Testing Dump Analysis on Windows 7 Beta (Part 1)
I forced a complete memory dump of Windows 7 Beta running under VMware Fusion on my MacBook Air laptop using SystemDump. In WinDbg I can see that the kernel32 API has been refactored: common API appears to have been factored out into KERNELBASE.dll. For example, the new session 1 process taskhost.exe shows the changes below in its user-mode stack frames (KERNELBASE frames and kernel32 Stub frames); the rest of the stack trace layout looks the same as in Vista, except for nt!KiCommitThreadWait in the kernel-mode part of each stack:
kd> vertarget
Windows Kernel Version 7000 UP Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 7000.0.x86fre.winmain_win7beta.081212-1400
Kernel base = 0x82639000 PsLoadedModuleList = 0x82790830
Debug session time: Thu Feb 5 12:21:31.765 2009 (GMT+0)
System Uptime: 0 days 0:14:43.078
kd> .process /r /p 85471598
Implicit process is now 85471598
Loading User Symbols
kd> !process 85471598
PROCESS 85471598 SessionId: 1 Cid: 0750 Peb: 7ffd5000 ParentCid: 01a4
DirBase: 1efb2320 ObjectTable: 90282990 HandleCount: 176.
Image: taskhost.exe
VadRoot 8547c480 Vads 93 Clone 0 Private 410. Modified 107. Locked 0.
DeviceMap 8f909fc8
Token 9025d980
ElapsedTime 00:13:41.390
UserTime 00:00:00.000
KernelTime 00:00:00.125
QuotaPoolUsage[PagedPool] 0
QuotaPoolUsage[NonPagedPool] 0
Working Set Sizes (now,min,max) (1276, 50, 345) (5104KB, 200KB, 1380KB)
PeakWorkingSetSize 1278
VirtualSize 38 Mb
PeakVirtualSize 38 Mb
PageFaultCount 2040
MemoryPriority BACKGROUND
BasePriority 8
CommitCharge 669
THREAD 85471af0 Cid 0750.0754 Teb: 7ffdf000 Win32Thread: fe823598 WAIT: (UserRequest) UserMode Non-Alertable
8543f778 SynchronizationEvent
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 4012 Ticks: 52505 (0:00:13:40.390)
Context Switch Count 53
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address taskhost!wWinMainCRTStartup (0x006b2e64)
Stack Init 8a3ebfd0 Current 8a3ebb30 Base 8a3ec000 Limit 8a3e9000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr
8a3ebb48 8268951d nt!KiSwapContext+0x26
8a3ebb8c 826cf460 nt!KiSwapThread+0x57b
8a3ebbe0 8268ccaf nt!KiCommitThreadWait+0x340
8a3ebcb8 828ad5bc nt!KeWaitForSingleObject+0x3ee
8a3ebd20 8269066a nt!NtWaitForSingleObject+0xc6
8a3ebd20 771e5704 nt!KiFastCallEntry+0x12a
001dfac0 771d429c ntdll!KiFastSystemCallRet
001dfac4 7543182c ntdll!NtWaitForSingleObject+0xc
001dfb30 76f54f23 KERNELBASE!WaitForSingleObjectEx+0x98
001dfb48 76f54ed2 kernel32!WaitForSingleObjectExStub+0x75
001dfb5c 006b3400 kernel32!WaitForSingleObject+0x12
001dfbbc 006b36c9 taskhost!UbpmpTaskHostSendResponseReceiveCommand+0x6c
001dfc10 006b2b52 taskhost!UbpmTaskHostWaitForCommands+0xf5
001dfc1c 006b2d0c taskhost!wWinMain+0xd
001dfcb0 76f536d6 taskhost!_initterm_e+0x1b1
001dfcbc 771c883c kernel32!BaseThreadInitThunk+0xe
001dfcfc 771c880f ntdll!__RtlUserThreadStart+0x70
001dfd14 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 8547dab0 Cid 0750.075c Teb: 7ffde000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Alertable
8547dd98 SynchronizationTimer
8547de60 SynchronizationTimer
85431df0 SynchronizationEvent
85444500 SynchronizationTimer
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 5989 Ticks: 50528 (0:00:13:09.500)
Context Switch Count 9
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWaiterpThread (0x771ccb5e)
Stack Init 8f698fd0 Current 8f698688 Base 8f699000 Limit 8f696000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr
8f6986a0 8268951d nt!KiSwapContext+0x26
8f6986e4 826cf460 nt!KiSwapThread+0x57b
8f698738 826cbb81 nt!KiCommitThreadWait+0x340
8f698940 828ae100 nt!KeWaitForMultipleObjects+0x5e3
8f698bcc 828ade6b nt!ObpWaitForMultipleObjects+0x264
8f698d18 8269066a nt!NtWaitForMultipleObjects+0xcc
8f698d18 771e5704 nt!KiFastCallEntry+0x12a
0068fa44 771d427c ntdll!KiFastSystemCallRet
0068fa48 771ccc8a ntdll!NtWaitForMultipleObjects+0xc
0068fbdc 76f536d6 ntdll!TppWaiterpThread+0x33d
0068fbe8 771c883c kernel32!BaseThreadInitThunk+0xe
0068fc28 771c880f ntdll!__RtlUserThreadStart+0x70
0068fc40 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 8547d3f8 Cid 0750.0760 Teb: 7ffdd000 Win32Thread: fe81f888 WAIT: (UserRequest) UserMode Non-Alertable
8546dff0 NotificationEvent
8542a490 SynchronizationEvent
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 43362 Ticks: 13155 (0:00:03:25.546)
Context Switch Count 43
UserTime 00:00:00.000
KernelTime 00:00:00.078
Win32 Start Address taskhost!ComTaskMgrWnd::MsgPumpThreadProc (0x006b69f6)
Stack Init 8f6a3fd0 Current 8f6a3688 Base 8f6a4000 Limit 8f6a1000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr
8f6a36a0 8268951d nt!KiSwapContext+0x26
8f6a36e4 826cf460 nt!KiSwapThread+0x57b
8f6a3738 826cbb81 nt!KiCommitThreadWait+0x340
8f6a3940 828ae100 nt!KeWaitForMultipleObjects+0x5e3
8f6a3bcc 828ade6b nt!ObpWaitForMultipleObjects+0x264
8f6a3d18 8269066a nt!NtWaitForMultipleObjects+0xcc
8f6a3d18 771e5704 nt!KiFastCallEntry+0x12a
0130f93c 771d427c ntdll!KiFastSystemCallRet
0130f940 75436e4d ntdll!NtWaitForMultipleObjects+0xc
0130f9dc 76f5506f KERNELBASE!WaitForMultipleObjectsEx+0x100
0130fa24 76fd9c0d kernel32!WaitForMultipleObjectsExStub+0xe0
0130fa78 76fda24f USER32!RealMsgWaitForMultipleObjectsEx+0x13c
0130fa94 006b6a46 USER32!MsgWaitForMultipleObjects+0x1f
0130fadc 76f536d6 taskhost!ComTaskMgrWnd::MsgPumpThreadProc+0x50
0130fae8 771c883c kernel32!BaseThreadInitThunk+0xe
0130fb28 771c880f ntdll!__RtlUserThreadStart+0x70
0130fb40 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 854b66a8 Cid 0750.0788 Teb: 7ffd6000 Win32Thread: 00000000 WAIT: (WrQueue) UserMode Alertable
85394928 QueueObject
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 4060 Ticks: 52457 (0:00:13:39.640)
Context Switch Count 7
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address ntdll!TppWorkerThread (0x771c8ede)
Stack Init 904e5fd0 Current 904e5b00 Base 904e6000 Limit 904e3000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr
904e5b18 8268951d nt!KiSwapContext+0x26
904e5b5c 826cf460 nt!KiSwapThread+0x57b
904e5bb0 826d2e5c nt!KiCommitThreadWait+0x340
904e5c38 828ad62d nt!KeRemoveQueueEx+0x7df
904e5c90 826d95cb nt!IoRemoveIoCompletion+0x23
904e5d24 8269066a nt!NtWaitForWorkViaWorkerFactory+0x1a1
904e5d24 771e5704 nt!KiFastCallEntry+0x12a
0148fc54 771d42ac ntdll!KiFastSystemCallRet
0148fc58 771cce31 ntdll!NtWaitForWorkViaWorkerFactory+0xc
0148fdbc 76f536d6 ntdll!TppWorkerThread+0x223
0148fdc8 771c883c kernel32!BaseThreadInitThunk+0xe
0148fe08 771c880f ntdll!__RtlUserThreadStart+0x70
0148fe20 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 85491658 Cid 0750.07b8 Teb: 7ffd3000 Win32Thread: fe4afbb8 WAIT: (UserRequest) UserMode Non-Alertable
8540c280 NotificationEvent
85494a08 NotificationEvent
85494980 NotificationEvent
854948f8 NotificationEvent
85494870 NotificationEvent
854947e8 NotificationEvent
85494760 NotificationEvent
854946d8 NotificationEvent
85494650 NotificationEvent
854945c8 NotificationEvent
85494540 NotificationEvent
8544ba30 NotificationEvent
85145480 NotificationEvent
84a27448 SynchronizationEvent
85459e50 SynchronizationEvent
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 53222 Ticks: 3295 (0:00:00:51.484)
Context Switch Count 738
UserTime 00:00:00.000
KernelTime 00:00:00.125
Win32 Start Address MsCtfMonitor!MsCtfMonitor::ThreadProc (0x702c208d)
Stack Init 89f1efd0 Current 89f1e688 Base 89f1f000 Limit 89f1c000 Call 0
Priority 10 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr
89f1e6a0 8268951d nt!KiSwapContext+0x26
89f1e6e4 826cf460 nt!KiSwapThread+0x57b
89f1e738 826cbb81 nt!KiCommitThreadWait+0x340
89f1e940 828ae100 nt!KeWaitForMultipleObjects+0x5e3
89f1ebcc 828ade6b nt!ObpWaitForMultipleObjects+0x264
89f1ed18 8269066a nt!NtWaitForMultipleObjects+0xcc
89f1ed18 771e5704 nt!KiFastCallEntry+0x12a
0142f864 771d427c ntdll!KiFastSystemCallRet
0142f868 75436e4d ntdll!NtWaitForMultipleObjects+0xc
0142f904 76f5506f KERNELBASE!WaitForMultipleObjectsEx+0x100
0142f94c 76fd9c0d kernel32!WaitForMultipleObjectsExStub+0xe0
0142f9a0 76fda24f USER32!RealMsgWaitForMultipleObjectsEx+0x13c
0142f9bc 702c1435 USER32!MsgWaitForMultipleObjects+0x1f
0142fb7c 702c20e1 MsCtfMonitor!DoMsCtfMonitor+0x2b8
0142fd9c 76f536d6 MsCtfMonitor!MsCtfMonitor::ThreadProc+0x5d
0142fda8 771c883c kernel32!BaseThreadInitThunk+0xe
0142fde8 771c880f ntdll!__RtlUserThreadStart+0x70
0142fe00 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 85491370 Cid 0750.07bc Teb: 7ffda000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode Non-Alertable
85492ff0 NotificationEvent
853bc030 NotificationEvent
IRP List:
85492408: (0006,0094) Flags: 00060070 Mdl: 00000000
85492568: (0006,0094) Flags: 00060070 Mdl: 00000000
854926c8: (0006,0094) Flags: 00060070 Mdl: 00000000
85492828: (0006,0094) Flags: 00060070 Mdl: 00000000
85492988: (0006,0094) Flags: 00060070 Mdl: 00000000
85492ae8: (0006,0094) Flags: 00060070 Mdl: 00000000
85492c48: (0006,0094) Flags: 00060070 Mdl: 00000000
85492da8: (0006,0094) Flags: 00060070 Mdl: 00000000
8544e4b8: (0006,0094) Flags: 00060070 Mdl: 00000000
853cf470: (0006,0094) Flags: 00060070 Mdl: 00000000
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 4060 Ticks: 52457 (0:00:13:39.640)
Context Switch Count 2
UserTime 00:00:00.000
KernelTime 00:00:00.000
Win32 Start Address PlaySndSrv!CBeepRedirector::WorkThread (0x70271c6c)
Stack Init 8f65dfd0 Current 8f65d688 Base 8f65e000 Limit 8f65b000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
Kernel stack not resident.
ChildEBP RetAddr
8f65d6a0 8268951d nt!KiSwapContext+0x26
8f65d6e4 826cf460 nt!KiSwapThread+0x57b
8f65d738 826cbb81 nt!KiCommitThreadWait+0x340
8f65d940 828ae100 nt!KeWaitForMultipleObjects+0x5e3
8f65dbcc 828ade6b nt!ObpWaitForMultipleObjects+0x264
8f65dd18 8269066a nt!NtWaitForMultipleObjects+0xcc
8f65dd18 771e5704 nt!KiFastCallEntry+0x12a
01c6f6d4 771d427c ntdll!KiFastSystemCallRet
01c6f6d8 75436e4d ntdll!NtWaitForMultipleObjects+0xc
01c6f774 76f5506f KERNELBASE!WaitForMultipleObjectsEx+0x100
01c6f7bc 70271cdd kernel32!WaitForMultipleObjectsExStub+0xe0
01c6f93c 76f536d6 PlaySndSrv!CBeepRedirector::WorkThread+0x266
01c6f948 771c883c kernel32!BaseThreadInitThunk+0xe
01c6f988 771c880f ntdll!__RtlUserThreadStart+0x70
01c6f9a0 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 84a01370 Cid 0750.07c8 Teb: 7ffd9000 Win32Thread: fe4afde0 WAIT: (WrLpcReceive) UserMode Non-Alertable
84a015a4 Semaphore Limit 0x1
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 53222 Ticks: 3295 (0:00:00:51.484)
Context Switch Count 890
UserTime 00:00:00.000
KernelTime 00:00:00.031
Win32 Start Address MSCTF!CCtfServerPort::StaticServerThread (0x76bea423)
Stack Init 89e4ffd0 Current 89e4fa78 Base 89e50000 Limit 89e4d000 Call 0
Priority 9 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr
89e4fa90 8268951d nt!KiSwapContext+0x26
89e4fad4 826cf460 nt!KiSwapThread+0x57b
89e4fb28 8268ccaf nt!KiCommitThreadWait+0x340
89e4fc04 828b9a5a nt!KeWaitForSingleObject+0x3ee
89e4fc34 828ba1c9 nt!AlpcpReceiveMessagePort+0x245
89e4fcb4 828ba489 nt!AlpcpReceiveMessage+0x1b8
89e4fd0c 8269066a nt!NtAlpcSendWaitReceivePort+0x11b
89e4fd0c 771e5704 nt!KiFastCallEntry+0x12a
005feb10 771d2c8c ntdll!KiFastSystemCallRet
005feb14 76bd5b34 ntdll!NtAlpcSendWaitReceivePort+0xc
005ffb9c 76bea53c MSCTF!CCtfServerPort::ServerLoop+0x136
005ffe2c 76bea441 MSCTF!CCtfServerPort::ServerThread+0xde
005ffe3c 76f536d6 MSCTF!CCtfServerPort::StaticServerThread+0x22
005ffe48 771c883c kernel32!BaseThreadInitThunk+0xe
005ffe88 771c880f ntdll!__RtlUserThreadStart+0x70
005ffea0 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 854cc5f0 Cid 0750.0114 Teb: 7ffd8000 Win32Thread: fe4bb008 WAIT: (WrUserRequest) UserMode Non-Alertable
854cc488 SynchronizationEvent
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 53850 Ticks: 2667 (0:00:00:41.671)
Context Switch Count 301
UserTime 00:00:00.000
KernelTime 00:00:00.218
Win32 Start Address WINMM!mciwindow (0x73942761)
Stack Init 904c6fd0 Current 904c6a60 Base 904c7000 Limit 904c4000 Call 0
Priority 12 BasePriority 10 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr
904c6a78 8268951d nt!KiSwapContext+0x26
904c6abc 826cf460 nt!KiSwapThread+0x57b
904c6b10 8268ccaf nt!KiCommitThreadWait+0x340
904c6be8 8e50c768 nt!KeWaitForSingleObject+0x3ee
904c6c44 8e50c575 win32k!xxxRealSleepThread+0x1d7
904c6c60 8e508379 win32k!xxxSleepThread+0x2d
904c6cb8 8e50cf9a win32k!xxxRealInternalGetMessage+0x4b2
904c6d1c 8269066a win32k!NtUserGetMessage+0x3f
904c6d1c 771e5704 nt!KiFastCallEntry+0x12a
0169f7d8 76fdbb29 ntdll!KiFastSystemCallRet
0169f7dc 76fd3f49 USER32!NtUserGetMessage+0xc
0169f800 739427e0 USER32!GetMessageA+0x8d
0169f838 76f536d6 WINMM!mciwindow+0x102
0169f844 771c883c kernel32!BaseThreadInitThunk+0xe
0169f884 771c880f ntdll!__RtlUserThreadStart+0x70
0169f89c 00000000 ntdll!_RtlUserThreadStart+0x1b
THREAD 83bafd48 Cid 0750.09f8 Teb: 7ffdb000 Win32Thread: fe569198 WAIT: (WrQueue) UserMode Alertable
8547dfd0 QueueObject
83bafdd8 NotificationTimer
Not impersonating
DeviceMap 8f909fc8
Owning Process 85471598 Image: taskhost.exe
Wait Start TickCount 53850 Ticks: 2667 (0:00:00:41.671)
Context Switch Count 102
UserTime 00:00:00.000
KernelTime 00:00:00.015
Win32 Start Address ntdll!TppWorkerThread (0x771c8ede)
Stack Init 8bff3fd0 Current 8bff3b00 Base 8bff4000 Limit 8bff1000 Call 0
Priority 8 BasePriority 8 PriorityDecrement 0 IoPriority 2 PagePriority 5
ChildEBP RetAddr
8bff3b18 8268951d nt!KiSwapContext+0x26
8bff3b5c 826cf460 nt!KiSwapThread+0x57b
8bff3bb0 826d2e5c nt!KiCommitThreadWait+0x340
8bff3c38 828ad62d nt!KeRemoveQueueEx+0x7df
8bff3c90 826d95cb nt!IoRemoveIoCompletion+0x23
8bff3d24 8269066a nt!NtWaitForWorkViaWorkerFactory+0x1a1
8bff3d24 771e5704 nt!KiFastCallEntry+0x12a
0184f9f4 771d42ac ntdll!KiFastSystemCallRet
0184f9f8 771cce31 ntdll!NtWaitForWorkViaWorkerFactory+0xc
0184fb5c 76f536d6 ntdll!TppWorkerThread+0x223
0184fb68 771c883c kernel32!BaseThreadInitThunk+0xe
0184fba8 771c880f ntdll!__RtlUserThreadStart+0x70
0184fbc0 00000000 ntdll!_RtlUserThreadStart+0x1b
kd> lmv m taskhost
start end module name
006b0000 006be000 taskhost (deferred)
Image path: C:\Windows\system32\taskhost.exe
Image name: taskhost.exe
Timestamp: Sat Dec 13 02:02:54 2008 (494317CE)
CheckSum: 00011C71
ImageSize: 0000E000
File version: 6.1.7000.0
Product version: 6.1.7000.0
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: taskhost.exe
OriginalFilename: taskhost.exe
ProductVersion: 6.1.7000.0
FileVersion: 6.1.7000.0 (winmain_win7beta.081212-1400)
FileDescription: Host Process for Windows Tasks
LegalCopyright: © Microsoft Corporation. All rights reserved.
Functions that previously called the kernel32 API now call stub equivalents in kernel32 (the function names are suffixed with Stub), and these stubs in turn call KERNELBASE functions that carry the former kernel32 function names.
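The kernel32 stub layer described here and in the introduction can be checked mechanically rather than by eye. As an added example (not code from this post, WinDbg or Microsoft), the following Python parses x86 frame lines in the layout shown above and reports every kernel32!FooStub frame sitting directly above a KERNELBASE!Foo frame; the embedded sample is the first taskhost.exe thread stack from the dump.

```python
"""Find the Windows 7 kernel32 -> kernel32!*Stub -> KERNELBASE call chains in a
WinDbg stack trace. Added example for this post (not WinDbg or Microsoft code);
it assumes the x86 'ChildEBP RetAddr module!symbol+0xoff' frame layout shown
above, innermost frame first."""
import re
from typing import NamedTuple

# ChildEBP RetAddr module!symbol[+0xoffset]; header and blank lines do not match
FRAME_RE = re.compile(
    r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})\s+([^!\s]+)!([^\s+]+)(?:\+0x([0-9a-f]+))?\s*$",
    re.IGNORECASE,
)

class Frame(NamedTuple):
    module: str
    symbol: str
    offset: int

def parse_frames(text: str) -> list[Frame]:
    """Extract module!symbol frames from k / !process output, in listed order."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(m.group(3), m.group(4), int(m.group(5) or "0", 16)))
    return frames

def find_stub_forwards(frames: list[Frame]) -> list[tuple[str, str, str]]:
    """Return (caller, kernel32 stub, KERNELBASE target) triples: frame i is
    KERNELBASE!Foo (callee), frame i+1 kernel32!FooStub, frame i+2 the caller
    of the kernel32 export (here kernel32!WaitForSingleObject)."""
    hits = []
    for i in range(len(frames) - 2):
        callee, stub, caller = frames[i], frames[i + 1], frames[i + 2]
        if (callee.module.lower() == "kernelbase"
                and stub.module.lower() == "kernel32"
                and stub.symbol.lower() == callee.symbol.lower() + "stub"):
            hits.append((f"{caller.module}!{caller.symbol}",
                         f"{stub.module}!{stub.symbol}",
                         f"{callee.module}!{callee.symbol}"))
    return hits

def kernel_wait_path(frames: list[Frame]) -> list[str]:
    """nt! symbols of the kernel-mode half; Win7 shows KiCommitThreadWait here."""
    return [f.symbol for f in frames if f.module.lower() == "nt"]

# Sample input: the first taskhost.exe thread stack from the dump above.
SAMPLE_STACK = """\
ChildEBP RetAddr
8a3ebb48 8268951d nt!KiSwapContext+0x26
8a3ebb8c 826cf460 nt!KiSwapThread+0x57b
8a3ebbe0 8268ccaf nt!KiCommitThreadWait+0x340
8a3ebcb8 828ad5bc nt!KeWaitForSingleObject+0x3ee
8a3ebd20 8269066a nt!NtWaitForSingleObject+0xc6
8a3ebd20 771e5704 nt!KiFastCallEntry+0x12a
001dfac0 771d429c ntdll!KiFastSystemCallRet
001dfac4 7543182c ntdll!NtWaitForSingleObject+0xc
001dfb30 76f54f23 KERNELBASE!WaitForSingleObjectEx+0x98
001dfb48 76f54ed2 kernel32!WaitForSingleObjectExStub+0x75
001dfb5c 006b3400 kernel32!WaitForSingleObject+0x12
001dfbbc 006b36c9 taskhost!UbpmpTaskHostSendResponseReceiveCommand+0x6c
"""

if __name__ == "__main__":
    for caller, stub, target in find_stub_forwards(parse_frames(SAMPLE_STACK)):
        print(f"{caller} -> {stub} -> {target}")
```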
Dumping the import directory contents of the USER32, ADVAPI32 and GDI32 modules shows that they also depend on KERNELBASE. For example, for GDI32 (loaded at 75e70000) we have:
kd> !dh 75e70000
File Type: DLL
FILE HEADER VALUES
14C machine (i386)
4 number of sections
49433CCD time date stamp Sat Dec 13 04:40:45 2008
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
2102 characteristics
Executable
32 bit word machine
DLL
OPTIONAL HEADER VALUES
10B magic #
9.00 linker version
46600 size of code
3A00 size of initialized data
0 size of uninitialized data
CF7C address of entry point
1000 base of code
----- new -----
75e70000 image base
1000 section alignment
200 file alignment
3 subsystem (Windows CUI)
6.01 operating system version
6.01 image version
6.01 subsystem version
4D000 size of image
800 size of headers
4D765 checksum
00040000 size of stack reserve
00001000 size of stack commit
00100000 size of heap reserve
00001000 size of heap commit
1284 [ 4BB4] address [size] of Export Directory
46308 [ 1B8] address [size] of Import Directory
4A000 [ 3D0] address [size] of Resource Directory
0 [ 0] address [size] of Exception Directory
0 [ 0] address [size] of Security Directory
4B000 [ 1920] address [size] of Base Relocation Directory
474F0 [ 38] address [size] of Debug Directory
0 [ 0] address [size] of Description Directory
0 [ 0] address [size] of Special Directory
0 [ 0] address [size] of Thread Storage Directory
2A000 [ 40] address [size] of Load Configuration Directory
280 [ 3E4] address [size] of Bound Import Directory
1000 [ 284] address [size] of Import Address Table Directory
0 [ 0] address [size] of Delay Import Directory
0 [ 0] address [size] of COR20 Header Directory
0 [ 0] address [size] of Reserved Directory
[…]
kd> dds 75e70000+1000 75e70000+1000+284
75e71000 771d3da0 ntdll!ZwSecureConnectPort
75e71004 771d3bb0 ntdll!ZwRegisterThreadTerminatePort
75e71008 771d38b0 ntdll!ZwQueryInformationProcess
75e7100c 771ab232 ntdll!RtlUnwind
75e71010 771d3680 ntdll!NtOpenThreadToken
75e71014 771d3600 ntdll!ZwOpenProcessToken
75e71018 771d38e0 ntdll!NtQueryInformationToken
75e7101c 771adecf ntdll!RtlLengthSid
75e71020 771adeeb ntdll!RtlCopySid
75e71024 771d3cd0 ntdll!ZwRequestWaitReplyPort
75e71028 771bb080 ntdll!_vsnwprintf
75e7102c 771aca7c ntdll!_strnicmp
75e71030 771b75a8 ntdll!_stricmp
75e71034 771b30f4 ntdll!RtlCreateUnicodeStringFromAsciiz
75e71038 771d59c0 ntdll!strncpy
75e7103c 771d4230 ntdll!ZwUnmapViewOfSection
75e71040 771f3b4b ntdll!RtlMultiByteToUnicodeN
75e71044 771c9339 ntdll!RtlDosPathNameToNtPathName_U
75e71048 771d3490 ntdll!NtMapViewOfSection
75e7104c 771d2f50 ntdll!NtCreateSection
75e71050 771d3880 ntdll!ZwQueryInformationFile
75e71054 771d5580 ntdll!memset
75e71058 771d5240 ntdll!memmove
75e7105c 771f1f7e ntdll!RtlUnicodeToMultiByteN
75e71060 771f221b ntdll!RtlUnicodeToMultiByteSize
75e71064 771b069d ntdll!RtlInitializeCriticalSection
75e71068 771b77b7 ntdll!RtlEncodePointer
75e7106c 771c5093 ntdll!RtlDeleteCriticalSection
75e71070 771d43b0 ntdll!RtlInitUnicodeString
75e71074 771d3570 ntdll!NtOpenKey
75e71078 771d3ab0 ntdll!NtQueryValueKey
75e7107c 771d2d30 ntdll!ZwClose
75e71080 771d3540 ntdll!ZwOpenFile
75e71084 771cf682 ntdll!_wcsnicmp
75e71088 771cc1cd ntdll!RtlNtStatusToDosError
75e7108c 771f2a11 ntdll!RtlFreeAnsiString
75e71090 771c2fe5 ntdll!RtlNtPathNameToDosPathName
75e71094 771a3e05 ntdll!RtlpEnsureBufferSize
75e71098 771b3cf0 ntdll!_wcsicmp
75e7109c 771b13db ntdll!wcschr
75e710a0 771cf0ea ntdll!wcsrchr
75e710a4 771d5e00 ntdll!RtlCompareMemory
75e710a8 771bd9e4 ntdll!RtlDecodePointer
75e710ac 771d4240 ntdll!NtVdmControl
75e710b0 771f0ea0 ntdll!RtlAllocateHeap
75e710b4 771f0fb0 ntdll!RtlFreeHeap
75e710b8 771d4f00 ntdll!memcpy
75e710bc 771f1068 ntdll!RtlLeaveCriticalSection
75e710c0 771f10a6 ntdll!RtlEnterCriticalSection
75e710c4 00000000
75e710c8 75440220 KERNELBASE!IsDBCSLeadByte
75e710cc 7544f8b9 KERNELBASE!IsDBCSLeadByteEx
75e710d0 00000000
75e710d4 75436dec KERNELBASE!GetLastError
75e710d8 7545f842 KERNELBASE!UnhandledExceptionFilter
75e710dc 7544c2b3 KERNELBASE!SetUnhandledExceptionFilter
75e710e0 771f1412 ntdll!RtlSetLastWin32Error
75e710e4 00000000
75e710e8 76f465cc kernel32!GetDriveTypeWStub
75e710ec 76f55685 kernel32!WriteFileStub
75e710f0 76f55169 kernel32!CreateFileWStub
75e710f4 76f466b8 kernel32!GetFullPathNameWStub
75e710f8 76f40808 kernel32!DeleteFileWStub
75e710fc 76f354aa kernel32!SetFilePointerExStub
75e71100 76f4a269 kernel32!SetFilePointerStub
75e71104 76f40c4d kernel32!GetFileSizeExStub
75e71108 76f370ed kernel32!GetTempFileNameWStub
75e7110c 00000000
75e71110 76f55137 kernel32!CloseHandleStub
75e71114 00000000
75e71118 75436d3a KERNELBASE!InterlockedCompareExchange
75e7111c 00000000
75e71120 7543ab61 KERNELBASE!FreeLibrary
75e71124 754436f1 KERNELBASE!SizeofResource
75e71128 754376d8 KERNELBASE!GetModuleHandleA
75e7112c 7543bb5a KERNELBASE!LoadLibraryExW
75e71130 75438116 KERNELBASE!SetHandleCount
75e71134 7544367e KERNELBASE!LoadResource
75e71138 7543cad6 KERNELBASE!DisableThreadLibraryCalls
75e7113c 7543762d KERNELBASE!GetProcAddress
75e71140 00000000
75e71144 7543810b KERNELBASE!GetACP
75e71148 75444dee KERNELBASE!GetLocaleInfoW
75e7114c 7544c484 KERNELBASE!GetOEMCP
75e71150 00000000
75e71154 7543d213 KERNELBASE!RegOpenKeyExA
75e71158 75439771 KERNELBASE!RegCloseKey
75e7115c 7543d379 KERNELBASE!RegQueryValueExA
75e71160 75439549 KERNELBASE!RegOpenKeyExW
75e71164 75449b64 KERNELBASE!RegEnumValueW
75e71168 00000000
75e7116c 754373cc KERNELBASE!UnmapViewOfFile
75e71170 7543fc4c KERNELBASE!CreateFileMappingW
75e71174 7543fbc8 KERNELBASE!MapViewOfFile
75e71178 00000000
75e7117c 75438854 KERNELBASE!GlobalFree
75e71180 75437256 KERNELBASE!lstrlenW
75e71184 7543cec7 KERNELBASE!LocalReAlloc
75e71188 754388d1 KERNELBASE!LocalAlloc
75e7118c 7543d9a9 KERNELBASE!GlobalAlloc
75e71190 75438e61 KERNELBASE!lstrlenA
75e71194 75438854 KERNELBASE!GlobalFree
75e71198 00000000
75e7119c 75449d05 KERNELBASE!SearchPathW
75e711a0 00000000
75e711a4 75436d30 KERNELBASE!GetCurrentThreadId
75e711a8 75436e20 KERNELBASE!GetCurrentProcessId
75e711ac 7543771a KERNELBASE!ProcessIdToSessionId
75e711b0 754370bf KERNELBASE!GetCurrentThread
75e711b4 75459f89 KERNELBASE!TerminateProcess
75e711b8 75436dfb KERNELBASE!GetCurrentProcess
75e711bc 00000000
75e711c0 771f145a ntdll!RtlQueryPerformanceCounter
75e711c4 00000000
75e711c8 7545a887 KERNELBASE!IsWellKnownSid
75e711cc 00000000
75e711d0 75437e76 KERNELBASE!MultiByteToWideChar
75e711d4 7543839a KERNELBASE!WideCharToMultiByte
75e711d8 00000000
75e711dc 771c5093 ntdll!RtlDeleteCriticalSection
75e711e0 771f1068 ntdll!RtlLeaveCriticalSection
75e711e4 771b069d ntdll!RtlInitializeCriticalSection
75e711e8 771f10a6 ntdll!RtlEnterCriticalSection
75e711ec 00000000
75e711f0 75438eb9 KERNELBASE!GetTickCount64+0x4
75e711f4 7543f6ea KERNELBASE!GetWindowsDirectoryW
75e711f8 7543f67b KERNELBASE!GetSystemWindowsDirectoryW
75e711fc 7543aa71 KERNELBASE!GetSystemInfo
75e71200 754387b0 KERNELBASE!GetLocalTime
75e71204 75436cc3 KERNELBASE!GetTickCount+0x4
75e71208 7543712d KERNELBASE!GetSystemTimeAsFileTime
75e7120c 00000000
75e71210 76f351d4 kernel32!CopyFileW
75e71214 76f526c8 kernel32!GlobalLock
75e71218 76f54be0 kernel32!MulDiv
75e7121c 76f4662d kernel32!LoadLibraryW
75e71220 76f3b86c kernel32!GlobalSize
75e71224 76f3a5c0 kernel32!GetTempPathW
75e71228 76f40c2f kernel32!FindResourceW
75e7122c 76f45a27 kernel32!LoadLibraryA
75e71230 76f37015 kernel32!VirtualUnlock
75e71234 76f5018b kernel32!GlobalUnlock
75e71238 00000000
75e7123c 76fd89ed USER32!GetAppCompatFlags2
75e71240 76fd68f6 USER32!InitializeLpkHooks
75e71244 76fda345 USER32!NtUserGetDC
75e71248 76ff21c7 USER32!UserRealizePalette
75e7124c 76fd34f2 USER32!GetAppCompatFlags
75e71250 76fd7c23 USER32!CharUpperBuffA
75e71254 76fe17ff USER32!IsThreadDesktopComposited
75e71258 76fda409 USER32!GetWindowRect
75e7125c 76fe1766 USER32!IntersectRect
75e71260 76fd7ce4 USER32!CharLowerBuffW
75e71264 76fda31a USER32!ReleaseDC
75e71268 00000000
75e7126c 772e1bbf LPK!LpkUseGDIWidthCache
75e71270 772e4e3e LPK!LpkGetCharacterPlacement
75e71274 772e167a LPK!LpkExtTextOut
75e71278 772e1df6 LPK!LpkGetTextExtentExPoint
75e7127c 772e1898 LPK!LpkInitialize
75e71280 00000000
75e71284 00000000
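As an added example (not part of the post or of WinDbg), here is a Python parser for the dds output above: it splits the IAT at the zero entries that terminate each import descriptor and counts how many slots resolve into each module, which makes the KERNELBASE dependency visible at a glance; it also lists slots whose pointer lands inside a function (GetTickCount+0x4). The embedded sample is a constructed excerpt of the GDI32 dump.

```python
"""Group a WinDbg 'dds' dump of a module's Import Address Table by the module
each slot resolves into. Added example for this post (not WinDbg or Microsoft
code); it assumes the 'address value module!symbol[+0xoff]' lines shown above
and the PE rule that each import descriptor's thunk array ends with a zero."""
import re
from collections import Counter

# <iat slot> <pointer value> [module!symbol[+0xoffset]]; the symbol part is
# absent for zero terminators and for pointers WinDbg could not resolve.
DDS_RE = re.compile(
    r"^\s*([0-9a-f]{8})\s+([0-9a-f]{8})(?:\s+([^!\s]+)!([^\s+]+)(?:\+0x([0-9a-f]+))?)?\s*$",
    re.IGNORECASE,
)

def parse_iat(text: str) -> list[list[tuple[str, str, int]]]:
    """Split the dump into per-descriptor groups of (module, symbol, offset);
    a zero pointer closes a descriptor, a non-zero offset means the slot points
    inside a function rather than at its entry (e.g. GetTickCount+0x4)."""
    groups, current = [], []
    for line in text.splitlines():
        m = DDS_RE.match(line)
        if not m:
            continue
        if int(m.group(2), 16) == 0:        # null thunk: end of one descriptor
            if current:
                groups.append(current)
                current = []
            continue
        module = m.group(3) or "<no symbol>"
        current.append((module, m.group(4) or m.group(2), int(m.group(5) or "0", 16)))
    if current:
        groups.append(current)
    return groups

def imports_by_module(groups) -> dict[str, int]:
    """Count IAT slots per resolving module (names upper-cased for grouping)."""
    counts = Counter()
    for group in groups:
        for module, _symbol, _offset in group:
            counts[module.upper()] += 1
    return dict(counts)

def mid_function_slots(groups) -> list[str]:
    """Slots whose pointer does not land on a symbol start."""
    return [f"{m}!{s}+0x{o:x}" for g in groups for m, s, o in g if o]

# Sample input: an excerpt of the GDI32 IAT dump above (constructed subset).
SAMPLE_DDS = """\
75e710bc 771f1068 ntdll!RtlLeaveCriticalSection
75e710c0 771f10a6 ntdll!RtlEnterCriticalSection
75e710c4 00000000
75e710c8 75440220 KERNELBASE!IsDBCSLeadByte
75e710cc 7544f8b9 KERNELBASE!IsDBCSLeadByteEx
75e710d0 00000000
75e710e8 76f465cc kernel32!GetDriveTypeWStub
75e710ec 76f55685 kernel32!WriteFileStub
75e710f0 76f55169 kernel32!CreateFileWStub
75e710fc 00000000
75e711f0 75438eb9 KERNELBASE!GetTickCount64+0x4
75e71204 75436cc3 KERNELBASE!GetTickCount+0x4
75e7120c 00000000
75e7126c 772e1bbf LPK!LpkUseGDIWidthCache
75e71270 772e4e3e LPK!LpkGetCharacterPlacement
"""

if __name__ == "__main__":
    groups = parse_iat(SAMPLE_DDS)
    print(imports_by_module(groups))   # {'NTDLL': 2, 'KERNELBASE': 4, 'KERNEL32': 3, 'LPK': 2}
    print(mid_function_slots(groups))
```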
- Dmitry Vostokov @ DumpAnalysis.org -