTerminateJobObject index: 0x1B1 (Time: 0.000339)  
Press any key to continue . . .  

Andrew Artz

Read more posts by this author.