description of the win98/INT 2E services (VMM/NTKERN.VxD) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ xlated from russian for MATRiX #2 E-Zine (x) 2000 Z0MBiE http://z0mbie.cjb.net [*] PREFACE Lets consider any win32 program. This program calls kernel api, and most of these api will pass control into ring0. Under win9X VMM/VWIN32.VxD provides special kernel services, which are called in the following way: kernel@int21: 015F:BFF712B9 push ecx push eax push 002A0010 ; <-- call kernel@ord0 ret kernel@ord0: 015F:BFF713D4 mov eax, [esp+4] pop dword ptr [esp] call far cs:[BFFC9734] ... 015F:BFF79734 dd 000003C8h ; offset dw 003Bh ; selector ... 003B:03C8 int 30h ... where is a special number of the service, for example 0x002A0010 for INT 21, 0x002A0029 for INT 31, etc. Should be said, these VWIN32 services are NOT the VxDcall services, and even if 002A means VWIN32, 0010 means here INT 21, but not VWIN32_ResetWin32Event. Full list of the VWIN32 services (numbers/names) may be found in the Matt Pietrek's book. But lets continue. Under WinNT/2000 ring-0 subroutines are called via INT 2E. And, as it turned out, in the win98's VMM there is a cool vxd, called NTKERN.VXD, which provides some NT's INT 2E services. Mmoreover, INT 2E is used when win98 is loading, at that time such functions as ntoskrnl!NtPowerInformation are called. Here is a description of how INT 2E service call may be performed: way 1 way 2 mov eax, service-number push param3 lea edx, stk push param2 int 2Eh push param1 ... mov edx, esp stk: dd param1 mov eax, service-number dd param2 int 2Eh dd param3 add esp, 4*n ... ... As you can see, when calling INT 2E, EAX contains service number and EDX contains pointer to the stack frame = block of DWORD-parameters, located on the stack or somewhere else. Before calling corresponding function, INT 2E handler will just copy some data from *EDX to the current stack. List of all the service numbers follows this text. ***IMPORTANT***: Most of these numbers and/or function parameters are not the same as in WinNT/2000. Here is a description of most interesting INT 2E functions. [*] Entering RING-0 -- PsCreateSystemThread This function will create thread right in ring-0. You can exit from such thread via RET, after that it will automatically killed by means of PsTerminateSystemThread. COMMENT: The only trouble is that sometimes this code generates a BUG, and i dunno how to fix it. Error is the followin: we're entering ring-0, but page at our ring-0 eip is absent in the current context. ... mov eax, i2E_PsCreateSystemThread lea edx, stk int 2Eh __cycle: cmp r0_finished, 1 jne __cycle ... stk: dd offset thread_handle ; 0 or *thread_handle dd 0 ; 0 or 0x1F03FF = ??? dd 0 ; 0 dd 0 ; 0 dd 0 ; 0 dd offset ring0 ; thread EIP, near proc dd 12345678h ; thread-parameter ; input: [ESP+4]=EDI=thread_parameter ring0: int 3 mov r0_finished, 1 nop ; harmful action ;-) ret [*] Entering RING-0 -- PoCallDriver Complete bullshit, no any drivers used here. This great function will simply pass control to the our ring0 code. Only trouble is that function requires lots of fucking parameters... Here is a stack frame: stk dd offset x1 dd offset x2 x1 db 8 dup (0) dd offset x3 x2 db 60h dup (0) dd offset x4+24h x4 db 18h dup (0) x3 db 38h dup (0) dd ring_0 And here is optimized ring0-entering subroutine. lea esi, r0proc call callring0 ... r0proc: int 3 ret ; subroutine: callring0 ; input: ESI=offset ring_0, proc NEAR callring0: pusha call @@X pusha call dword ptr [ecx] popa ret 8 @@X: sub esp, 14h xor eax, eax push eax lea edx, [esp+24h] push edx sub esp, 54h lea edx, [esp+38h] push edx push edx push esi mov edx, esp push edx push edx mov edx, esp mov al, i2E_PoCallDriver int 2Eh add esp, 88h popa ret [*] memory-access related functions All these functions means that you will pass some parameters into INT 2E, and memory operations will be performed in ring-0. In such way you can, for example, modify kernel or patch av vxds even without entering ring-0. [*] RtlCopyMemory, RtlMoveMemory The difference between these two functions is the following: RtlCopyMemory will simply copy memory using 'movs' command, but RtlMoveMemory will first analyze esi and edi, and only then copy buffer byte-by-byte, from the start to the end, or from the end to the start, depending on esi/edi. In such way RtlMoveMemory will correctly copy intersecting ranges [esi...esi+ecx] and [edi...edi+ecx]. mov eax, i2E_RtlCopyMemory ; or RtlMoveMemory lea edx, stk int 2Eh ... stk: dd 0BFF7xxxxh ; edi (destination) dd offset vir_code ; esi (source) dd vir_size ; ecx (length in bytes) [*] READ_REGISTER_BUFFER_UCHAR/ULONG/USHORT Action: REP MOVSB, REP MOVSD and REP MOVSW. push ecx push edi push esi mov edx, esp mov eax, i2E_READ_REGISTER_BUFFER_ULONG int 2Eh add esp, 3*4 [*] WRITE_REGISTER_BUFFER_UCHAR/ULONG/USHORT Action: REP MOVSB, REP MOVSD and REP MOVSW, but swapped source/destination. push ecx push esi push edi mov edx, esp mov eax, i2E_WRITE_REGISTER_BUFFER_ULONG int 2Eh add esp, 3*4 [*] READ_REGISTER_UCHAR/ULONG/USHORT Action: MOV AL,[ESI], MOV EAX,[ESI] and MOV AX,[ESI] Return values: EAX. push esi mov edx, esp mov eax, i2E_READ_REGISTER_UCHAR int 2Eh add esp, 1*4 [*] WRITE_REGISTER_UCHAR/ULONG/USHORT Action: MOV [EDI],AL, MOV [EDI],EAX and MOV [EDI],AX push eax push edi mov edx, esp mov eax, i2E_WRITE_REGISTER_UCHAR int 2Eh add esp, 2*4 [*] io-port access related functions [*] READ_PORT_BUFFER_UCHAR/ULONG/USHORT Action: REP INSB, REP INSD and REP INSW push ecx push edi push edx mov edx, esp mov eax, i2E_READ_PORT_BUFFER_ULONG int 2Eh add esp, 3*4 [*] WRITE_PORT_BUFFER_UCHAR/ULONG/USHORT Action: REP OUTSB, REP OUTSD and REP OUTSW push ecx push esi push edx mov edx, esp mov eax, i2E_WRITE_PORT_BUFFER_ULONG int 2Eh add esp, 3*4 [*] READ_PORT_UCHAR/ULONG/USHORT Action: IN AL,DX, IN EAX,DX and IN AX,DX push edx mov edx, esp mov eax, i2E_READ_PORT_ULONG int 2Eh add esp, 1*4 [*] WRITE_PORT_UCHAR/ULONG/USHORT Action: OUT DX,AL, OUT DX,EAX and OUT DX,AX push eax push edx mov edx, esp mov eax, i2E_WRITE_PORT_UCHAR int 2Eh add esp, 2*4 [*] Process/thread-related functions [*] IoGetCurrentProcess, PsGetCurrentProcess Both functions means the same handler. Action: return current process handle in EAX. mov eax, i2E_IoGetCurrentProcess int 2Eh GetCurrentProcess' handler performs the followin: call ntoskrnl!KeGetCurrentThread mov eax, [eax+4] ret [*] KeGetCurrentThread, PsGetCurrentThread The same handler again. Action: return current thread handle in EAX. mov eax, i2E_KeGetCurrentThread int 2Eh [*] Other functions [*] KeQuerySystemTime push offset systime mov edx, esp mov eax, i2E_KeQuerySystemTime int 2Eh add esp, 4 ... systime dq ? [*] Comments There are also file-io INT 2E functions, such as IoCreateFile, NtCreateFile, ZwCreateFile, ZwReadFile, ZwWriteFile, DeviceIoControlFile, etc. But parameters of these functions are mostly different from ones on winNT. There are registry-related functions, such as RtlDeleteRegistryValue, RtlQueryRegistryValues, RtlWriteRegistryValue, IoOpenDeviceInterfaceRegistryKey, IoOpenDeviceRegistryKey, may be -- ZwCreateKey, ZwDeleteKey, ZwEnumerateKey, ZwEnumerateValueKey, ZwOpenKey, etc. All of these functions points to normal code and, i hope, may be used. Most of functions which has no parameters (has '-' in the field) are INTERNAL, i.e. parameters to these functions passed not on the stack but in the registers, and you're unable to call'em bypassin registers modification in the INT 2E handler. Most of these functions are written in lowercase and/or begins with '_' character, such as memmove, memset, qsort, rand, sprintf, _except_handler2, _global_unwind2, etc. ---[begin NTOSKRNL.INC]------------------------------------------------------ ; INT 2E services (VMM/NTKERN.VxD) ; ================================ ; ; (x) 2000 Z0MBiE ; http://z0mbie.cjb.net ; ; 1. calling INT 2E service from PE file: ; ; mov eax, ; lea edx, stack_frame ; int 2Eh ; ... ;stack_frame: dd param1 ; size = ; dd param2 ; # of params = / 4 ; ... ; ; 2. service list: ; ---------- service name ------------- --index-- stk-size #params ; (hex) (dec) i2E_DbgBreakPoint equ 00000001h ; - - i2E_DbgPrint equ 00000139h ; - - i2E_ExAcquireFastMutexUnsafe equ 00000110h ; 4 1 i2E_ExAcquireResourceExclusiveLite equ 00000002h ; 8 2 i2E_ExAcquireResourceSharedLite equ 00000003h ; 8 2 i2E_ExAllocateFromPagedLookasideList equ 00000004h ; 4 1 i2E_ExAllocatePool equ 00000005h ; 8 2 i2E_ExAllocatePoolWithQuota equ 00000006h ; 8 2 i2E_ExAllocatePoolWithQuotaTag equ 00000007h ; 0C 3 i2E_ExAllocatePoolWithTag equ 00000008h ; 0C 3 i2E_ExCreateCallback equ 00000009h ; 10 4 i2E_ExDeletePagedLookasideList equ 0000000Ah ; 4 1 i2E_ExDeleteNPagedLookasideList equ 0000000Bh ; 4 1 i2E_ExDeleteResourceLite equ 0000000Ch ; 4 1 i2E_Exfi386InterlockedExchangeUlong equ 00000111h ; 8 2 i2E_ExfInterlockedAddUlong equ 00000112h ; 0C 3 i2E_ExfInterlockedInsertHeadList equ 00000113h ; 0C 3 i2E_ExfInterlockedInsertTailList equ 00000114h ; 0C 3 i2E_ExfInterlockedPopEntryList equ 00000115h ; 8 2 i2E_ExfInterlockedPushEntryList equ 00000116h ; 0C 3 i2E_ExfInterlockedRemoveHeadList equ 00000117h ; 8 2 i2E_ExFreePool equ 0000000Dh ; 4 1 i2E_ExFreeToPagedLookasideList equ 0000000Eh ; 8 2 i2E_ExGetExclusiveWaiterCount equ 0000000Fh ; 4 1 i2E_ExGetPreviousMode equ 00000010h ; - - i2E_ExGetSharedWaiterCount equ 00000011h ; 4 1 i2E_ExInitializePagedLookasideList equ 00000012h ; 1C 7 i2E_ExInitializeNPagedLookasideList equ 00000013h ; 1C 7 i2E_ExInitializeResourceLite equ 00000014h ; 4 1 i2E_ExInterlockedAddLargeStatistic equ 00000118h ; 8 2 i2E_ExInterlockedCompareExchange64 equ 00000119h ; 10 4 i2E_ExInterlockedPopEntrySList equ 0000011Ah ; 8 2 i2E_ExInterlockedPushEntrySList equ 0000011Bh ; 0C 3 i2E_ExIsResourceAcquiredExclusiveLite equ 00000015h ; 4 1 i2E_ExIsResourceAcquiredSharedLite equ 00000016h ; 4 1 i2E_ExNotifyCallback equ 00000017h ; 0C 3 i2E_ExQueueWorkItem equ 00000018h ; 8 2 i2E_ExRaiseAccessViolation equ 00000019h ; - - i2E_ExRaiseDatatypeMisalignment equ 0000001Ah ; - - i2E_ExRegisterCallback equ 0000001Bh ; 0C 3 i2E_ExReleaseFastMutexUnsafe equ 0000011Ch ; 4 1 i2E_ExRaiseStatus equ 0000001Ch ; 4 1 i2E_ExReinitializeResourceLite equ 0000001Dh ; 4 1 i2E_ExReleaseResourceLite equ 0000011Dh ; 4 1 i2E_ExTryToAcquireResourceExclusiveLite equ 0000001Eh ; 4 1 i2E_ExUnregisterCallback equ 0000001Fh ; 4 1 i2E_InterlockedCompareExchange equ 0000011Eh ; 0C 3 i2E_InterlockedDecrement equ 0000011Fh ; 4 1 i2E_InterlockedExchange equ 00000120h ; 8 2 i2E_InterlockedIncrement equ 00000121h ; 4 1 i2E_IoAcquireCancelSpinLock equ 00000020h ; 4 1 i2E_IoAllocateAdapterChannel equ 00000021h ; 14 5 i2E_IoAllocateDriverObjectExtension equ 0000013Ah ; 10 4 i2E_IoAllocateErrorLogEntry equ 00000022h ; 8 2 i2E_IoAllocateIrp equ 00000023h ; 8 2 i2E_IoAllocateMdl equ 00000024h ; 14 5 i2E_IoAttachDevice equ 00000025h ; 0C 3 i2E_IoAttachDeviceByPointer equ 00000026h ; 8 2 i2E_IoAttachDeviceToDeviceStack equ 00000027h ; 8 2 i2E_IoBuildAsynchronousFsdRequest equ 00000028h ; 18 6 i2E_IoBuildDeviceIoControlRequest equ 00000029h ; 24 9 i2E_IoBuildSynchronousFsdRequest equ 0000002Ah ; 1C 7 i2E_IoCancelIrp equ 0000002Bh ; 4 1 i2E_IoCheckShareAccess equ 0000002Ch ; 14 5 i2E_IoCompleteRequest equ 0000002Dh ; 8 2 i2E_IoConnectInterrupt equ 0000002Eh ; 2C 11 i2E_IoCreateDevice equ 0000002Fh ; 1C 7 i2E_IoCreateDriver equ 0000018Ch ; 8 2 i2E_IoCreateFile equ 0000012Dh ; 38 14 i2E_IoCreateSymbolicLink equ 00000030h ; 8 2 i2E_IoCreateUnprotectedSymbolicLink equ 00000031h ; 8 2 i2E_IoDeleteDevice equ 00000032h ; 4 1 i2E_IoDeleteSymbolicLink equ 00000033h ; 4 1 i2E_IoDetachDevice equ 00000034h ; 4 1 i2E_IoDisconnectInterrupt equ 00000035h ; 4 1 i2E_IoDriverObjectType equ 0000013Bh ; - - i2E_IofCallDriver equ 00000122h ; 8 2 i2E_IofCompleteRequest equ 00000123h ; 8 2 i2E_IoFreeIrp equ 00000036h ; 4 1 i2E_IoFreeMdl equ 00000037h ; 4 1 i2E_IoGetAttachedDeviceReference equ 0000013Ch ; 4 1 i2E_IoGetConfigurationInformation equ 00000038h ; - - i2E_IoGetCurrentIrpStackLocation equ 00000039h ; 4 1 i2E_IoGetCurrentProcess equ 0000003Ah ; - - i2E_IoGetDeviceInterfaceAlias equ 00000194h ; 0C 3 i2E_IoGetDeviceObjectPointer equ 0000003Bh ; 10 4 i2E_IoGetDriverObjectExtension equ 0000013Dh ; 8 2 i2E_IoGetRelatedDeviceObject equ 0000003Ch ; 4 1 i2E_IoInitializeIrp equ 0000003Dh ; 0C 3 i2E_IoInitializeTimer equ 0000003Eh ; 0C 3 i2E_IoRegisterShutdownNotification equ 00000040h ; 4 1 i2E_IoReleaseCancelSpinLock equ 00000041h ; 4 1 i2E_IoReportResourceUsage equ 00000042h ; 24 9 i2E_IoSetShareAccess equ 00000043h ; 10 4 i2E_IoStartNextPacket equ 00000044h ; 8 2 i2E_IoStartNextPacketByKey equ 00000045h ; 0C 3 i2E_IoStartPacket equ 00000046h ; 10 4 i2E_IoStartTimer equ 00000047h ; 4 1 i2E_IoStopTimer equ 00000048h ; 4 1 i2E_IoUnregisterDeviceInterface equ 00000195h ; 4 1 i2E_IoUnregisterShutdownNotification equ 00000049h ; 4 1 i2E_IoWMIRegistrationControl equ 00000190h ; 8 2 i2E_IoWMIAllocateInstanceIds equ 00000191h ; 0C 3 i2E_IoWMISuggestInstanceName equ 00000192h ; 10 4 i2E_IoWMIWriteEvent equ 00000193h ; 4 1 i2E_IoWriteErrorLogEntry equ 0000004Ah ; 4 1 i2E_KeBugCheckEx equ 0000004Bh ; 14 5 i2E_KeCancelTimer equ 0000004Ch ; 4 1 i2E_KeClearEvent equ 0000004Dh ; 4 1 i2E_KeDelayExecutionThread equ 0000004Eh ; 0C 3 i2E_KefAcquireSpinLockAtDpcLevel equ 00000124h ; 4 1 i2E_KeFlushWriteBuffer equ 00000125h ; - - i2E_KefReleaseSpinLockFromDpcLevel equ 00000126h ; 4 1 i2E_KeGetCurrentThread equ 0000004Fh ; - - i2E_KeInitializeApc equ 00000050h ; 20 8 i2E_KeInitializeDeviceQueue equ 00000051h ; 4 1 i2E_KeInitializeDpc equ 00000052h ; 0C 3 i2E_KeInitializeEvent equ 00000053h ; 0C 3 i2E_KeInitializeMutex equ 00000054h ; 8 2 i2E_KeInitializeSemaphore equ 00000055h ; 0C 3 i2E_KeInitializeSpinLock equ 00000056h ; 4 1 i2E_KeInitializeTimer equ 00000057h ; 4 1 i2E_KeInitializeTimerEx equ 00000058h ; 8 2 i2E_KeInsertByKeyDeviceQueue equ 00000059h ; 0C 3 i2E_KeInsertDeviceQueue equ 0000005Ah ; 8 2 i2E_KeInsertQueueApc equ 0000005Bh ; 10 4 i2E_KeInsertQueueDpc equ 0000005Ch ; 0C 3 i2E_KeQuerySystemTime equ 0000005Dh ; 4 1 i2E_KeQueryInterruptTime equ 00000198h ; - - i2E_KeQueryTimeIncrement equ 0000005Fh ; - - i2E_KeReadStateSemaphore equ 00000060h ; 4 1 i2E_KeReadStateTimer equ 00000061h ; 4 1 i2E_KeReleaseMutex equ 00000062h ; 8 2 i2E_KeReleaseSemaphore equ 00000063h ; 10 4 i2E_KeRemoveByKeyDeviceQueue equ 00000064h ; 8 2 i2E_KeRemoveDeviceQueue equ 00000065h ; 4 1 i2E_KeRemoveEntryDeviceQueue equ 00000066h ; 8 2 i2E_KeRemoveQueueApc equ 00000067h ; 4 1 i2E_KeRemoveQueueDpc equ 00000068h ; 4 1 i2E_KeResetEvent equ 00000069h ; 4 1 i2E_KeSetEvent equ 0000006Ah ; 0C 3 i2E_KeSetImportanceDpc equ 0000006Bh ; 8 2 i2E_KeSetPriorityThread equ 0000006Ch ; 8 2 i2E_KeSetTimer equ 0000006Dh ; 10 4 i2E_KeSetTimerEx equ 0000006Eh ; 14 5 i2E_KeSynchronizeExecution equ 0000006Fh ; 0C 3 i2E_KeTickCount equ 0000005Eh ; - - i2E_KeWaitForSingleObject equ 00000070h ; 14 5 i2E_KeWaitForMultipleObjects equ 00000071h ; 20 8 i2E_MmAllocateContiguousMemory equ 00000072h ; 0C 3 i2E_MmCreateMdl equ 00000073h ; 0C 3 i2E_MmBuildMdlForNonPagedPool equ 00000074h ; 4 1 i2E_MmFreeContiguousMemory equ 00000075h ; 4 1 i2E_MmGetPhysicalAddress equ 00000076h ; 4 1 i2E_MmLockPagableDataSection equ 00000077h ; 4 1 i2E_MmUnlockPagableImageSection equ 00000078h ; 4 1 i2E_MmMapIoSpace equ 00000079h ; 10 4 i2E_MmMapLockedPages equ 0000007Ah ; 8 2 i2E_MmPageEntireDriver equ 0000007Bh ; 4 1 i2E_MmProbeAndLockPages equ 0000007Ch ; 0C 3 i2E_MmProbeAndLockProcessPages equ 0000018Fh ; 10 4 i2E_MmResetDriverPaging equ 0000007Dh ; 4 1 i2E_MmQuerySystemSize equ 0000007Eh ; - - i2E_MmSizeOfMdl equ 0000007Fh ; 8 2 i2E_MmUnlockPages equ 00000080h ; 4 1 i2E_MmUnmapIoSpace equ 00000081h ; 8 2 i2E_MmUnmapLockedPages equ 00000082h ; 8 2 i2E_NtClose equ 00000083h ; 4 1 i2E_NtCreateFile equ 00000084h ; 2C 11 i2E_NtInitiatePowerAction equ 00000107h ; 10 4 i2E_NtLoadDriver equ 00000085h ; 4 1 i2E_NtPowerInformation equ 00000108h ; 14 5 i2E_NtRequestWakeupLatency equ 00000109h ; 4 1 i2E_NtSetThreadExecutionState equ 0000010Dh ; 8 2 i2E_NtSetSystemPowerState equ 0000010Bh ; 0C 3 i2E_NtGetDevnodeFromFileHandle equ 00000196h ; 8 2 i2E_ObDereferenceObject equ 00000086h ; 4 1 i2E_ObfDereferenceObject equ 00000127h ; 4 1 i2E_ObfReferenceObject equ 00000128h ; 4 1 i2E_ObReferenceObjectByHandle equ 00000087h ; 18 6 i2E_ObReferenceObjectByPointer equ 00000088h ; 10 4 i2E_ObReferenceObjectByName equ 00000089h ; 20 8 i2E_PoCallDriver equ 0000008Ah ; 8 2 i2E_PoSetPowerState equ 0000008Ch ; 0C 3 i2E_PoQueryPowerSequence equ 0000010Ch ; - - i2E_PoRegisterDeviceForIdleDetection equ 0000008Dh ; 10 4 i2E_PoRequestPowerIrp equ 000000FFh ; 18 6 i2E_PoStartNextPowerIrp equ 00000135h ; 4 1 i2E_ProbeForRead equ 0000008Fh ; 0C 3 i2E_ProbeForWrite equ 00000090h ; 0C 3 i2E_PsCreateSystemThread equ 00000091h ; 1C 7 i2E_PsGetCurrentProcess equ 00000092h ; - - i2E_PsGetCurrentThread equ 00000093h ; - - i2E_PsTerminateSystemThread equ 00000094h ; 4 1 i2E_READ_REGISTER_BUFFER_UCHAR equ 00000095h ; 0C 3 i2E_READ_REGISTER_BUFFER_ULONG equ 00000096h ; 0C 3 i2E_READ_REGISTER_BUFFER_USHORT equ 00000097h ; 0C 3 i2E_READ_REGISTER_UCHAR equ 00000098h ; 4 1 i2E_READ_REGISTER_ULONG equ 00000099h ; 4 1 i2E_READ_REGISTER_USHORT equ 0000009Ah ; 4 1 i2E_RtlAnsiStringToUnicodeString equ 0000009Bh ; 0C 3 i2E_RtlAppendUnicodeStringToString equ 0000009Ch ; 8 2 i2E_RtlAppendUnicodeToString equ 0000009Dh ; 8 2 i2E_RtlAssert equ 0000009Eh ; 10 4 i2E_RtlCompareMemory equ 0000009Fh ; 0C 3 i2E_RtlConvertLongToLargeInteger equ 0000008Bh ; 4 1 i2E_RtlConvertUlongToLargeInteger equ 0000008Eh ; 4 1 i2E_RtlCopyMemory equ 0000010Ah ; 0C 3 i2E_RtlCopyUnicodeString equ 00000134h ; 8 2 i2E_RtlDeleteRegistryValue equ 00000130h ; 0C 3 i2E_RtlEqualUnicodeString equ 00000131h ; 0C 3 i2E_RtlExtendedIntegerMultiply equ 00000132h ; 0C 3 i2E_RtlExtendedLargeIntegerDivide equ 00000133h ; 10 4 i2E_RtlExtendedMagicDivide equ 00000000h ; 14 5 i2E_RtlFreeAnsiString equ 000000A0h ; 4 1 i2E_RtlFreeUnicodeString equ 000000A1h ; 4 1 i2E_RtlGUIDFromString equ 0000012Eh ; 8 2 i2E_RtlInitAnsiString equ 000000A2h ; 8 2 i2E_RtlInitializeBitMap equ 000000A3h ; 0C 3 i2E_RtlInitString equ 000000A4h ; 8 2 i2E_RtlInitUnicodeString equ 000000A5h ; 8 2 i2E_RtlIntegerToUnicodeString equ 000000A6h ; 0C 3 i2E_RtlMoveMemory equ 000000A7h ; 0C 3 i2E_RtlQueryRegistryValues equ 000000A8h ; 14 5 i2E_RtlSetAllBits equ 000000A9h ; 4 1 i2E_RtlSetBits equ 000000AAh ; 0C 3 i2E_RtlStringFromGUID equ 0000012Fh ; 8 2 i2E_RtlTimeFieldsToTime equ 000000ABh ; 8 2 i2E_RtlTimeToTimeFields equ 000000ACh ; 8 2 i2E_RtlUnicodeStringToAnsiSize equ 000000ADh ; 4 1 i2E_RtlUnicodeStringToAnsiString equ 000000AEh ; 0C 3 i2E_RtlUnicodeStringToInteger equ 000000AFh ; 0C 3 i2E_RtlUnwind equ 000000B0h ; 10 4 i2E_RtlRaiseStatus equ 000000B1h ; 4 1 i2E_RtlRaiseException equ 000000B2h ; 4 1 i2E_RtlUnicodeToMultiByteN equ 00000136h ; 14 5 i2E_RtlWriteRegistryValue equ 000000B3h ; 18 6 i2E_RtlxAnsiStringToUnicodeSize equ 000000B4h ; 4 1 i2E_RtlxUnicodeStringToAnsiSize equ 000000B5h ; 4 1 i2E_RtlZeroMemory equ 000000B6h ; 8 2 i2E_RtlCompareUnicodeString equ 000000B7h ; 0C 3 i2E_SeAssignSecurity equ 000000B8h ; 1C 7 i2E_SeDeassignSecurity equ 000000B9h ; 4 1 i2E_WRITE_REGISTER_BUFFER_UCHAR equ 000000BAh ; 0C 3 i2E_WRITE_REGISTER_BUFFER_ULONG equ 000000BBh ; 0C 3 i2E_WRITE_REGISTER_BUFFER_USHORT equ 000000BCh ; 0C 3 i2E_WRITE_REGISTER_UCHAR equ 000000BDh ; 8 2 i2E_WRITE_REGISTER_ULONG equ 000000BEh ; 8 2 i2E_WRITE_REGISTER_USHORT equ 000000BFh ; 8 2 i2E_ZwAllocateVirtualMemory equ 000000C0h ; 18 6 i2E_ZwClearEvent equ 000000C1h ; 4 1 i2E_ZwClose equ 000000C2h ; 4 1 i2E_ZwCreateDirectoryObject equ 000000C3h ; 0C 3 i2E_ZwCreateEvent equ 000000C4h ; 14 5 i2E_ZwCreateFile equ 000000C5h ; 2C 11 i2E_ZwCreateKey equ 000000C6h ; 1C 7 i2E_ZwDeleteKey equ 000000C7h ; 4 1 i2E_ZwDeviceIoControlFile equ 000000C8h ; 28 10 i2E_ZwEnumerateKey equ 000000C9h ; 18 6 i2E_ZwEnumerateValueKey equ 000000CAh ; 18 6 i2E_ZwFreeVirtualMemory equ 000000CBh ; 4 1 i2E_ZwLoadDriver equ 000000CCh ; 4 1 i2E_ZwMakeTemporaryObject equ 000000CDh ; 4 1 i2E_ZwMapViewOfSection equ 000000CEh ; 28 10 i2E_ZwOpenEvent equ 000000CFh ; 0C 3 i2E_ZwOpenKey equ 000000D0h ; 0C 3 i2E_ZwOpenSection equ 000000D1h ; 0C 3 i2E_ZwPowerInformation equ 0000018Eh ; 14 5 i2E_ZwPulseEvent equ 000000D2h ; 8 2 i2E_ZwQueryEvent equ 000000D3h ; 14 5 i2E_ZwQueryKey equ 000000D4h ; 14 5 i2E_ZwQueryValueKey equ 000000D5h ; 18 6 i2E_ZwResetEvent equ 000000D6h ; 8 2 i2E_ZwSetEvent equ 000000D7h ; 8 2 i2E_ZwSetValueKey equ 000000D8h ; 18 6 i2E_ZwUnmapViewOfSection equ 000000D9h ; 8 2 i2E_ZwWaitForSingleObject equ 000000DAh ; 14 5 i2E_ZwReadFile equ 000000DBh ; 24 9 i2E_ZwWriteFile equ 00000137h ; 24 9 i2E__abnormal_termination equ 0000013Fh ; - - i2E__alldiv equ 00000140h ; - - i2E__allmul equ 00000141h ; - - i2E__allrem equ 00000142h ; - - i2E__allshl equ 00000143h ; - - i2E__allshr equ 00000144h ; - - i2E__aulldiv equ 00000145h ; - - i2E__aullrem equ 00000146h ; - - i2E__aullshr equ 00000147h ; - - i2E__except_handler2 equ 00000148h ; - - i2E__global_unwind2 equ 00000149h ; - - i2E__itoa equ 0000014Ah ; - - i2E__local_unwind2 equ 0000014Bh ; - - i2E__snprintf equ 0000014Dh ; - - i2E__snwprintf equ 0000014Eh ; - - i2E__stricmp equ 0000014Fh ; - - i2E__strlwr equ 00000150h ; - - i2E__strnicmp equ 00000151h ; - - i2E__strnset equ 00000152h ; - - i2E__strrev equ 00000153h ; - - i2E__strset equ 00000154h ; - - i2E__strupr equ 00000155h ; - - i2E__vsnprintf equ 00000156h ; - - i2E__wcsicmp equ 00000157h ; - - i2E__wcslwr equ 00000158h ; - - i2E__wcsnicmp equ 00000159h ; - - i2E__wcsnset equ 0000015Ah ; - - i2E__wcsrev equ 0000015Bh ; - - i2E__wcsupr equ 0000015Ch ; - - i2E_atoi equ 0000015Dh ; - - i2E_atol equ 0000015Eh ; - - i2E_isdigit equ 0000015Fh ; - - i2E_islower equ 00000160h ; - - i2E_isprint equ 00000161h ; - - i2E_isspace equ 00000162h ; - - i2E_isupper equ 00000163h ; - - i2E_isxdigit equ 00000164h ; - - i2E_mbstowcs equ 00000165h ; - - i2E_mbtowc equ 00000166h ; - - i2E_memchr equ 00000167h ; - - i2E_memcpy equ 00000168h ; - - i2E_memmove equ 00000169h ; - - i2E_memset equ 0000016Ah ; - - i2E_qsort equ 0000016Bh ; - - i2E_rand equ 0000016Ch ; - - i2E_sprintf equ 0000016Dh ; - - i2E_srand equ 0000016Eh ; - - i2E_strcat equ 0000016Fh ; - - i2E_strchr equ 00000170h ; - - i2E_strcmp equ 00000171h ; - - i2E_strcpy equ 00000172h ; - - i2E_strlen equ 00000173h ; - - i2E_strncat equ 00000174h ; - - i2E_strncmp equ 00000175h ; - - i2E_strncpy equ 00000176h ; - - i2E_strrchr equ 00000177h ; - - i2E_strspn equ 00000178h ; - - i2E_strstr equ 00000179h ; - - i2E_swprintf equ 0000017Ah ; - - i2E_tolower equ 0000017Bh ; - - i2E_toupper equ 0000017Ch ; - - i2E_towlower equ 0000017Dh ; - - i2E_towupper equ 0000017Eh ; - - i2E_vsprintf equ 0000017Fh ; - - i2E_wcscat equ 00000180h ; - - i2E_wcschr equ 00000181h ; - - i2E_wcscmp equ 00000182h ; - - i2E_wcscpy equ 00000183h ; - - i2E_wcscspn equ 00000184h ; - - i2E_wcslen equ 00000185h ; - - i2E_wcsncat equ 00000186h ; - - i2E_wcsncmp equ 00000187h ; - - i2E_wcsncpy equ 00000188h ; - - i2E_wcsrchr equ 00000189h ; - - i2E_wcsspn equ 0000018Ah ; - - i2E_wcsstr equ 0000018Bh ; - - i2E_wcstombs equ 0000013Eh ; - - i2E_wctomb equ 0000014Ch ; - - i2E_ExAcquireFastMutex equ 00000129h ; 4 1 i2E_ExReleaseFastMutex equ 0000012Ah ; 4 1 i2E_HalAllocateAdapterChannel equ 000000DCh ; 10 4 i2E_HalAllocateCommonBuffer equ 000000DDh ; 10 4 i2E_HalAssignSlotResources equ 000000DEh ; 20 8 i2E_HalFlushCommonBuffer equ 000000DFh ; 14 5 i2E_HalFreeCommonBuffer equ 000000E0h ; 18 6 i2E_HalGetAdapter equ 000000E1h ; 8 2 i2E_HalGetBusData equ 000000E2h ; 14 5 i2E_HalGetInterruptVector equ 000000E3h ; 18 6 i2E_HalReadDmaCounter equ 000000E4h ; 4 1 i2E_HalSetBusDataByOffset equ 000000E5h ; 18 6 i2E_HalTranslateBusAddress equ 000000E6h ; 18 6 i2E_IoFlushAdapterBuffers equ 000000E7h ; 18 6 i2E_IoFreeAdapterChannel equ 000000E8h ; 4 1 i2E_IoFreeMapRegisters equ 000000E9h ; 0C 3 i2E_IoMapTransfer equ 000000EAh ; 18 6 i2E_KeGetCurrentIrql equ 000000EBh ; - - i2E_KeQueryPerformanceCounter equ 000000ECh ; 4 1 i2E_KeStallExecutionProcessor equ 000000EDh ; 4 1 i2E_KfAcquireSpinLock equ 0000012Bh ; 4 1 i2E_KfLowerIrql equ 0000010Eh ; 4 1 i2E_KfRaiseIrql equ 0000010Fh ; 4 1 i2E_KfRaiseIrqlToDpcLevel equ 00000138h ; - - i2E_KfReleaseSpinLock equ 00000106h ; 8 2 i2E_READ_PORT_BUFFER_UCHAR equ 000000EEh ; 0C 3 i2E_READ_PORT_BUFFER_ULONG equ 000000EFh ; 0C 3 i2E_READ_PORT_BUFFER_USHORT equ 000000F0h ; 0C 3 i2E_READ_PORT_UCHAR equ 000000F1h ; 4 1 i2E_READ_PORT_ULONG equ 000000F2h ; 4 1 i2E_READ_PORT_USHORT equ 000000F3h ; 4 1 i2E_WRITE_PORT_BUFFER_UCHAR equ 000000F4h ; 0C 3 i2E_WRITE_PORT_BUFFER_ULONG equ 000000F5h ; 0C 3 i2E_WRITE_PORT_BUFFER_USHORT equ 000000F6h ; 0C 3 i2E_WRITE_PORT_UCHAR equ 000000F7h ; 8 2 i2E_WRITE_PORT_ULONG equ 000000F8h ; 8 2 i2E_WRITE_PORT_USHORT equ 000000F9h ; 8 2 i2E_IoInvalidateDeviceState equ 0000018Dh ; 4 1 i2E_IoInvalidateDeviceRelations equ 000000FAh ; 8 2 i2E_IoReportTargetDeviceChange equ 00000197h ; 8 2 i2E_IoCreateDriverObject equ 000000FBh ; 8 2 i2E_IoGetDeviceInterfaces equ 000000FCh ; 10 4 i2E_IoGetDeviceProperty equ 000000FDh ; 14 5 i2E_IoOpenDeviceInterfaceRegistryKey equ 0000012Ch ; 0C 3 i2E_IoOpenDeviceRegistryKey equ 000000FEh ; 10 4 i2E_IoRegisterDeviceInterface equ 00000100h ; 10 4 i2E_IoRegisterDeviceInterfaceByDevnode equ 0000003Fh ; 10 4 i2E_IoRegisterPlugPlayNotification equ 00000101h ; 1C 7 i2E_IoReportDeviceStatus equ 00000102h ; 8 2 i2E_IoSetDeviceInterfaceState equ 00000103h ; 8 2 i2E_IoSetDeviceProperty equ 00000104h ; 10 4 i2E_IoUnregisterPlugPlayNotification equ 00000105h ; 4 1 ; --- 0x199 services --- ---[end NTOSKRNL.INC]--------------------------------------------------------