
Description of the win98/INT 2E services (VMM/NTKERN.VxD)

Z0mbie
2000


Translated from Russian for MATRiX #2 E-Zine

Preface

Let's consider any Win32 program. It calls kernel API functions, and most of them pass control into ring 0. Under Win9x, VMM/VWIN32.VxD provides special kernel services, which are called in the following way:

       [email protected]:
  015F:BFF712B9  push    ecx
                 push    eax
                 push    002A0010    ; <-- <service-number>
                 call    [email protected]
                 ret
       [email protected]:
  015F:BFF713D4  mov     eax, [esp+4]
                 pop     dword ptr [esp]
                 call    far cs:[BFFC9734]
                 ...
  015F:BFF79734  dd      000003C8h   ; offset
                 dw      003Bh       ; selector
                 ...
  003B:03C8      int     30h
                 ...

where <service-number> is the number of the service, for example 0x002A0010 for INT 21, 0x002A0029 for INT 31, etc.

It should be said that these VWIN32 services are NOT VxDCall services: even though 002A means VWIN32, here 0010 means INT 21, not VWIN32_ResetWin32Event. The full list of VWIN32 services (numbers and names) may be found in Matt Pietrek's book.

But let's continue. Under WinNT/2000, ring-0 subroutines are called via INT 2E.

And, as it turned out, in Win98's VMM there is a cool VxD called NTKERN.VXD, which provides some of NT's INT 2E services. Moreover, INT 2E is used while Win98 is loading; at that time functions such as ntoskrnl!NtPowerInformation are called.

Here is a description of how an INT 2E service call may be performed:

        way 1                              way 2

        mov     eax, service-number        push    param3
        lea     edx, stk                   push    param2
        int     2Eh                        push    param1
        ...                                mov     edx, esp
stk:    dd      param1                     mov     eax, service-number
        dd      param2                     int     2Eh
        dd      param3                     add     esp, 4*n
        ...                                ...

As you can see, when calling INT 2E, EAX contains the service number and EDX contains a pointer to the stack frame, i.e. a block of DWORD parameters located on the stack or anywhere else. Before calling the corresponding function, the INT 2E handler simply copies some data from *EDX to the current stack.

A list of all the service numbers follows this text.

IMPORTANT: most of these numbers and/or function parameters are NOT the same as in WinNT/2000.

Here is a description of the most interesting INT 2E functions.

Entering RING-0 -- PsCreateSystemThread

This function creates a thread right in ring 0. You can exit from such a thread via RET, after which it is automatically killed by means of PsTerminateSystemThread.

COMMENT: The only trouble is that sometimes this code triggers a BUG, and I dunno how to fix it. The error is the following: we're entering ring 0, but the page at our ring-0 EIP is absent in the current context.

                        ...
                        mov     eax, i2E_PsCreateSystemThread
                        lea     edx, stk
                        int     2Eh

__cycle:                cmp     r0_finished, 1
                        jne     __cycle
                        ...

stk:                    dd      offset thread_handle ; 0 or *thread_handle
                        dd      0               ; 0 or 0x1F03FF = ALL_ACCESS
                        dd      0               ; 0
                        dd      0               ; 0
                        dd      0               ; 0
                        dd      offset ring0    ; thread EIP, near proc
                        dd      12345678h       ; thread-parameter

; input: [ESP+4]=EDI=thread_parameter

ring0:                  int 3
                        mov     r0_finished, 1

                        nop                     ; harmful action ;-)

                        ret

Entering RING-0 -- PoCallDriver

Complete bullshit: no drivers are used here at all. This great function will simply pass control to our ring-0 code. The only trouble is that the function requires lots of fucking parameters...

Here is a stack frame:

stk                     dd      offset x1
                        dd      offset x2
x1                      db      8 dup (0)
                        dd      offset x3
x2                      db      60h dup (0)
                        dd      offset x4+24h
x4                      db      18h dup (0)
x3                      db      38h dup (0)
                        dd      ring_0

And here is an optimized ring-0-entering subroutine.

                        lea     esi, r0proc
                        call    callring0
                        ...
r0proc:                 int 3
                        ret

; subroutine: callring0
; input:      ESI=offset ring_0, proc NEAR

callring0:              pusha
                        call    @@X
                        pusha
                        call    dword ptr [ecx]
                        popa
                        ret     8
@@X:                    sub     esp, 14h
                        xor     eax, eax
                        push    eax
                        lea     edx, [esp+24h]
                        push    edx
                        sub     esp, 54h
                        lea     edx, [esp+38h]
                        push    edx
                        push    edx
                        push    esi
                        mov     edx, esp
                        push    edx
                        push    edx
                        mov     edx, esp
                        mov     al, i2E_PoCallDriver
                        int     2Eh
                        add     esp, 88h
                        popa
                        ret

Memory-access related functions

All these functions mean that you pass some parameters into INT 2E, and the memory operations are performed in ring 0. In this way you can, for example, modify the kernel or patch AV VxDs even without entering ring 0.

RtlCopyMemory, RtlMoveMemory

The difference between these two functions is the following: RtlCopyMemory simply copies memory using the 'movs' instruction, whereas RtlMoveMemory first compares esi and edi, and only then copies the buffer byte by byte, either from start to end or from end to start, depending on esi/edi. In this way RtlMoveMemory correctly copies overlapping ranges [esi...esi+ecx] and [edi...edi+ecx].

                        mov     eax, i2E_RtlCopyMemory  ; or RtlMoveMemory
                        lea     edx, stk
                        int     2Eh
                        ...
stk:                    dd      0BFF7xxxxh      ; edi (destination)
                        dd      offset vir_code ; esi (source)
                        dd      vir_size        ; ecx (length in bytes)

READ_REGISTER_BUFFER_UCHAR/ULONG/USHORT

Action: REP MOVSB, REP MOVSD and REP MOVSW.

                        push    ecx
                        push    edi
                        push    esi
                        mov     edx, esp
                        mov     eax, i2E_READ_REGISTER_BUFFER_ULONG
                        int     2Eh
                        add     esp, 3*4

WRITE_REGISTER_BUFFER_UCHAR/ULONG/USHORT

Action: REP MOVSB, REP MOVSD and REP MOVSW, but with source and destination swapped.

                        push    ecx
                        push    esi
                        push    edi
                        mov     edx, esp
                        mov     eax, i2E_WRITE_REGISTER_BUFFER_ULONG
                        int     2Eh
                        add     esp, 3*4

READ_REGISTER_UCHAR/ULONG/USHORT

Action: MOV AL,[ESI], MOV EAX,[ESI] and MOV AX,[ESI]

Return values: EAX.

                        push    esi
                        mov     edx, esp
                        mov     eax, i2E_READ_REGISTER_UCHAR
                        int     2Eh
                        add     esp, 1*4

WRITE_REGISTER_UCHAR/ULONG/USHORT

Action: MOV [EDI],AL, MOV [EDI],EAX and MOV [EDI],AX

                        push    eax
                        push    edi
                        mov     edx, esp
                        mov     eax, i2E_WRITE_REGISTER_UCHAR
                        int     2Eh
                        add     esp, 2*4

io-port access related functions

READ_PORT_BUFFER_UCHAR/ULONG/USHORT

Action: REP INSB, REP INSD and REP INSW

                        push    ecx
                        push    edi
                        push    edx
                        mov     edx, esp
                        mov     eax, i2E_READ_PORT_BUFFER_ULONG
                        int     2Eh
                        add     esp, 3*4

WRITE_PORT_BUFFER_UCHAR/ULONG/USHORT

Action: REP OUTSB, REP OUTSD and REP OUTSW

                        push    ecx
                        push    esi
                        push    edx
                        mov     edx, esp
                        mov     eax, i2E_WRITE_PORT_BUFFER_ULONG
                        int     2Eh
                        add     esp, 3*4

READ_PORT_UCHAR/ULONG/USHORT

Action: IN AL,DX, IN EAX,DX and IN AX,DX

                        push    edx
                        mov     edx, esp
                        mov     eax, i2E_READ_PORT_ULONG
                        int     2Eh
                        add     esp, 1*4

WRITE_PORT_UCHAR/ULONG/USHORT

Action: OUT DX,AL, OUT DX,EAX and OUT DX,AX

                        push    eax
                        push    edx
                        mov     edx, esp
                        mov     eax, i2E_WRITE_PORT_UCHAR
                        int     2Eh
                        add     esp, 2*4

Process/thread-related functions

IoGetCurrentProcess, PsGetCurrentProcess

Both names map to the same handler.

Action: return current process handle in EAX.

                        mov     eax, i2E_IoGetCurrentProcess
                        int     2Eh

GetCurrentProcess' handler performs the following:

                        call    ntoskrnl!KeGetCurrentThread
                        mov     eax, [eax+4]
                        ret

KeGetCurrentThread, PsGetCurrentThread

The same handler again.

Action: return current thread handle in EAX.

                        mov     eax, i2E_KeGetCurrentThread
                        int     2Eh

Other functions

KeQuerySystemTime

                        push    offset systime
                        mov     edx, esp
                        mov     eax, i2E_KeQuerySystemTime
                        int     2Eh
                        add     esp, 4
                        ...
systime                 dq      ?

Comments

There are also file-I/O INT 2E functions, such as IoCreateFile, NtCreateFile, ZwCreateFile, ZwReadFile, ZwWriteFile, DeviceIoControlFile, etc. But the parameters of these functions are mostly different from those on WinNT.

There are registry-related functions, such as RtlDeleteRegistryValue, RtlQueryRegistryValues, RtlWriteRegistryValue, IoOpenDeviceInterfaceRegistryKey, IoOpenDeviceRegistryKey, and maybe also ZwCreateKey, ZwDeleteKey, ZwEnumerateKey, ZwEnumerateValueKey, ZwOpenKey, etc. All of these functions point to normal code and, I hope, may be used.

Most of the functions which have no parameters (a '-' in the <number-of-parameters> field) are INTERNAL, i.e. their parameters are passed not on the stack but in registers, and you cannot call them because the INT 2E handler modifies the registers on the way in. Most of these functions are written in lowercase and/or begin with the '_' character, such as memmove, memset, qsort, rand, sprintf, _except_handler2, _global_unwind2, etc.
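As an added example (not from the original article), here is a Python decoder for NTOSKRNL.INC entries in the format that follows: it resolves an observed INT 2E call (EAX, EDX and the caller's memory) to its service name, copies exactly the stk-size bytes the handler would copy from *EDX, checks the table's stk-size = 4 * #params invariant, and flags the ring-0 entry and ring-0 memory-access services described above as the ones worth watching. The INC excerpt, the trace, the flat memory model and all addresses are constructed for illustration.

```python
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed excerpt of the NTOSKRNL.INC table, in its exact line format.
INC_EXCERPT = """\
; ---------- service name -------------         --index--   stk-size  #params
;                                                              (hex)  (dec)
i2E_DbgBreakPoint                       equ     00000001h     ;  -     -
i2E_IoGetCurrentProcess                 equ     0000003Ah     ;  -     -
i2E_KeQuerySystemTime                   equ     0000005Dh     ;  4     1
i2E_PoCallDriver                        equ     0000008Ah     ;  8     2
i2E_PsCreateSystemThread                equ     00000091h     ; 1C     7
i2E_RtlCopyMemory                       equ     0000010Ah     ; 0C     3
i2E_RtlMoveMemory                       equ     000000A7h     ; 0C     3
i2E_WRITE_REGISTER_ULONG                equ     000000BEh     ;  8     2
"""

# One table entry: name, hex index with trailing 'h', then "; stk-size #params" ('-' = none).
ENTRY_RE = re.compile(
    r"^i2E_(?P<name>\w+)\s+equ\s+(?P<index>[0-9A-Fa-f]{1,8})h\s*;"
    r"\s*(?P<stk>[0-9A-Fa-f]+|-)\s+(?P<nparams>\d+|-)\s*$"
)

@dataclass(frozen=True)
class Service:
    name: str
    index: int
    stack_bytes: Optional[int]   # None for '-' entries: nothing is copied from *EDX
    nparams: Optional[int]

def parse_inc(text: str) -> Dict[int, Service]:
    """Parse NTOSKRNL.INC-style lines into an index -> Service map, rejecting
    any entry whose stk-size and #params columns disagree (stk-size == 4 * #params)."""
    services: Dict[int, Service] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue                          # header and comment lines carry no entry
        stk = None if m["stk"] == "-" else int(m["stk"], 16)
        n = None if m["nparams"] == "-" else int(m["nparams"])
        if (stk is None) != (n is None) or (stk is not None and stk != 4 * n):
            raise ValueError(f"inconsistent stk-size/#params: {line!r}")
        idx = int(m["index"], 16)
        services[idx] = Service(m["name"], idx, stk, n)
    return services

class FlatMemory:
    """Tiny flat byte range standing in for the caller's address space (constructed)."""
    def __init__(self, base: int, data: bytes):
        self.base, self.data = base, bytes(data)

    def read(self, addr: int, size: int) -> bytes:
        off = addr - self.base
        if off < 0 or off + size > len(self.data):
            raise ValueError(f"parameter block {addr:#010x}+{size} is not mapped")
        return self.data[off:off + size]

# Services the article describes as entering ring 0 or touching memory from ring 0.
RING0_EXEC = {"PsCreateSystemThread", "PoCallDriver"}
RING0_MEMCOPY = {"RtlCopyMemory", "RtlMoveMemory"}

def classify(svc: Service) -> str:
    if svc.name in RING0_EXEC:
        return "ring0-code-execution"
    if svc.name in RING0_MEMCOPY or "_REGISTER_" in svc.name:
        return "ring0-memory-access"
    if "_PORT_" in svc.name:
        return "io-port-access"
    if svc.stack_bytes is None:
        return "no-stack-params"
    return "other"

@dataclass
class DecodedCall:
    service: Service
    params: Tuple[int, ...]
    category: str
    notes: Dict[str, int]

def decode_call(services: Dict[int, Service], eax: int, edx: int,
                mem: FlatMemory) -> Optional[DecodedCall]:
    """Decode one INT 2E invocation as the handler sees it: EAX selects the service,
    and stk-size bytes at *EDX are the little-endian DWORD parameters."""
    svc = services.get(eax)
    if svc is None:
        return None                           # unknown index: not in the table
    params: Tuple[int, ...] = ()
    if svc.stack_bytes:
        params = struct.unpack(f"<{svc.nparams}I", mem.read(edx, svc.stack_bytes))
    notes: Dict[str, int] = {}
    if svc.name in RING0_MEMCOPY and len(params) == 3:       # frame: edi, esi, ecx
        notes = {"edi_dst": params[0], "esi_src": params[1], "ecx_len": params[2]}
    elif svc.name == "PsCreateSystemThread" and len(params) == 7:  # 6th dword = thread EIP
        notes = {"thread_eip": params[5], "thread_param": params[6]}
    return DecodedCall(svc, params, classify(svc), notes)

def demo_trace():
    """Decode a constructed trace of three INT 2E invocations whose parameter
    blocks live in a fake 40-byte area at 0x00401000 (all values constructed)."""
    services = parse_inc(INC_EXCERPT)
    block = struct.pack("<3I", 0xBFF71234, 0x00402000, 0x100)            # RtlCopyMemory
    block += struct.pack("<7I", 0, 0, 0, 0, 0, 0x00401200, 0x12345678)  # PsCreateSystemThread
    mem = FlatMemory(0x00401000, block)
    trace = [(0x10A, 0x00401000), (0x91, 0x0040100C), (0x3A, 0)]        # (EAX, EDX) pairs
    return [decode_call(services, eax, edx, mem) for eax, edx in trace]

if __name__ == "__main__":
    for call in demo_trace():
        print(f"{call.service.name:24s} {call.category:22s} {call.notes}")
```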

---[begin NTOSKRNL.INC]------------------------------------------------------
;                      INT 2E services (VMM/NTKERN.VxD)
;                      ================================
;
;                              (x) 2000 Z0MBiE
;                           http://z0mbie.cjb.net
;
;  1. calling INT 2E service from PE file:
;
;                mov     eax, <index>
;                lea     edx, stack_frame
;                int     2Eh
;                ...
;stack_frame:    dd      param1          ; size = <stk-size>
;                dd      param2          ; # of params = <stk-size> / 4
;                ...
;
;  2. service list:

; ---------- service name -------------         --index--   stk-size  #params
;                                                              (hex)  (dec)
i2E_DbgBreakPoint                       equ     00000001h     ;  -     -
i2E_DbgPrint                            equ     00000139h     ;  -     -
i2E_ExAcquireFastMutexUnsafe            equ     00000110h     ;  4     1
i2E_ExAcquireResourceExclusiveLite      equ     00000002h     ;  8     2
i2E_ExAcquireResourceSharedLite         equ     00000003h     ;  8     2
i2E_ExAllocateFromPagedLookasideList    equ     00000004h     ;  4     1
i2E_ExAllocatePool                      equ     00000005h     ;  8     2
i2E_ExAllocatePoolWithQuota             equ     00000006h     ;  8     2
i2E_ExAllocatePoolWithQuotaTag          equ     00000007h     ; 0C     3
i2E_ExAllocatePoolWithTag               equ     00000008h     ; 0C     3
i2E_ExCreateCallback                    equ     00000009h     ; 10     4
i2E_ExDeletePagedLookasideList          equ     0000000Ah     ;  4     1
i2E_ExDeleteNPagedLookasideList         equ     0000000Bh     ;  4     1
i2E_ExDeleteResourceLite                equ     0000000Ch     ;  4     1
i2E_Exfi386InterlockedExchangeUlong     equ     00000111h     ;  8     2
i2E_ExfInterlockedAddUlong              equ     00000112h     ; 0C     3
i2E_ExfInterlockedInsertHeadList        equ     00000113h     ; 0C     3
i2E_ExfInterlockedInsertTailList        equ     00000114h     ; 0C     3
i2E_ExfInterlockedPopEntryList          equ     00000115h     ;  8     2
i2E_ExfInterlockedPushEntryList         equ     00000116h     ; 0C     3
i2E_ExfInterlockedRemoveHeadList        equ     00000117h     ;  8     2
i2E_ExFreePool                          equ     0000000Dh     ;  4     1
i2E_ExFreeToPagedLookasideList          equ     0000000Eh     ;  8     2
i2E_ExGetExclusiveWaiterCount           equ     0000000Fh     ;  4     1
i2E_ExGetPreviousMode                   equ     00000010h     ;  -     -
i2E_ExGetSharedWaiterCount              equ     00000011h     ;  4     1
i2E_ExInitializePagedLookasideList      equ     00000012h     ; 1C     7
i2E_ExInitializeNPagedLookasideList     equ     00000013h     ; 1C     7
i2E_ExInitializeResourceLite            equ     00000014h     ;  4     1
i2E_ExInterlockedAddLargeStatistic      equ     00000118h     ;  8     2
i2E_ExInterlockedCompareExchange64      equ     00000119h     ; 10     4
i2E_ExInterlockedPopEntrySList          equ     0000011Ah     ;  8     2
i2E_ExInterlockedPushEntrySList         equ     0000011Bh     ; 0C     3
i2E_ExIsResourceAcquiredExclusiveLite   equ     00000015h     ;  4     1
i2E_ExIsResourceAcquiredSharedLite      equ     00000016h     ;  4     1
i2E_ExNotifyCallback                    equ     00000017h     ; 0C     3
i2E_ExQueueWorkItem                     equ     00000018h     ;  8     2
i2E_ExRaiseAccessViolation              equ     00000019h     ;  -     -
i2E_ExRaiseDatatypeMisalignment         equ     0000001Ah     ;  -     -
i2E_ExRegisterCallback                  equ     0000001Bh     ; 0C     3
i2E_ExReleaseFastMutexUnsafe            equ     0000011Ch     ;  4     1
i2E_ExRaiseStatus                       equ     0000001Ch     ;  4     1
i2E_ExReinitializeResourceLite          equ     0000001Dh     ;  4     1
i2E_ExReleaseResourceLite               equ     0000011Dh     ;  4     1
i2E_ExTryToAcquireResourceExclusiveLite equ     0000001Eh     ;  4     1
i2E_ExUnregisterCallback                equ     0000001Fh     ;  4     1
i2E_InterlockedCompareExchange          equ     0000011Eh     ; 0C     3
i2E_InterlockedDecrement                equ     0000011Fh     ;  4     1
i2E_InterlockedExchange                 equ     00000120h     ;  8     2
i2E_InterlockedIncrement                equ     00000121h     ;  4     1
i2E_IoAcquireCancelSpinLock             equ     00000020h     ;  4     1
i2E_IoAllocateAdapterChannel            equ     00000021h     ; 14     5
i2E_IoAllocateDriverObjectExtension     equ     0000013Ah     ; 10     4
i2E_IoAllocateErrorLogEntry             equ     00000022h     ;  8     2
i2E_IoAllocateIrp                       equ     00000023h     ;  8     2
i2E_IoAllocateMdl                       equ     00000024h     ; 14     5
i2E_IoAttachDevice                      equ     00000025h     ; 0C     3
i2E_IoAttachDeviceByPointer             equ     00000026h     ;  8     2
i2E_IoAttachDeviceToDeviceStack         equ     00000027h     ;  8     2
i2E_IoBuildAsynchronousFsdRequest       equ     00000028h     ; 18     6
i2E_IoBuildDeviceIoControlRequest       equ     00000029h     ; 24     9
i2E_IoBuildSynchronousFsdRequest        equ     0000002Ah     ; 1C     7
i2E_IoCancelIrp                         equ     0000002Bh     ;  4     1
i2E_IoCheckShareAccess                  equ     0000002Ch     ; 14     5
i2E_IoCompleteRequest                   equ     0000002Dh     ;  8     2
i2E_IoConnectInterrupt                  equ     0000002Eh     ; 2C    11
i2E_IoCreateDevice                      equ     0000002Fh     ; 1C     7
i2E_IoCreateDriver                      equ     0000018Ch     ;  8     2
i2E_IoCreateFile                        equ     0000012Dh     ; 38    14
i2E_IoCreateSymbolicLink                equ     00000030h     ;  8     2
i2E_IoCreateUnprotectedSymbolicLink     equ     00000031h     ;  8     2
i2E_IoDeleteDevice                      equ     00000032h     ;  4     1
i2E_IoDeleteSymbolicLink                equ     00000033h     ;  4     1
i2E_IoDetachDevice                      equ     00000034h     ;  4     1
i2E_IoDisconnectInterrupt               equ     00000035h     ;  4     1
i2E_IoDriverObjectType                  equ     0000013Bh     ;  -     -
i2E_IofCallDriver                       equ     00000122h     ;  8     2
i2E_IofCompleteRequest                  equ     00000123h     ;  8     2
i2E_IoFreeIrp                           equ     00000036h     ;  4     1
i2E_IoFreeMdl                           equ     00000037h     ;  4     1
i2E_IoGetAttachedDeviceReference        equ     0000013Ch     ;  4     1
i2E_IoGetConfigurationInformation       equ     00000038h     ;  -     -
i2E_IoGetCurrentIrpStackLocation        equ     00000039h     ;  4     1
i2E_IoGetCurrentProcess                 equ     0000003Ah     ;  -     -
i2E_IoGetDeviceInterfaceAlias           equ     00000194h     ; 0C     3
i2E_IoGetDeviceObjectPointer            equ     0000003Bh     ; 10     4
i2E_IoGetDriverObjectExtension          equ     0000013Dh     ;  8     2
i2E_IoGetRelatedDeviceObject            equ     0000003Ch     ;  4     1
i2E_IoInitializeIrp                     equ     0000003Dh     ; 0C     3
i2E_IoInitializeTimer                   equ     0000003Eh     ; 0C     3
i2E_IoRegisterShutdownNotification      equ     00000040h     ;  4     1
i2E_IoReleaseCancelSpinLock             equ     00000041h     ;  4     1
i2E_IoReportResourceUsage               equ     00000042h     ; 24     9
i2E_IoSetShareAccess                    equ     00000043h     ; 10     4
i2E_IoStartNextPacket                   equ     00000044h     ;  8     2
i2E_IoStartNextPacketByKey              equ     00000045h     ; 0C     3
i2E_IoStartPacket                       equ     00000046h     ; 10     4
i2E_IoStartTimer                        equ     00000047h     ;  4     1
i2E_IoStopTimer                         equ     00000048h     ;  4     1
i2E_IoUnregisterDeviceInterface         equ     00000195h     ;  4     1
i2E_IoUnregisterShutdownNotification    equ     00000049h     ;  4     1
i2E_IoWMIRegistrationControl            equ     00000190h     ;  8     2
i2E_IoWMIAllocateInstanceIds            equ     00000191h     ; 0C     3
i2E_IoWMISuggestInstanceName            equ     00000192h     ; 10     4
i2E_IoWMIWriteEvent                     equ     00000193h     ;  4     1
i2E_IoWriteErrorLogEntry                equ     0000004Ah     ;  4     1
i2E_KeBugCheckEx                        equ     0000004Bh     ; 14     5
i2E_KeCancelTimer                       equ     0000004Ch     ;  4     1
i2E_KeClearEvent                        equ     0000004Dh     ;  4     1
i2E_KeDelayExecutionThread              equ     0000004Eh     ; 0C     3
i2E_KefAcquireSpinLockAtDpcLevel        equ     00000124h     ;  4     1
i2E_KeFlushWriteBuffer                  equ     00000125h     ;  -     -
i2E_KefReleaseSpinLockFromDpcLevel      equ     00000126h     ;  4     1
i2E_KeGetCurrentThread                  equ     0000004Fh     ;  -     -
i2E_KeInitializeApc                     equ     00000050h     ; 20     8
i2E_KeInitializeDeviceQueue             equ     00000051h     ;  4     1
i2E_KeInitializeDpc                     equ     00000052h     ; 0C     3
i2E_KeInitializeEvent                   equ     00000053h     ; 0C     3
i2E_KeInitializeMutex                   equ     00000054h     ;  8     2
i2E_KeInitializeSemaphore               equ     00000055h     ; 0C     3
i2E_KeInitializeSpinLock                equ     00000056h     ;  4     1
i2E_KeInitializeTimer                   equ     00000057h     ;  4     1
i2E_KeInitializeTimerEx                 equ     00000058h     ;  8     2
i2E_KeInsertByKeyDeviceQueue            equ     00000059h     ; 0C     3
i2E_KeInsertDeviceQueue                 equ     0000005Ah     ;  8     2
i2E_KeInsertQueueApc                    equ     0000005Bh     ; 10     4
i2E_KeInsertQueueDpc                    equ     0000005Ch     ; 0C     3
i2E_KeQuerySystemTime                   equ     0000005Dh     ;  4     1
i2E_KeQueryInterruptTime                equ     00000198h     ;  -     -
i2E_KeQueryTimeIncrement                equ     0000005Fh     ;  -     -
i2E_KeReadStateSemaphore                equ     00000060h     ;  4     1
i2E_KeReadStateTimer                    equ     00000061h     ;  4     1
i2E_KeReleaseMutex                      equ     00000062h     ;  8     2
i2E_KeReleaseSemaphore                  equ     00000063h     ; 10     4
i2E_KeRemoveByKeyDeviceQueue            equ     00000064h     ;  8     2
i2E_KeRemoveDeviceQueue                 equ     00000065h     ;  4     1
i2E_KeRemoveEntryDeviceQueue            equ     00000066h     ;  8     2
i2E_KeRemoveQueueApc                    equ     00000067h     ;  4     1
i2E_KeRemoveQueueDpc                    equ     00000068h     ;  4     1
i2E_KeResetEvent                        equ     00000069h     ;  4     1
i2E_KeSetEvent                          equ     0000006Ah     ; 0C     3
i2E_KeSetImportanceDpc                  equ     0000006Bh     ;  8     2
i2E_KeSetPriorityThread                 equ     0000006Ch     ;  8     2
i2E_KeSetTimer                          equ     0000006Dh     ; 10     4
i2E_KeSetTimerEx                        equ     0000006Eh     ; 14     5
i2E_KeSynchronizeExecution              equ     0000006Fh     ; 0C     3
i2E_KeTickCount                         equ     0000005Eh     ;  -     -
i2E_KeWaitForSingleObject               equ     00000070h     ; 14     5
i2E_KeWaitForMultipleObjects            equ     00000071h     ; 20     8
i2E_MmAllocateContiguousMemory          equ     00000072h     ; 0C     3
i2E_MmCreateMdl                         equ     00000073h     ; 0C     3
i2E_MmBuildMdlForNonPagedPool           equ     00000074h     ;  4     1
i2E_MmFreeContiguousMemory              equ     00000075h     ;  4     1
i2E_MmGetPhysicalAddress                equ     00000076h     ;  4     1
i2E_MmLockPagableDataSection            equ     00000077h     ;  4     1
i2E_MmUnlockPagableImageSection         equ     00000078h     ;  4     1
i2E_MmMapIoSpace                        equ     00000079h     ; 10     4
i2E_MmMapLockedPages                    equ     0000007Ah     ;  8     2
i2E_MmPageEntireDriver                  equ     0000007Bh     ;  4     1
i2E_MmProbeAndLockPages                 equ     0000007Ch     ; 0C     3
i2E_MmProbeAndLockProcessPages          equ     0000018Fh     ; 10     4
i2E_MmResetDriverPaging                 equ     0000007Dh     ;  4     1
i2E_MmQuerySystemSize                   equ     0000007Eh     ;  -     -
i2E_MmSizeOfMdl                         equ     0000007Fh     ;  8     2
i2E_MmUnlockPages                       equ     00000080h     ;  4     1
i2E_MmUnmapIoSpace                      equ     00000081h     ;  8     2
i2E_MmUnmapLockedPages                  equ     00000082h     ;  8     2
i2E_NtClose                             equ     00000083h     ;  4     1
i2E_NtCreateFile                        equ     00000084h     ; 2C    11
i2E_NtInitiatePowerAction               equ     00000107h     ; 10     4
i2E_NtLoadDriver                        equ     00000085h     ;  4     1
i2E_NtPowerInformation                  equ     00000108h     ; 14     5
i2E_NtRequestWakeupLatency              equ     00000109h     ;  4     1
i2E_NtSetThreadExecutionState           equ     0000010Dh     ;  8     2
i2E_NtSetSystemPowerState               equ     0000010Bh     ; 0C     3
i2E_NtGetDevnodeFromFileHandle          equ     00000196h     ;  8     2
i2E_ObDereferenceObject                 equ     00000086h     ;  4     1
i2E_ObfDereferenceObject                equ     00000127h     ;  4     1
i2E_ObfReferenceObject                  equ     00000128h     ;  4     1
i2E_ObReferenceObjectByHandle           equ     00000087h     ; 18     6
i2E_ObReferenceObjectByPointer          equ     00000088h     ; 10     4
i2E_ObReferenceObjectByName             equ     00000089h     ; 20     8
i2E_PoCallDriver                        equ     0000008Ah     ;  8     2
i2E_PoSetPowerState                     equ     0000008Ch     ; 0C     3
i2E_PoQueryPowerSequence                equ     0000010Ch     ;  -     -
i2E_PoRegisterDeviceForIdleDetection    equ     0000008Dh     ; 10     4
i2E_PoRequestPowerIrp                   equ     000000FFh     ; 18     6
i2E_PoStartNextPowerIrp                 equ     00000135h     ;  4     1
i2E_ProbeForRead                        equ     0000008Fh     ; 0C     3
i2E_ProbeForWrite                       equ     00000090h     ; 0C     3
i2E_PsCreateSystemThread                equ     00000091h     ; 1C     7
i2E_PsGetCurrentProcess                 equ     00000092h     ;  -     -
i2E_PsGetCurrentThread                  equ     00000093h     ;  -     -
i2E_PsTerminateSystemThread             equ     00000094h     ;  4     1
i2E_READ_REGISTER_BUFFER_UCHAR          equ     00000095h     ; 0C     3
i2E_READ_REGISTER_BUFFER_ULONG          equ     00000096h     ; 0C     3
i2E_READ_REGISTER_BUFFER_USHORT         equ     00000097h     ; 0C     3
i2E_READ_REGISTER_UCHAR                 equ     00000098h     ;  4     1
i2E_READ_REGISTER_ULONG                 equ     00000099h     ;  4     1
i2E_READ_REGISTER_USHORT                equ     0000009Ah     ;  4     1
i2E_RtlAnsiStringToUnicodeString        equ     0000009Bh     ; 0C     3
i2E_RtlAppendUnicodeStringToString      equ     0000009Ch     ;  8     2
i2E_RtlAppendUnicodeToString            equ     0000009Dh     ;  8     2
i2E_RtlAssert                           equ     0000009Eh     ; 10     4
i2E_RtlCompareMemory                    equ     0000009Fh     ; 0C     3
i2E_RtlConvertLongToLargeInteger        equ     0000008Bh     ;  4     1
i2E_RtlConvertUlongToLargeInteger       equ     0000008Eh     ;  4     1
i2E_RtlCopyMemory                       equ     0000010Ah     ; 0C     3
i2E_RtlCopyUnicodeString                equ     00000134h     ;  8     2
i2E_RtlDeleteRegistryValue              equ     00000130h     ; 0C     3
i2E_RtlEqualUnicodeString               equ     00000131h     ; 0C     3
i2E_RtlExtendedIntegerMultiply          equ     00000132h     ; 0C     3
i2E_RtlExtendedLargeIntegerDivide       equ     00000133h     ; 10     4
i2E_RtlExtendedMagicDivide              equ     00000000h     ; 14     5
i2E_RtlFreeAnsiString                   equ     000000A0h     ;  4     1
i2E_RtlFreeUnicodeString                equ     000000A1h     ;  4     1
i2E_RtlGUIDFromString                   equ     0000012Eh     ;  8     2
i2E_RtlInitAnsiString                   equ     000000A2h     ;  8     2
i2E_RtlInitializeBitMap                 equ     000000A3h     ; 0C     3
i2E_RtlInitString                       equ     000000A4h     ;  8     2
i2E_RtlInitUnicodeString                equ     000000A5h     ;  8     2
i2E_RtlIntegerToUnicodeString           equ     000000A6h     ; 0C     3
i2E_RtlMoveMemory                       equ     000000A7h     ; 0C     3
i2E_RtlQueryRegistryValues              equ     000000A8h     ; 14     5
i2E_RtlSetAllBits                       equ     000000A9h     ;  4     1
i2E_RtlSetBits                          equ     000000AAh     ; 0C     3
i2E_RtlStringFromGUID                   equ     0000012Fh     ;  8     2
i2E_RtlTimeFieldsToTime                 equ     000000ABh     ;  8     2
i2E_RtlTimeToTimeFields                 equ     000000ACh     ;  8     2
i2E_RtlUnicodeStringToAnsiSize          equ     000000ADh     ;  4     1
i2E_RtlUnicodeStringToAnsiString        equ     000000AEh     ; 0C     3
i2E_RtlUnicodeStringToInteger           equ     000000AFh     ; 0C     3
i2E_RtlUnwind                           equ     000000B0h     ; 10     4
i2E_RtlRaiseStatus                      equ     000000B1h     ;  4     1
i2E_RtlRaiseException                   equ     000000B2h     ;  4     1
i2E_RtlUnicodeToMultiByteN              equ     00000136h     ; 14     5
i2E_RtlWriteRegistryValue               equ     000000B3h     ; 18     6
i2E_RtlxAnsiStringToUnicodeSize         equ     000000B4h     ;  4     1
i2E_RtlxUnicodeStringToAnsiSize         equ     000000B5h     ;  4     1
i2E_RtlZeroMemory                       equ     000000B6h     ;  8     2
i2E_RtlCompareUnicodeString             equ     000000B7h     ; 0C     3
i2E_SeAssignSecurity                    equ     000000B8h     ; 1C     7
i2E_SeDeassignSecurity                  equ     000000B9h     ;  4     1
i2E_WRITE_REGISTER_BUFFER_UCHAR         equ     000000BAh     ; 0C     3
i2E_WRITE_REGISTER_BUFFER_ULONG         equ     000000BBh     ; 0C     3
i2E_WRITE_REGISTER_BUFFER_USHORT        equ     000000BCh     ; 0C     3
i2E_WRITE_REGISTER_UCHAR                equ     000000BDh     ;  8     2
i2E_WRITE_REGISTER_ULONG                equ     000000BEh     ;  8     2
i2E_WRITE_REGISTER_USHORT               equ     000000BFh     ;  8     2
i2E_ZwAllocateVirtualMemory             equ     000000C0h     ; 18     6
i2E_ZwClearEvent                        equ     000000C1h     ;  4     1
i2E_ZwClose                             equ     000000C2h     ;  4     1
i2E_ZwCreateDirectoryObject             equ     000000C3h     ; 0C     3
i2E_ZwCreateEvent                       equ     000000C4h     ; 14     5
i2E_ZwCreateFile                        equ     000000C5h     ; 2C    11
i2E_ZwCreateKey                         equ     000000C6h     ; 1C     7
i2E_ZwDeleteKey                         equ     000000C7h     ;  4     1
i2E_ZwDeviceIoControlFile               equ     000000C8h     ; 28    10
i2E_ZwEnumerateKey                      equ     000000C9h     ; 18     6
i2E_ZwEnumerateValueKey                 equ     000000CAh     ; 18     6
i2E_ZwFreeVirtualMemory                 equ     000000CBh     ;  4     1
i2E_ZwLoadDriver                        equ     000000CCh     ;  4     1
i2E_ZwMakeTemporaryObject               equ     000000CDh     ;  4     1
i2E_ZwMapViewOfSection                  equ     000000CEh     ; 28    10
i2E_ZwOpenEvent                         equ     000000CFh     ; 0C     3
i2E_ZwOpenKey                           equ     000000D0h     ; 0C     3
i2E_ZwOpenSection                       equ     000000D1h     ; 0C     3
i2E_ZwPowerInformation                  equ     0000018Eh     ; 14     5
i2E_ZwPulseEvent                        equ     000000D2h     ;  8     2
i2E_ZwQueryEvent                        equ     000000D3h     ; 14     5
i2E_ZwQueryKey                          equ     000000D4h     ; 14     5
i2E_ZwQueryValueKey                     equ     000000D5h     ; 18     6
i2E_ZwResetEvent                        equ     000000D6h     ;  8     2
i2E_ZwSetEvent                          equ     000000D7h     ;  8     2
i2E_ZwSetValueKey                       equ     000000D8h     ; 18     6
i2E_ZwUnmapViewOfSection                equ     000000D9h     ;  8     2
i2E_ZwWaitForSingleObject               equ     000000DAh     ; 14     5
i2E_ZwReadFile                          equ     000000DBh     ; 24     9
i2E_ZwWriteFile                         equ     00000137h     ; 24     9
i2E__abnormal_termination               equ     0000013Fh     ;  -     -
i2E__alldiv                             equ     00000140h     ;  -     -
i2E__allmul                             equ     00000141h     ;  -     -
i2E__allrem                             equ     00000142h     ;  -     -
i2E__allshl                             equ     00000143h     ;  -     -
i2E__allshr                             equ     00000144h     ;  -     -
i2E__aulldiv                            equ     00000145h     ;  -     -
i2E__aullrem                            equ     00000146h     ;  -     -
i2E__aullshr                            equ     00000147h     ;  -     -
i2E__except_handler2                    equ     00000148h     ;  -     -
i2E__global_unwind2                     equ     00000149h     ;  -     -
i2E__itoa                               equ     0000014Ah     ;  -     -
i2E__local_unwind2                      equ     0000014Bh     ;  -     -
i2E__snprintf                           equ     0000014Dh     ;  -     -
i2E__snwprintf                          equ     0000014Eh     ;  -     -
i2E__stricmp                            equ     0000014Fh     ;  -     -
i2E__strlwr                             equ     00000150h     ;  -     -
i2E__strnicmp                           equ     00000151h     ;  -     -
i2E__strnset                            equ     00000152h     ;  -     -
i2E__strrev                             equ     00000153h     ;  -     -
i2E__strset                             equ     00000154h     ;  -     -
i2E__strupr                             equ     00000155h     ;  -     -
i2E__vsnprintf                          equ     00000156h     ;  -     -
i2E__wcsicmp                            equ     00000157h     ;  -     -
i2E__wcslwr                             equ     00000158h     ;  -     -
i2E__wcsnicmp                           equ     00000159h     ;  -     -
i2E__wcsnset                            equ     0000015Ah     ;  -     -
i2E__wcsrev                             equ     0000015Bh     ;  -     -
i2E__wcsupr                             equ     0000015Ch     ;  -     -
i2E_atoi                                equ     0000015Dh     ;  -     -
i2E_atol                                equ     0000015Eh     ;  -     -
i2E_isdigit                             equ     0000015Fh     ;  -     -
i2E_islower                             equ     00000160h     ;  -     -
i2E_isprint                             equ     00000161h     ;  -     -
i2E_isspace                             equ     00000162h     ;  -     -
i2E_isupper                             equ     00000163h     ;  -     -
i2E_isxdigit                            equ     00000164h     ;  -     -
i2E_mbstowcs                            equ     00000165h     ;  -     -
i2E_mbtowc                              equ     00000166h     ;  -     -
i2E_memchr                              equ     00000167h     ;  -     -
i2E_memcpy                              equ     00000168h     ;  -     -
i2E_memmove                             equ     00000169h     ;  -     -
i2E_memset                              equ     0000016Ah     ;  -     -
i2E_qsort                               equ     0000016Bh     ;  -     -
i2E_rand                                equ     0000016Ch     ;  -     -
i2E_sprintf                             equ     0000016Dh     ;  -     -
i2E_srand                               equ     0000016Eh     ;  -     -
i2E_strcat                              equ     0000016Fh     ;  -     -
i2E_strchr                              equ     00000170h     ;  -     -
i2E_strcmp                              equ     00000171h     ;  -     -
i2E_strcpy                              equ     00000172h     ;  -     -
i2E_strlen                              equ     00000173h     ;  -     -
i2E_strncat                             equ     00000174h     ;  -     -
i2E_strncmp                             equ     00000175h     ;  -     -
i2E_strncpy                             equ     00000176h     ;  -     -
i2E_strrchr                             equ     00000177h     ;  -     -
i2E_strspn                              equ     00000178h     ;  -     -
i2E_strstr                              equ     00000179h     ;  -     -
i2E_swprintf                            equ     0000017Ah     ;  -     -
i2E_tolower                             equ     0000017Bh     ;  -     -
i2E_toupper                             equ     0000017Ch     ;  -     -
i2E_towlower                            equ     0000017Dh     ;  -     -
i2E_towupper                            equ     0000017Eh     ;  -     -
i2E_vsprintf                            equ     0000017Fh     ;  -     -
i2E_wcscat                              equ     00000180h     ;  -     -
i2E_wcschr                              equ     00000181h     ;  -     -
i2E_wcscmp                              equ     00000182h     ;  -     -
i2E_wcscpy                              equ     00000183h     ;  -     -
i2E_wcscspn                             equ     00000184h     ;  -     -
i2E_wcslen                              equ     00000185h     ;  -     -
i2E_wcsncat                             equ     00000186h     ;  -     -
i2E_wcsncmp                             equ     00000187h     ;  -     -
i2E_wcsncpy                             equ     00000188h     ;  -     -
i2E_wcsrchr                             equ     00000189h     ;  -     -
i2E_wcsspn                              equ     0000018Ah     ;  -     -
i2E_wcsstr                              equ     0000018Bh     ;  -     -
i2E_wcstombs                            equ     0000013Eh     ;  -     -
i2E_wctomb                              equ     0000014Ch     ;  -     -
i2E_ExAcquireFastMutex                  equ     00000129h     ;  4     1
i2E_ExReleaseFastMutex                  equ     0000012Ah     ;  4     1
i2E_HalAllocateAdapterChannel           equ     000000DCh     ; 10     4
i2E_HalAllocateCommonBuffer             equ     000000DDh     ; 10     4
i2E_HalAssignSlotResources              equ     000000DEh     ; 20     8
i2E_HalFlushCommonBuffer                equ     000000DFh     ; 14     5
i2E_HalFreeCommonBuffer                 equ     000000E0h     ; 18     6
i2E_HalGetAdapter                       equ     000000E1h     ;  8     2
i2E_HalGetBusData                       equ     000000E2h     ; 14     5
i2E_HalGetInterruptVector               equ     000000E3h     ; 18     6
i2E_HalReadDmaCounter                   equ     000000E4h     ;  4     1
i2E_HalSetBusDataByOffset               equ     000000E5h     ; 18     6
i2E_HalTranslateBusAddress              equ     000000E6h     ; 18     6
i2E_IoFlushAdapterBuffers               equ     000000E7h     ; 18     6
i2E_IoFreeAdapterChannel                equ     000000E8h     ;  4     1
i2E_IoFreeMapRegisters                  equ     000000E9h     ; 0C     3
i2E_IoMapTransfer                       equ     000000EAh     ; 18     6
i2E_KeGetCurrentIrql                    equ     000000EBh     ;  -     -
i2E_KeQueryPerformanceCounter           equ     000000ECh     ;  4     1
i2E_KeStallExecutionProcessor           equ     000000EDh     ;  4     1
i2E_KfAcquireSpinLock                   equ     0000012Bh     ;  4     1
i2E_KfLowerIrql                         equ     0000010Eh     ;  4     1
i2E_KfRaiseIrql                         equ     0000010Fh     ;  4     1
i2E_KfRaiseIrqlToDpcLevel               equ     00000138h     ;  -     -
i2E_KfReleaseSpinLock                   equ     00000106h     ;  8     2
i2E_READ_PORT_BUFFER_UCHAR              equ     000000EEh     ; 0C     3
i2E_READ_PORT_BUFFER_ULONG              equ     000000EFh     ; 0C     3
i2E_READ_PORT_BUFFER_USHORT             equ     000000F0h     ; 0C     3
i2E_READ_PORT_UCHAR                     equ     000000F1h     ;  4     1
i2E_READ_PORT_ULONG                     equ     000000F2h     ;  4     1
i2E_READ_PORT_USHORT                    equ     000000F3h     ;  4     1
i2E_WRITE_PORT_BUFFER_UCHAR             equ     000000F4h     ; 0C     3
i2E_WRITE_PORT_BUFFER_ULONG             equ     000000F5h     ; 0C     3
i2E_WRITE_PORT_BUFFER_USHORT            equ     000000F6h     ; 0C     3
i2E_WRITE_PORT_UCHAR                    equ     000000F7h     ;  8     2
i2E_WRITE_PORT_ULONG                    equ     000000F8h     ;  8     2
i2E_WRITE_PORT_USHORT                   equ     000000F9h     ;  8     2
i2E_IoInvalidateDeviceState             equ     0000018Dh     ;  4     1
i2E_IoInvalidateDeviceRelations         equ     000000FAh     ;  8     2
i2E_IoReportTargetDeviceChange          equ     00000197h     ;  8     2
i2E_IoCreateDriverObject                equ     000000FBh     ;  8     2
i2E_IoGetDeviceInterfaces               equ     000000FCh     ; 10     4
i2E_IoGetDeviceProperty                 equ     000000FDh     ; 14     5
i2E_IoOpenDeviceInterfaceRegistryKey    equ     0000012Ch     ; 0C     3
i2E_IoOpenDeviceRegistryKey             equ     000000FEh     ; 10     4
i2E_IoRegisterDeviceInterface           equ     00000100h     ; 10     4
i2E_IoRegisterDeviceInterfaceByDevnode  equ     0000003Fh     ; 10     4
i2E_IoRegisterPlugPlayNotification      equ     00000101h     ; 1C     7
i2E_IoReportDeviceStatus                equ     00000102h     ;  8     2
i2E_IoSetDeviceInterfaceState           equ     00000103h     ;  8     2
i2E_IoSetDeviceProperty                 equ     00000104h     ; 10     4
i2E_IoUnregisterPlugPlayNotification    equ     00000105h     ;  4     1

; --- 0x199 services ---

---[end NTOSKRNL.INC]--------------------------------------------------------
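The listing above pairs each service number with the size of its stack frame (in hex) and its argument count, and a practitioner who turns it into a dispatch or lookup table wants those two columns to agree (stack bytes must be 4 times the argument count for the stdcall-style services) and wants no service number listed twice. The following Python is an added example, not code from the article or from NTKERN; the parser, the function names (`parse_i2e_table`, `check_table`, `service_name`) and the constructed "bad" entry are assumptions of mine, and the regular expression assumes exactly the column layout of the include file shown on this page.

```python
import re
from typing import List, Optional, Tuple

# Column layout of the NTOSKRNL.INC lines above:
#   <name>  equ  <hex>h  ; <stack-bytes-hex>  <arg-count>
# A "-" in the last two columns marks entries with no stack-argument
# convention (the C runtime helpers, KeGetCurrentIrql, ...).
_LINE_RE = re.compile(
    r"^\s*(?P<name>i2E_\w+)\s+equ\s+(?P<num>[0-9A-Fa-f]+)h\s*"
    r";\s*(?P<stack>[0-9A-Fa-f]+|-)\s+(?P<args>\d+|-)\s*$"
)

Entry = Tuple[str, int, Optional[int], Optional[int]]

# Lines copied verbatim from the listing on this page.
PAGE_LINES = "\n".join([
    "i2E_ZwCreateFile                        equ     000000C5h     ; 2C    11",
    "i2E_ZwPowerInformation                  equ     0000018Eh     ; 14     5",
    "i2E_KeGetCurrentIrql                    equ     000000EBh     ;  -     -",
    "i2E_WRITE_PORT_UCHAR                    equ     000000F7h     ;  8     2",
    "; --- 0x199 services ---",          # comment lines are skipped
])

# Constructed entry (not in the article): reuses 0C5h and claims a
# 16-byte frame for 5 arguments, so it should trip both checks.
CONSTRUCTED_BAD = "\ni2E_Bogus_Constructed  equ  000000C5h  ; 10  5"

SAMPLE_INC = PAGE_LINES + CONSTRUCTED_BAD


def parse_i2e_table(text: str) -> List[Entry]:
    """Parse include-file lines into (name, number, stack_bytes, arg_count).

    stack_bytes and arg_count are None where the listing shows "-".
    Lines that do not match the layout (comments, blanks) are ignored.
    """
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        stack = None if m["stack"] == "-" else int(m["stack"], 16)
        args = None if m["args"] == "-" else int(m["args"])
        entries.append((m["name"], int(m["num"], 16), stack, args))
    return entries


def check_table(entries: List[Entry]) -> List[str]:
    """Report frame sizes that are not 4*argc and service numbers used twice."""
    problems: List[str] = []
    seen = {}
    for name, num, stack, args in entries:
        if stack is not None and args is not None and stack != 4 * args:
            problems.append(f"{name}: stack {stack:#x} != 4*{args} args")
        if num in seen:
            problems.append(f"{name}: number {num:#x} already used by {seen[num]}")
        seen.setdefault(num, name)
    return problems


def service_name(entries: List[Entry], num: int) -> Optional[str]:
    """Map a service number (the EAX value before INT 2Eh) back to its name."""
    for name, n, _, _ in entries:
        if n == num:
            return name
    return None


if __name__ == "__main__":
    table = parse_i2e_table(SAMPLE_INC)
    for problem in check_table(table):
        print("problem:", problem)
    print(service_name(table, 0x18E))
```

Run against the four lines taken from the page the check returns no problems; the constructed entry produces two reports, one for the frame-size mismatch and one for the duplicated number. `service_name` is the lookup direction you need when reading a trace or disassembly that shows only `mov eax, <number>` before the `int 2Eh`.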