Reading Notebook: 01-March-10

Comments in italics are mine and express my own views, thoughts and opinions

Windows Internals by M. Russinovich, D. Solomon and A. Ionescu:

NtCreateProcess (pp. 349 - 351) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateProcess
nt!NtCreateProcess (fffff800`01c51770)
nt!NtCreateProcess+0x64 (fffff800`01c517d4):
call to nt!NtCreateProcessEx (fffff800`01c516e0)

0: kd> uf /c nt!NtCreateProcessEx
nt!NtCreateProcessEx (fffff800`01c516e0)
nt!NtCreateProcessEx+0x7d (fffff800`01c5175d):
call to nt!PspCreateProcess (fffff800`01c51410)

0: kd> uf /c nt!PspCreateProcess
nt!PspCreateProcess (fffff800`01c51410)
nt!PspCreateProcess+0xd0 (fffff800`01c514e0):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateProcess+0xff (fffff800`01c5150f):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x146 (fffff800`01c51556):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!PspCreateProcess+0x1a6 (fffff800`01c515b6):
call to nt!PspAllocateProcess (fffff800`01aac690)
nt!PspCreateProcess+0x202 (fffff800`01c51612):
call to nt!PspInsertProcess (fffff800`01aa6520)
nt!PspCreateProcess+0x21b (fffff800`01c5162b):
call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
nt!PspCreateProcess+0x26f (fffff800`01c5167f):
call to nt!SeDeleteAccessState (fffff800`01b02f8c)
nt!PspCreateProcess+0x27a (fffff800`01c5168a):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x287 (fffff800`01c51697):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x294 (fffff800`01c516a4):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!PspCreateProcess+0x2a7 (fffff800`01c516b7):
call to nt!_security_check_cookie (fffff800`01895e50)

NtCreateUserProcess (pp. 351 - 360) - a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c nt!NtCreateUserProcess
nt!NtCreateUserProcess (fffff800`01ab2238)
nt!NtCreateUserProcess+0x97 (fffff800`01ab22cf):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateUserProcess+0xb4 (fffff800`01ab22ec):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateUserProcess+0x184 (fffff800`01ab23bc):
call to nt!ExRaiseDatatypeMisalignment (fffff800`01bddd20)
nt!NtCreateUserProcess+0x1c2 (fffff800`01ab23fb):
call to nt!memset (fffff800`0187a4d0)
nt!NtCreateUserProcess+0x1dd (fffff800`01ab2416):
call to nt!PspBuildCreateProcessContext (fffff800`01af5204)
nt!NtCreateUserProcess+0x207 (fffff800`01ab2440):
call to nt!PspCaptureCreateInfo (fffff800`01aad390)
nt!NtCreateUserProcess+0x2d1 (fffff800`01ab250a):
call to nt!ZwOpenFile (fffff800`01873480)
nt!NtCreateUserProcess+0x311 (fffff800`01ab254a):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!NtCreateUserProcess+0x378 (fffff800`01ab25b1):
call to nt!ZwCreateSection (fffff800`01873760)
nt!NtCreateUserProcess+0x3af (fffff800`01ab25e8):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt!NtCreateUserProcess+0x412 (fffff800`01ab264b):
call to nt!PspCaptureProcessParameters (fffff800`01aae128)
nt!NtCreateUserProcess+0x483 (fffff800`01ab26bc):
call to nt!PspAllocateProcess (fffff800`01aac690)
nt!NtCreateUserProcess+0x546 (fffff800`01ab277f):
call to nt!ObfReferenceObject (fffff800`01883250)
nt!NtCreateUserProcess+0x630 (fffff800`01ab2869):
call to nt!PspAllocateThread (fffff800`01af6338)
nt!NtCreateUserProcess+0x69f (fffff800`01ab28d8):
call to nt!PspInsertProcess (fffff800`01aa6520)
nt!NtCreateUserProcess+0x70e (fffff800`01ab2947):
call to nt!PspInsertThread (fffff800`01af4c10)
nt!NtCreateUserProcess+0x74f (fffff800`01ab2988):
call to nt!PspCreateObjectHandle (fffff800`01b01e10)
nt!NtCreateUserProcess+0x775 (fffff800`01ab29ae):
call to nt!memmove (fffff800`0186fce0)
nt!NtCreateUserProcess+0x7ca (fffff800`01ab2a03):
call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
nt!NtCreateUserProcess+0x7d9 (fffff800`01ab2a12):
call to nt!SeDeleteAccessState (fffff800`01b02f8c)
nt!NtCreateUserProcess+0x7e9 (fffff800`01ab2a22):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!NtCreateUserProcess+0x7f1 (fffff800`01ab2a2a):
call to nt!ObfDereferenceObject (fffff800`0187cde0)
nt!NtCreateUserProcess+0x7fe (fffff800`01ab2a37):
call to nt!PspDeleteCreateProcessContext (fffff800`01af68f0)
nt!NtCreateUserProcess+0x810 (fffff800`01ab2a49):
call to nt!_security_check_cookie (fffff800`01895e50)
nt!NtCreateUserProcess+0x862 (fffff800`01ab2a9b):
call to nt!ZwOpenFile (fffff800`01873480)
nt!NtCreateUserProcess+0x884 (fffff800`01ab2abd):
call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
nt! ?? ::NNGAKEGL::`string'+0x4f944 (fffff800`01b55164):
call to nt!ObReferenceObjectByHandle (fffff800`01ad8110)
nt! ?? ::NNGAKEGL::`string'+0x4f9a5 (fffff800`01b551c5):
call to nt!PspUpdateCreateInfo (fffff800`01aadc9c)
nt! ?? ::NNGAKEGL::`string'+0x4fa80 (fffff800`01b55298):
call to nt!PspGetContextThreadInternal (fffff800`01b02660)
nt! ?? ::NNGAKEGL::`string'+0x4faf3 (fffff800`01b55303):
call to nt!ExfTryToWakePushLock (fffff800`0186b924)
nt! ?? ::NNGAKEGL::`string'+0x4fb21 (fffff800`01b55325):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x4fb3e (fffff800`01b55342):
call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
nt! ?? ::NNGAKEGL::`string'+0x4fb92 (fffff800`01b55392):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x4fba0 (fffff800`01b553a0):
call to nt!PspDoHandleSweepSingle (fffff800`01b92770)
nt! ?? ::NNGAKEGL::`string'+0x4fbb2 (fffff800`01b553b2):
call to nt!PsTerminateProcess (fffff800`01b94140)

The check for import of disallowed API during post-process initialization (p. 361)

CsrCreateProcess (pp. 361 - 362) - Here’s a condensed view of top level function calls on x64 W2K8:

0: kd> uf /c CsrCreateProcess
CSRSRV!CsrCreateProcess (000007fe`fd8c76c8)
CSRSRV!CsrCreateProcess+0x18 (000007fe`fd8c76e0):
call to CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)

0: kd> uf /c CsrpCreateProcess
CSRSRV!CsrpCreateProcess (000007fe`fd8c7280)
CSRSRV!CsrpCreateProcess+0x2e (000007fe`fd8c72ae):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
CSRSRV!CsrpCreateProcess+0x66 (000007fe`fd8c72e6):
call to CSRSRV!CsrCreateThread (000007fe`fd8c77fc)
CSRSRV!CsrpCreateProcess+0x78 (000007fe`fd8c72f8):
call to ntdll!ZwClose (00000000`77476e00)
CSRSRV!CsrpCreateProcess+0x83 (000007fe`fd8c7303):
call to CSRSRV!CsrAllocateProcess (000007fe`fd8c715c)
CSRSRV!CsrpCreateProcess+0xa4 (000007fe`fd8c7324):
call to CSRSRV!CsrGetProcessLuid (000007fe`fd8c8790)
CSRSRV!CsrpCreateProcess+0x114 (000007fe`fd8c7394):
call to CSRSRV!memcpy (000007fe`fd8cadec)
CSRSRV!CsrpCreateProcess+0x1ab (000007fe`fd8c742b):
call to ntdll!NtSetInformationProcess (00000000`77476ed0)
CSRSRV!CsrpCreateProcess+0x1d2 (000007fe`fd8c7452):
call to ntdll!NtSetInformationProcess (00000000`77476ed0)
CSRSRV!CsrpCreateProcess+0x257 (000007fe`fd8c74d7):
call to ntdll!NtSetInformationProcess (00000000`77476ed0)
CSRSRV!CsrpCreateProcess+0x277 (000007fe`fd8c74f7):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x2d8 (000007fe`fd8c7558):
call to ntdll!NtQueryInformationThread (00000000`77476f60)
CSRSRV!CsrpCreateProcess+0x2f0 (000007fe`fd8c7570):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x2fd (000007fe`fd8c757d):
call to CSRSRV!CsrAllocateThread (000007fe`fd8c7b94)
CSRSRV!CsrpCreateProcess+0x32d (000007fe`fd8c75ad):
call to CSRSRV!CsrInsertThread (000007fe`fd8c7bfc)
CSRSRV!CsrpCreateProcess+0x344 (000007fe`fd8c75c4):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x356 (000007fe`fd8c75d6):
call to ntdll!RtlFreeHeap (00000000`77478c80)
CSRSRV!CsrpCreateProcess+0x365 (000007fe`fd8c75e5):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
CSRSRV!CsrpCreateProcess+0x393 (000007fe`fd8c7613):
call to CSRSRV!CsrSetBackgroundPriority (000007fe`fd8c712c)
CSRSRV!CsrpCreateProcess+0x3b6 (000007fe`fd8c7636):
call to CSRSRV!CsrInsertProcess (000007fe`fd8c71f0)
CSRSRV!CsrpCreateProcess+0x3d8 (000007fe`fd8c7658):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)

No elevation, virtualization and compatibility checks for protected processes (p. 362)

KiThreadStartup (p. 363) - it looks like on x64 W2K8 it is KxStartUserThread that has this high-level call structure:

0: kd> uf /c nt!KxStartUserThread
nt!KxStartUserThread (fffff800`018b56e0)
nt!KiStartUserThread+0x12 (fffff800`018b5756):
unresolvable call: call    qword ptr [rsp+10h]
nt!KiStartUserThread+0x9f (fffff800`018b57e3):
call to nt!KiInitiateUserApc (fffff800`0189d710)
nt!KiStartUserThread+0xbc (fffff800`018b5800):
call to nt!KiRestoreDebugRegisterState (fffff800`01878860)

PspUserThreadStartup (p. 363) - high-level call structure on x64 W2K8

0: kd> uf /c PspUserThreadStartup
nt!PspUserThreadStartup (fffff800`01b01ae4)
nt!PspUserThreadStartup+0xa1 (fffff800`01b01b85):
call to nt!MmGetSessionLocaleId (fffff800`01b028a4)
nt!PspUserThreadStartup+0xdc (fffff800`01b01bc0):
call to nt!DbgkCreateThread (fffff800`01b02cc0)
nt!PspUserThreadStartup+0x100 (fffff800`01b01be4):
call to nt!PfProcessCreateNotification (fffff800`01ab46cc)
nt!PspUserThreadStartup+0x121 (fffff800`01b01c05):
call to nt!PspInitializeThunkContext (fffff800`01b028e4)
nt! ?? ::NNGAKEGL::`string'+0x42263 (fffff800`01b48d5a):
call to nt!ExfAcquirePushLockExclusive (fffff800`0186aa60)
nt! ?? ::NNGAKEGL::`string'+0x4226b (fffff800`01b48d62):
call to nt!ExfReleasePushLockExclusive (fffff800`018c4b98)
nt! ?? ::NNGAKEGL::`string'+0x42283 (fffff800`01b48d7a):
call to nt!KiCheckForKernelApcDelivery (fffff800`0183c754)
nt! ?? ::NNGAKEGL::`string'+0x42299 (fffff800`01b48d90):
call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)
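
The `uf /c` listings in these notes can be turned into per-function callee lists mechanically. The following is an added example, not code from the book or from the original post. It parses two excerpts copied from the listings above and reports direct callees, unresolvable (indirect) calls, and call sites that the debugger labelled with a symbol other than the function being disassembled. The names `parse_uf_calls`, `foreign_sites` and `summary` belong to this example only.

```python
import re
from dataclasses import dataclass, field

# Excerpts copied from the KxStartUserThread and PspUserThreadStartup listings above.
SAMPLE = r"""
0: kd> uf /c nt!KxStartUserThread
nt!KxStartUserThread (fffff800`018b56e0)
nt!KiStartUserThread+0x12 (fffff800`018b5756):
unresolvable call: call    qword ptr [rsp+10h]
nt!KiStartUserThread+0x9f (fffff800`018b57e3):
call to nt!KiInitiateUserApc (fffff800`0189d710)
nt!KiStartUserThread+0xbc (fffff800`018b5800):
call to nt!KiRestoreDebugRegisterState (fffff800`01878860)

0: kd> uf /c PspUserThreadStartup
nt!PspUserThreadStartup (fffff800`01b01ae4)
nt!PspUserThreadStartup+0xa1 (fffff800`01b01b85):
call to nt!MmGetSessionLocaleId (fffff800`01b028a4)
nt! ?? ::NNGAKEGL::`string'+0x42299 (fffff800`01b48d90):
call to nt!PspTerminateThreadByPointer (fffff800`01ad30dc)
"""

HEADER = re.compile(r"^(\S+!\S+) \(([0-9a-f`]+)\)$")            # function being disassembled
SITE = re.compile(r"^(.+)\+0x([0-9a-f]+) \(([0-9a-f`]+)\):$")   # label+offset of a call site
CALL = re.compile(r"^call to (\S+) \(([0-9a-f`]+)\)$")          # resolved direct call
INDIRECT = re.compile(r"^unresolvable call: call\s+(.+)$")      # call through register/memory

@dataclass
class CallSite:
    label: str      # symbol the debugger printed for the call site
    offset: int
    address: int
    target: str     # callee symbol, or the operand text for an indirect call
    indirect: bool

@dataclass
class Function:
    name: str
    address: int
    sites: list = field(default_factory=list)

def addr(text):
    """Convert a WinDbg 64-bit address such as fffff800`018b56e0 to an int."""
    return int(text.replace("`", ""), 16)

def parse_uf_calls(text):
    """Parse `uf /c` output into Function objects; prompts and diagnostics are skipped."""
    functions, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CALL.match(line):
            kind = (m.group(1), False)
        elif m := INDIRECT.match(line):
            kind = (m.group(1).strip(), True)
        else:
            kind = None
        if kind:
            if current is not None and pending is not None:
                current.sites.append(CallSite(*pending, *kind))
            pending = None
        elif m := SITE.match(line):
            pending = (m.group(1), int(m.group(2), 16), addr(m.group(3)))
        elif m := HEADER.match(line):
            current = Function(m.group(1), addr(m.group(2)))
            functions.append(current)
            pending = None
    return functions

def foreign_sites(func):
    """Call sites whose label is a different symbol than the function header."""
    return [s for s in func.sites if s.label != func.name]

def summary(func):
    return {
        "direct": [s.target for s in func.sites if not s.indirect],
        "indirect": [s.target for s in func.sites if s.indirect],
        "foreign_labels": sorted({s.label for s in foreign_sites(func)}),
    }

if __name__ == "__main__":
    for f in parse_uf_calls(SAMPLE):
        print(f.name, hex(f.address), summary(f))
```

For the KxStartUserThread excerpt every call site comes back as foreign, labelled nt!KiStartUserThread, which is the naming mismatch noted above.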

System-wide cookie in SharedUserData for pointer encoding/decoding API (p. 363)

LdrInitializeThunk (p. 364) - high-level call structure on x64 W2K8

0: kd> uf /c LdrInitializeThunk
ntdll!LdrInitializeThunk (00000000`774568d0)
ntdll!LdrInitializeThunk+0x9 (00000000`774568d9):
call to ntdll!LdrpInitialize (00000000`77456990)
ntdll!LdrInitializeThunk+0x13 (00000000`774568e3):
call to ntdll!ZwContinue (00000000`77477140)
ntdll!LdrInitializeThunk+0x1a (00000000`774568ea):
call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
ntdll!RtlAllocateActivationContextStack+0x29 (00000000`7745692d):
call to ntdll!RtlAllocateHeap (00000000`774789b0)

0: kd> uf /c LdrpInitialize
Matched: 00000000`774567f0 ntdll!LdrpInitialize = <no type information>
Matched: 00000000`77456990 ntdll!LdrpInitialize = <no type information>
Ambiguous symbol error at 'LdrpInitialize'

0: kd> uf /c 00000000`77456990
Flow analysis was incomplete, some code may be missing
ntdll!LdrpInitialize (00000000`77456990)
ntdll!LdrpInitialize+0xaa (00000000`7745689a):
call to ntdll!LdrpInitializeThread (00000000`77470770)
ntdll!LdrpInitialize+0xaf (00000000`7745689f):
call to ntdll!ZwTestAlert (00000000`77478490)
ntdll! ?? ::FNODOBFM::`string'+0x20948 (00000000`7746bb8b):
call to ntdll!RtlInitializeSRWLock (00000000`774687f0)
ntdll! ?? ::FNODOBFM::`string'+0x20954 (00000000`7746bb97):
call to ntdll!LdrpInitializeProcess (00000000`7746ca20)
ntdll! ?? ::FNODOBFM::`string'+0x20b40 (00000000`7746d540):
call to ntdll!InitSecurityCookie (00000000`7746d560)
ntdll! ?? ::FNODOBFM::`string'+0x20ae4 (00000000`7746e52f):
call to ntdll!NtDelayExecution (00000000`77477050)

0: kd> uf /c ntdll!LdrpInitializeThread
ntdll!LdrpInitializeThread (00000000`77470770)
ntdll!LdrShutdownThread+0x139 (00000000`77437544):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrpInitializeThread+0x16d (00000000`774376f8):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrShutdownThread+0x124 (00000000`77448199):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrShutdownThread+0x149 (00000000`774481b5):
unresolvable call: call    rsi
ntdll!LdrShutdownThread+0x151 (00000000`774481bd):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll!LdrShutdownThread+0x68 (00000000`77448238):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll!LdrShutdownThread+0x1cd (00000000`774483cf):
call to ntdll!LdrpFreeTls (00000000`774482f0)
ntdll!LdrShutdownThread+0x1e1 (00000000`774483e3):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll!LdrShutdownThread+0x1e6 (00000000`774483e8):
call to ntdll!LdrpCleanupThreadTlsData (00000000`77448490)
ntdll!LdrShutdownThread+0x213 (00000000`77448415):
call to ntdll!RtlFreeHeap (00000000`77478c80)
ntdll!LdrShutdownThread+0x246 (00000000`77448448):
call to ntdll!RtlFreeActivationContextStack (00000000`774480a0)
ntdll!LdrpInitializeThread+0x264 (00000000`774706bf):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll!LdrpInitializeThread+0x43 (00000000`774707b3):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
ntdll!LdrpInitializeThread+0x5f (00000000`774707cf):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll!LdrpInitializeThread+0x65 (00000000`774707d5):
call to ntdll!LdrpAllocateTls (00000000`774569d0)
ntdll!LdrpInitializeThread+0x13e (00000000`774708ae):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrpInitializeThread+0x161 (00000000`774708d5):
unresolvable call: call    rsi
ntdll!LdrpInitializeThread+0x17c (00000000`774708e1):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll!LdrpInitializeThread+0x1a9 (00000000`7749017c):
call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
ntdll!LdrpInitializeThread+0x1b5 (00000000`77490188):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll!LdrpInitializeThread+0x1d0 (00000000`774901a3):
call to ntdll!NtDelayExecution (00000000`77477050)
ntdll!LdrpInitializeThread+0x1dc (00000000`774901af):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll!LdrpInitializeThread+0x233 (00000000`7749020a):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrpInitializeThread+0x245 (00000000`7749021c):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrpInitializeThread+0x250 (00000000`77490227):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll!LdrShutdownThread+0x1ab (00000000`7749027e):
call to ntdll!RtlActivateActivationContextUnsafeFast (00000000`77478bf0)
ntdll!LdrShutdownThread+0x1bd (00000000`77490290):
call to ntdll!LdrpCallTlsInitializers (00000000`77437630)
ntdll!LdrShutdownThread+0x1c8 (00000000`7749029b):
call to ntdll!RtlDeactivateActivationContextUnsafeFast (00000000`77478b00)
ntdll! ?? ::FNODOBFM::`string'+0x15c61 (00000000`774bd160):
call to ntdll!NtDelayExecution (00000000`77477050)
ntdll! ?? ::FNODOBFM::`string'+0x15c6e (00000000`774bd16d):
call to ntdll!RtlRaiseStatus (00000000`774e8fa0)
ntdll! ?? ::FNODOBFM::`string'+0x15cb0 (00000000`774bd1a6):
call to ntdll!RtlEnterCriticalSection (00000000`77478920)
ntdll! ?? ::FNODOBFM::`string'+0x15cbc (00000000`774bd1b2):
call to ntdll!RtlLeaveCriticalSection (00000000`77478960)
ntdll! ?? ::FNODOBFM::`string'+0x15cd7 (00000000`774bd1cd):
call to ntdll!RtlFreeHeap (00000000`77478c80)
ntdll! ?? ::FNODOBFM::`string'+0x15cfd (00000000`774bd1f3):
call to ntdll!RtlFreeHeap (00000000`77478c80)

0: kd> uf /c ntdll!LdrpInitializeProcess
Flow analysis was incomplete, some code may be missing
ntdll!LdrpInitializeProcess (00000000`7746ca20)
ntdll!LdrpInitializeProcess+0xf88 (00000000`7746bc0d):
call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0)
ntdll!LdrpInitializeProcess+0xf9c (00000000`7746bc21):
call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50)
ntdll!LdrpInitializeProcess+0xfa4 (00000000`7746bc29):
call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380)
ntdll!LdrpInitializeProcess+0x1098 (00000000`7746bc76):
call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00)
ntdll!LdrpInitializeProcess+0x10f1 (00000000`7746bccd):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0x110f (00000000`7746bceb):
call to ntdll!LdrpUpdateOrderLinks (00000000`774644c0)
ntdll!LdrpInitializeProcess+0x1123 (00000000`7746bcff):
call to ntdll!RtlInsertInvertedFunctionTable (00000000`77464e50)
ntdll!LdrpInitializeProcess+0x1128 (00000000`7746bd04):
call to ntdll!RtlInitializeHistoryTable (00000000`7746da90)
ntdll!LdrpInitializeProcess+0x11c9 (00000000`7746bd4f):
call to ntdll!RtlpInitCurrentDir (00000000`7746db70)
ntdll!LdrpInitializeProcess+0x1648 (00000000`7746bdca):
call to ntdll!LdrLoadDll (00000000`77463e30)
ntdll!LdrpInitializeProcess+0x16ba (00000000`7746bdf9):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x171f (00000000`7746be16):
call to ntdll!LdrpWalkImportDescriptor (00000000`77466390)
ntdll!LdrpInitializeProcess+0x18cd (00000000`7746be5b):
call to ntdll!LdrpInitializeTls (00000000`7746e380)
ntdll!LdrpInitializeProcess+0x1940 (00000000`7746be88):
call to ntdll!LdrpRunInitializeRoutines (00000000`77464650)
ntdll!LdrpInitializeProcess+0x138e (00000000`7746bedf):
call to ntdll!LdrLoadDll (00000000`77463e30)
ntdll!LdrpInitializeProcess+0x13ff (00000000`7746bf0d):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x1475 (00000000`7746bf3b):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x14eb (00000000`7746bf69):
call to ntdll!LdrGetProcedureAddressEx (00000000`7747dd10)
ntdll!LdrpInitializeProcess+0x19f5 (00000000`7746bfc5):
call to ntdll!_security_check_cookie (00000000`7747acb0)
ntdll!LdrpInitializeProcess+0x32 (00000000`7746ca52):
call to ntdll!RtlSetUnhandledExceptionFilter (00000000`7746c2d0)
ntdll!LdrpInitializeProcess+0xe9 (00000000`7746ca9a):
call to ntdll!RtlInitNlsTables (00000000`7746c920)
ntdll!LdrpInitializeProcess+0xf6 (00000000`7746caa7):
call to ntdll!RtlResetRtlTranslations (00000000`7746c410)
ntdll!LdrpInitializeProcess+0xfe (00000000`7746caaf):
call to ntdll!RtlpInitSRWLock (00000000`7746c530)
ntdll!LdrpInitializeProcess+0x103 (00000000`7746cab4):
call to ntdll!RtlpInitConditionVariable (00000000`7746c550)
ntdll!LdrpInitializeProcess+0x213 (00000000`7746cb7d):
call to ntdll!RtlImageNtHeader (00000000`774567b0)
ntdll!LdrpInitializeProcess+0x273 (00000000`7746cbd7):
call to ntdll!LdrpInitializeExecutionOptions (00000000`7746c6b0)
ntdll!LdrpInitializeProcess+0x353 (00000000`7746cc2f):
call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940)
ntdll!LdrpInitializeProcess+0x3cd (00000000`7746cc95):
call to ntdll!RtlNormalizeProcessParams (00000000`7746c2f0)
ntdll!LdrpInitializeProcess+0x423 (00000000`7746cce3):
call to ntdll!RtlImageDirectoryEntryToData (00000000`7746a940)
ntdll!LdrpInitializeProcess+0x448 (00000000`7746cd02):
call to ntdll!memset (00000000`77478830)
ntdll!LdrpInitializeProcess+0x58c (00000000`7746cd53):
call to ntdll!RtlpInitDeferredCriticalSection (00000000`7746c640)
ntdll!LdrpInitializeProcess+0x7d5 (00000000`7746ceb5):
call to ntdll!RtlInitializeCriticalSection (00000000`77455d20)
ntdll!LdrpInitializeProcess+0x7fb (00000000`7746cedb):
call to ntdll!RtlInitializeHeapManager (00000000`7746c7a0)
ntdll!LdrpInitializeProcess+0x84b (00000000`7746cf2a):
call to ntdll!RtlCreateHeap (00000000`77466ed0)
ntdll!LdrpInitializeProcess+0x8e2 (00000000`7746cf51):
call to ntdll!RtlAllocateActivationContextStack (00000000`77456900)
ntdll!LdrpInitializeProcess+0x8f6 (00000000`7746cf65):
call to ntdll!EtwpInitializeDll (00000000`7746c250)
ntdll!LdrpInitializeProcess+0x916 (00000000`7746cf85):
call to ntdll!RtlCreateTagHeap (00000000`7746d320)
ntdll!LdrpInitializeProcess+0x942 (00000000`7746cfb1):
call to ntdll!RtlCreateTagHeap (00000000`7746d320)
ntdll!LdrpInitializeProcess+0x962 (00000000`7746cfd1):
call to ntdll!RtlpInitEnvironmentBlock (00000000`7746d380)
ntdll!LdrpInitializeProcess+0x96f (00000000`7746cfde):
call to ntdll!RtlpInitParameterBlock (00000000`7746d7f0)
ntdll!LdrpInitializeProcess+0xa5e (00000000`7746d068):
call to ntdll!RtlInitUnicodeString (00000000`7747ad10)
ntdll!LdrpInitializeProcess+0xa73 (00000000`7746d07d):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0xa87 (00000000`7746d091):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0xaf0 (00000000`7746d0fe):
call to ntdll!ZwOpenDirectoryObject (00000000`77477290)
ntdll!LdrpInitializeProcess+0xc2a (00000000`7746d171):
call to ntdll!ZwOpenSymbolicLinkObject (00000000`77477cb0)
ntdll!LdrpInitializeProcess+0xc6b (00000000`7746d1b2):
call to ntdll!ZwQuerySymbolicLinkObject (00000000`77477f60)
ntdll!LdrpInitializeProcess+0xc7a (00000000`7746d1c1):
call to ntdll!ZwClose (00000000`77476e00)
ntdll!LdrpInitializeProcess+0xe50 (00000000`7746d24d):
call to ntdll!LdrpAllocateDataTableEntry (00000000`77464380)
ntdll!LdrpInitializeProcess+0xee4 (00000000`7746d289):
call to ntdll!RtlImageNtHeaderEx (00000000`7747dc00)
ntdll!LdrpInitializeProcess+0x30d (00000000`77473eb0):
call to ntdll!NtQueryInformationProcess (00000000`77476ea0)
ntdll!LdrpInitializeProcess+0x635 (00000000`77473ef0):
call to ntdll!RtlSetBits (00000000`77466c00)
ntdll!LdrpInitializeProcess+0x873 (00000000`77473f19):
call to ntdll!RtlCreateHeap (00000000`77466ed0)
ntdll!LdrpInitializeProcess+0xbb8 (00000000`774744f9):
call to ntdll!ZwOpenDirectoryObject (00000000`77477290)
ntdll!LdrpInitializeProcess+0xe10 (00000000`77474554):
call to ntdll!RtlAppendUnicodeStringToString (00000000`774574b0)
ntdll!LdrpInitializeProcess+0x77 (00000000`77490a96):
call to ntdll!NtQueryVirtualMemory (00000000`77476f40)
ntdll!LdrpInitializeProcess+0xb3 (00000000`77490ad2):
call to ntdll!NtQueryVirtualMemory (00000000`77476f40)
ntdll!LdrpInitializeProcess+0x2d2 (00000000`77490b92):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0x2db (00000000`77490b9d):
call to ntdll!DbgBreakPoint (00000000`77476060)
ntdll!LdrpInitializeProcess+0x720 (00000000`77490d34):
call to ntdll!LdrQueryImageFileExecutionOptions (00000000`77473260)
ntdll!LdrpInitializeProcess+0x790 (00000000`77490da4):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0x79a (00000000`77490dae):
call to ntdll!DbgBreakPoint (00000000`77476060)
ntdll!LdrpInitializeProcess+0x7c6 (00000000`77490dda):
call to ntdll!RtlControlStackTraceDataBase (00000000`774e3cd0)
ntdll!LdrpInitializeProcess+0x8ac (00000000`77490e27):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0x8bf (00000000`77490e3a):
call to ntdll!DbgBreakPoint (00000000`77476060)
ntdll!LdrpInitializeProcess+0x9ff (00000000`77490e8c):
call to ntdll!RtlQueryImageFileKeyOption (00000000`77473320)
ntdll!LdrpInitializeProcess+0xb0f (00000000`77490ee2):
call to ntdll!RtlInitUnicodeString (00000000`7747ad10)
ntdll!LdrpInitializeProcess+0xcea (00000000`77490f57):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0xd01 (00000000`77490f6e):
call to ntdll!LdrpInitializationFailure (00000000`774ed120)
ntdll!LdrpInitializeProcess+0xd3f (00000000`77490f82):
call to ntdll!RtlAllocateHeap (00000000`774789b0)
ntdll!LdrpInitializeProcess+0xd7d (00000000`77490fc0):
call to ntdll!LdrpLogDbgPrint (00000000`774ec5a0)
ntdll!LdrpInitializeProcess+0xd90 (00000000`77490fd3):
call to ntdll!DbgBreakPoint (00000000`77476060)

Private vs. shared assemblies (p. 365)
