From 0f4ef3b0516e05ea5aeef602564ae823e43c5dfa Mon Sep 17 00:00:00 2001
From: tdeerenberg
Date: Tue, 8 Apr 2025 17:25:09 +0200
Subject: [PATCH] Changed example output
---
 .../example-output/Syscalls-asm.x64.asm | 563 -
 SysWhispers3/example-output/Syscalls.h | 487 -
 .../{Syscalls.c => syscalls_all.c} | 4 +-
 SysWhispers3/example-output/syscalls_all.h | 4056 +++++++
 .../example-output/syscalls_all_-asm.x64.asm | 9647 +++++++++++++++++
 5 files changed, 13705 insertions(+), 1052 deletions(-)
 delete mode 100644 SysWhispers3/example-output/Syscalls-asm.x64.asm
 delete mode 100644 SysWhispers3/example-output/Syscalls.h
 rename SysWhispers3/example-output/{Syscalls.c => syscalls_all.c} (99%)
 create mode 100644 SysWhispers3/example-output/syscalls_all.h
 create mode 100644 SysWhispers3/example-output/syscalls_all_-asm.x64.asm
diff --git a/SysWhispers3/example-output/Syscalls-asm.x64.asm b/SysWhispers3/example-output/Syscalls-asm.x64.asm
deleted file mode 100644
index fe50ca9..0000000
--- a/SysWhispers3/example-output/Syscalls-asm.x64.asm
+++ /dev/null
@@ -1,563 +0,0 @@ -.code - -EXTERN SW3_GetSyscallNumber: PROC - -NtCreateProcess PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 029943818h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtCreateProcess ENDP - -NtCreateThreadEx PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 052B6124Eh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtCreateThreadEx ENDP - -NtOpenProcess PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 00DD60C24h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtOpenProcess ENDP - -NtOpenProcessToken PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0C3914A8Dh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtOpenProcessToken ENDP - -NtTestAlert PROC - mov [rsp +8], rcx ; Save registers. 
- mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 02EB45D3Ah ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtTestAlert ENDP - -NtOpenThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 075426DE5h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtOpenThread ENDP - -NtSuspendProcess PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0F022DFBFh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtSuspendProcess ENDP - -NtSuspendThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 00F3F9E0Dh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtSuspendThread ENDP - -NtResumeProcess PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 041D54040h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
- add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtResumeProcess ENDP - -NtResumeThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0B28FAC35h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtResumeThread ENDP - -NtGetContextThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0BB97FF4Fh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtGetContextThread ENDP - -NtSetContextThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 093B3CF03h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtSetContextThread ENDP - -NtClose PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 04B1B40BBh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. 
- ret -NtClose ENDP - -NtReadVirtualMemory PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 009824143h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtReadVirtualMemory ENDP - -NtWriteVirtualMemory PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 08E108490h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtWriteVirtualMemory ENDP - -NtAllocateVirtualMemory PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0C253FAF2h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtAllocateVirtualMemory ENDP - -NtProtectVirtualMemory PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0C0603A1Dh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtProtectVirtualMemory ENDP - -NtFreeVirtualMemory PROC - mov [rsp +8], rcx ; Save registers. 
- mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 087118D83h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtFreeVirtualMemory ENDP - -NtQuerySystemInformation PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0A4069EABh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtQuerySystemInformation ENDP - -NtQueryDirectoryFile PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 09533C586h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtQueryDirectoryFile ENDP - -NtQueryInformationFile PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0AC3E2418h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtQueryInformationFile ENDP - -NtQueryInformationProcess PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 002AC0B33h ; Load function hash into ECX. 
- call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtQueryInformationProcess ENDP - -NtQueryInformationThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0745A2EE3h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtQueryInformationThread ENDP - -NtCreateSection PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0F42FD4F1h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtCreateSection ENDP - -NtOpenSection PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 064CE6A2Fh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtOpenSection ENDP - -NtMapViewOfSection PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0508A5019h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. 
- mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtMapViewOfSection ENDP - -NtUnmapViewOfSection PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0DF54DBCEh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtUnmapViewOfSection ENDP - -NtAdjustPrivilegesToken PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 05DC34340h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtAdjustPrivilegesToken ENDP - -NtDeviceIoControlFile PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0D1DAE373h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtDeviceIoControlFile ENDP - -NtQueueApcThread PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 0E851AAFFh ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. 
- ret -NtQueueApcThread ENDP - -NtWaitForMultipleObjects PROC - mov [rsp +8], rcx ; Save registers. - mov [rsp+16], rdx - mov [rsp+24], r8 - mov [rsp+32], r9 - sub rsp, 28h - mov ecx, 003837B11h ; Load function hash into ECX. - call SW3_GetSyscallNumber ; Resolve function hash into syscall number. - add rsp, 28h - mov rcx, [rsp+8] ; Restore registers. - mov rdx, [rsp+16] - mov r8, [rsp+24] - mov r9, [rsp+32] - mov r10, rcx - syscall ; Invoke system call. - ret -NtWaitForMultipleObjects ENDP - -end \ No newline at end of file diff --git a/SysWhispers3/example-output/Syscalls.h b/SysWhispers3/example-output/Syscalls.h deleted file mode 100644 index fb0fc27..0000000 --- a/SysWhispers3/example-output/Syscalls.h +++ /dev/null 
@@ -1,487 +0,0 @@ -#pragma once - -// Code below is adapted from @modexpblog. Read linked article for more details. -// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams - -#ifndef SW3_HEADER_H_ -#define SW3_HEADER_H_ - -#include - -#define SW3_SEED 0x769430A3 -#define SW3_ROL8(v) (v << 8 | v >> 24) -#define SW3_ROR8(v) (v >> 8 | v << 24) -#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v)) -#define SW3_MAX_ENTRIES 500 -#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva) - -// Typedefs are prefixed to avoid pollution. - -typedef struct _SW3_SYSCALL_ENTRY -{ - DWORD Hash; - DWORD Address; - PVOID SyscallAddress; -} SW3_SYSCALL_ENTRY, *PSW3_SYSCALL_ENTRY; - -typedef struct _SW3_SYSCALL_LIST -{ - DWORD Count; - SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES]; -} SW3_SYSCALL_LIST, *PSW3_SYSCALL_LIST; - -typedef struct _SW3_PEB_LDR_DATA { - BYTE Reserved1[8]; - PVOID Reserved2[3]; - LIST_ENTRY InMemoryOrderModuleList; -} SW3_PEB_LDR_DATA, *PSW3_PEB_LDR_DATA; - -typedef struct _SW3_LDR_DATA_TABLE_ENTRY { - PVOID Reserved1[2]; - LIST_ENTRY InMemoryOrderLinks; - PVOID Reserved2[2]; - PVOID DllBase; -} SW3_LDR_DATA_TABLE_ENTRY, *PSW3_LDR_DATA_TABLE_ENTRY; - -typedef struct _SW3_PEB { - BYTE Reserved1[2]; - BYTE BeingDebugged; - BYTE Reserved2[1]; - PVOID Reserved3[2]; - PSW3_PEB_LDR_DATA Ldr; -} SW3_PEB, *PSW3_PEB; - -DWORD SW3_HashSyscall(PCSTR FunctionName); -BOOL SW3_PopulateSyscallList(); -EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash); -EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash); -EXTERN_C PVOID internal_cleancall_wow64_gate(VOID); -typedef struct _SYSTEM_HANDLE -{ - ULONG ProcessId; - BYTE ObjectTypeNumber; - BYTE Flags; - USHORT Handle; - PVOID Object; - ACCESS_MASK GrantedAccess; -} SYSTEM_HANDLE, *PSYSTEM_HANDLE; - -typedef struct _IO_STATUS_BLOCK -{ - union - { - NTSTATUS Status; - VOID* Pointer; - }; - ULONG_PTR Information; -} IO_STATUS_BLOCK, 
*PIO_STATUS_BLOCK; - -typedef struct _SYSTEM_HANDLE_INFORMATION -{ - ULONG HandleCount; - SYSTEM_HANDLE Handles[1]; -} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; - -typedef VOID(KNORMAL_ROUTINE) ( - IN PVOID NormalContext, - IN PVOID SystemArgument1, - IN PVOID SystemArgument2); - -typedef struct _PS_ATTRIBUTE -{ - ULONG Attribute; - SIZE_T Size; - union - { - ULONG Value; - PVOID ValuePtr; - } u1; - PSIZE_T ReturnLength; -} PS_ATTRIBUTE, *PPS_ATTRIBUTE; - -typedef struct _UNICODE_STRING -{ - USHORT Length; - USHORT MaximumLength; - PWSTR Buffer; -} UNICODE_STRING, *PUNICODE_STRING; - -#ifndef InitializeObjectAttributes -#define InitializeObjectAttributes( p, n, a, r, s ) { \ - (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ - (p)->RootDirectory = r; \ - (p)->Attributes = a; \ - (p)->ObjectName = n; \ - (p)->SecurityDescriptor = s; \ - (p)->SecurityQualityOfService = NULL; \ -} -#endif - -typedef struct _OBJECT_ATTRIBUTES -{ - ULONG Length; - HANDLE RootDirectory; - PUNICODE_STRING ObjectName; - ULONG Attributes; - PVOID SecurityDescriptor; - PVOID SecurityQualityOfService; -} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; - -typedef struct _CLIENT_ID -{ - HANDLE UniqueProcess; - HANDLE UniqueThread; -} CLIENT_ID, *PCLIENT_ID; - -typedef enum _SYSTEM_INFORMATION_CLASS -{ - SystemBasicInformation = 0, - SystemPerformanceInformation = 2, - SystemTimeOfDayInformation = 3, - SystemProcessInformation = 5, - SystemProcessorPerformanceInformation = 8, - SystemHandleInformation = 16, - SystemInterruptInformation = 23, - SystemExceptionInformation = 33, - SystemRegistryQuotaInformation = 37, - SystemLookasideInformation = 45, - SystemCodeIntegrityInformation = 103, - SystemPolicyInformation = 134, -} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; - -typedef enum _PROCESSINFOCLASS -{ - ProcessBasicInformation = 0, - ProcessDebugPort = 7, - ProcessWow64Information = 26, - ProcessImageFileName = 27, - ProcessBreakOnTermination = 29 -} PROCESSINFOCLASS, 
*PPROCESSINFOCLASS; - -typedef enum _WAIT_TYPE -{ - WaitAll = 0, - WaitAny = 1 -} WAIT_TYPE, *PWAIT_TYPE; - -typedef VOID(NTAPI* PIO_APC_ROUTINE) ( - IN PVOID ApcContext, - IN PIO_STATUS_BLOCK IoStatusBlock, - IN ULONG Reserved); - -typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; - -typedef enum _THREADINFOCLASS -{ - ThreadBasicInformation, - ThreadTimes, - ThreadPriority, - ThreadBasePriority, - ThreadAffinityMask, - ThreadImpersonationToken, - ThreadDescriptorTableEntry, - ThreadEnableAlignmentFaultFixup, - ThreadEventPair_Reusable, - ThreadQuerySetWin32StartAddress, - ThreadZeroTlsCell, - ThreadPerformanceCount, - ThreadAmILastThread, - ThreadIdealProcessor, - ThreadPriorityBoost, - ThreadSetTlsArrayAddress, - ThreadIsIoPending, - ThreadHideFromDebugger, - ThreadBreakOnTermination, - MaxThreadInfoClass -} THREADINFOCLASS, *PTHREADINFOCLASS; - -typedef enum _SECTION_INHERIT -{ - ViewShare = 1, - ViewUnmap = 2 -} SECTION_INHERIT, *PSECTION_INHERIT; - -typedef enum _FILE_INFORMATION_CLASS -{ - FileDirectoryInformation = 1, - FileFullDirectoryInformation = 2, - FileBothDirectoryInformation = 3, - FileBasicInformation = 4, - FileStandardInformation = 5, - FileInternalInformation = 6, - FileEaInformation = 7, - FileAccessInformation = 8, - FileNameInformation = 9, - FileRenameInformation = 10, - FileLinkInformation = 11, - FileNamesInformation = 12, - FileDispositionInformation = 13, - FilePositionInformation = 14, - FileFullEaInformation = 15, - FileModeInformation = 16, - FileAlignmentInformation = 17, - FileAllInformation = 18, - FileAllocationInformation = 19, - FileEndOfFileInformation = 20, - FileAlternateNameInformation = 21, - FileStreamInformation = 22, - FilePipeInformation = 23, - FilePipeLocalInformation = 24, - FilePipeRemoteInformation = 25, - FileMailslotQueryInformation = 26, - FileMailslotSetInformation = 27, - FileCompressionInformation = 28, - FileObjectIdInformation = 29, - FileCompletionInformation = 30, - FileMoveClusterInformation = 31, - 
FileQuotaInformation = 32, - FileReparsePointInformation = 33, - FileNetworkOpenInformation = 34, - FileAttributeTagInformation = 35, - FileTrackingInformation = 36, - FileIdBothDirectoryInformation = 37, - FileIdFullDirectoryInformation = 38, - FileValidDataLengthInformation = 39, - FileShortNameInformation = 40, - FileIoCompletionNotificationInformation = 41, - FileIoStatusBlockRangeInformation = 42, - FileIoPriorityHintInformation = 43, - FileSfioReserveInformation = 44, - FileSfioVolumeInformation = 45, - FileHardLinkInformation = 46, - FileProcessIdsUsingFileInformation = 47, - FileNormalizedNameInformation = 48, - FileNetworkPhysicalNameInformation = 49, - FileIdGlobalTxDirectoryInformation = 50, - FileIsRemoteDeviceInformation = 51, - FileUnusedInformation = 52, - FileNumaNodeInformation = 53, - FileStandardLinkInformation = 54, - FileRemoteProtocolInformation = 55, - FileRenameInformationBypassAccessCheck = 56, - FileLinkInformationBypassAccessCheck = 57, - FileVolumeNameInformation = 58, - FileIdInformation = 59, - FileIdExtdDirectoryInformation = 60, - FileReplaceCompletionInformation = 61, - FileHardLinkFullIdInformation = 62, - FileIdExtdBothDirectoryInformation = 63, - FileDispositionInformationEx = 64, - FileRenameInformationEx = 65, - FileRenameInformationExBypassAccessCheck = 66, - FileMaximumInformation = 67, -} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; - -typedef struct _PS_ATTRIBUTE_LIST -{ - SIZE_T TotalLength; - PS_ATTRIBUTE Attributes[1]; -} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; - -EXTERN_C NTSTATUS NtCreateProcess( - OUT PHANDLE ProcessHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, - IN HANDLE ParentProcess, - IN BOOLEAN InheritObjectTable, - IN HANDLE SectionHandle OPTIONAL, - IN HANDLE DebugPort OPTIONAL, - IN HANDLE ExceptionPort OPTIONAL); - -EXTERN_C NTSTATUS NtCreateThreadEx( - OUT PHANDLE ThreadHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes 
OPTIONAL, - IN HANDLE ProcessHandle, - IN PVOID StartRoutine, - IN PVOID Argument OPTIONAL, - IN ULONG CreateFlags, - IN SIZE_T ZeroBits, - IN SIZE_T StackSize, - IN SIZE_T MaximumStackSize, - IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); - -EXTERN_C NTSTATUS NtOpenProcess( - OUT PHANDLE ProcessHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes, - IN PCLIENT_ID ClientId OPTIONAL); - -EXTERN_C NTSTATUS NtOpenProcessToken( - IN HANDLE ProcessHandle, - IN ACCESS_MASK DesiredAccess, - OUT PHANDLE TokenHandle); - -EXTERN_C NTSTATUS NtTestAlert(); - -EXTERN_C NTSTATUS NtOpenThread( - OUT PHANDLE ThreadHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes, - IN PCLIENT_ID ClientId OPTIONAL); - -EXTERN_C NTSTATUS NtSuspendProcess( - IN HANDLE ProcessHandle); - -EXTERN_C NTSTATUS NtSuspendThread( - IN HANDLE ThreadHandle, - OUT PULONG PreviousSuspendCount); - -EXTERN_C NTSTATUS NtResumeProcess( - IN HANDLE ProcessHandle); - -EXTERN_C NTSTATUS NtResumeThread( - IN HANDLE ThreadHandle, - IN OUT PULONG PreviousSuspendCount OPTIONAL); - -EXTERN_C NTSTATUS NtGetContextThread( - IN HANDLE ThreadHandle, - IN OUT PCONTEXT ThreadContext); - -EXTERN_C NTSTATUS NtSetContextThread( - IN HANDLE ThreadHandle, - IN PCONTEXT Context); - -EXTERN_C NTSTATUS NtClose( - IN HANDLE Handle); - -EXTERN_C NTSTATUS NtReadVirtualMemory( - IN HANDLE ProcessHandle, - IN PVOID BaseAddress OPTIONAL, - OUT PVOID Buffer, - IN SIZE_T BufferSize, - OUT PSIZE_T NumberOfBytesRead OPTIONAL); - -EXTERN_C NTSTATUS NtWriteVirtualMemory( - IN HANDLE ProcessHandle, - IN PVOID BaseAddress, - IN PVOID Buffer, - IN SIZE_T NumberOfBytesToWrite, - OUT PSIZE_T NumberOfBytesWritten OPTIONAL); - -EXTERN_C NTSTATUS NtAllocateVirtualMemory( - IN HANDLE ProcessHandle, - IN OUT PVOID * BaseAddress, - IN ULONG ZeroBits, - IN OUT PSIZE_T RegionSize, - IN ULONG AllocationType, - IN ULONG Protect); - -EXTERN_C NTSTATUS NtProtectVirtualMemory( - IN HANDLE ProcessHandle, - IN 
OUT PVOID * BaseAddress, - IN OUT PSIZE_T RegionSize, - IN ULONG NewProtect, - OUT PULONG OldProtect); - -EXTERN_C NTSTATUS NtFreeVirtualMemory( - IN HANDLE ProcessHandle, - IN OUT PVOID * BaseAddress, - IN OUT PSIZE_T RegionSize, - IN ULONG FreeType); - -EXTERN_C NTSTATUS NtQuerySystemInformation( - IN SYSTEM_INFORMATION_CLASS SystemInformationClass, - IN OUT PVOID SystemInformation, - IN ULONG SystemInformationLength, - OUT PULONG ReturnLength OPTIONAL); - -EXTERN_C NTSTATUS NtQueryDirectoryFile( - IN HANDLE FileHandle, - IN HANDLE Event OPTIONAL, - IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, - IN PVOID ApcContext OPTIONAL, - OUT PIO_STATUS_BLOCK IoStatusBlock, - OUT PVOID FileInformation, - IN ULONG Length, - IN FILE_INFORMATION_CLASS FileInformationClass, - IN BOOLEAN ReturnSingleEntry, - IN PUNICODE_STRING FileName OPTIONAL, - IN BOOLEAN RestartScan); - -EXTERN_C NTSTATUS NtQueryInformationFile( - IN HANDLE FileHandle, - OUT PIO_STATUS_BLOCK IoStatusBlock, - OUT PVOID FileInformation, - IN ULONG Length, - IN FILE_INFORMATION_CLASS FileInformationClass); - -EXTERN_C NTSTATUS NtQueryInformationProcess( - IN HANDLE ProcessHandle, - IN PROCESSINFOCLASS ProcessInformationClass, - OUT PVOID ProcessInformation, - IN ULONG ProcessInformationLength, - OUT PULONG ReturnLength OPTIONAL); - -EXTERN_C NTSTATUS NtQueryInformationThread( - IN HANDLE ThreadHandle, - IN THREADINFOCLASS ThreadInformationClass, - OUT PVOID ThreadInformation, - IN ULONG ThreadInformationLength, - OUT PULONG ReturnLength OPTIONAL); - -EXTERN_C NTSTATUS NtCreateSection( - OUT PHANDLE SectionHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, - IN PLARGE_INTEGER MaximumSize OPTIONAL, - IN ULONG SectionPageProtection, - IN ULONG AllocationAttributes, - IN HANDLE FileHandle OPTIONAL); - -EXTERN_C NTSTATUS NtOpenSection( - OUT PHANDLE SectionHandle, - IN ACCESS_MASK DesiredAccess, - IN POBJECT_ATTRIBUTES ObjectAttributes); - -EXTERN_C NTSTATUS NtMapViewOfSection( - IN 
HANDLE SectionHandle, - IN HANDLE ProcessHandle, - IN OUT PVOID BaseAddress, - IN ULONG ZeroBits, - IN SIZE_T CommitSize, - IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, - IN OUT PSIZE_T ViewSize, - IN SECTION_INHERIT InheritDisposition, - IN ULONG AllocationType, - IN ULONG Win32Protect); - -EXTERN_C NTSTATUS NtUnmapViewOfSection( - IN HANDLE ProcessHandle, - IN PVOID BaseAddress); - -EXTERN_C NTSTATUS NtAdjustPrivilegesToken( - IN HANDLE TokenHandle, - IN BOOLEAN DisableAllPrivileges, - IN PTOKEN_PRIVILEGES NewState OPTIONAL, - IN ULONG BufferLength, - OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, - OUT PULONG ReturnLength OPTIONAL); - -EXTERN_C NTSTATUS NtDeviceIoControlFile( - IN HANDLE FileHandle, - IN HANDLE Event OPTIONAL, - IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, - IN PVOID ApcContext OPTIONAL, - OUT PIO_STATUS_BLOCK IoStatusBlock, - IN ULONG IoControlCode, - IN PVOID InputBuffer OPTIONAL, - IN ULONG InputBufferLength, - OUT PVOID OutputBuffer OPTIONAL, - IN ULONG OutputBufferLength); - -EXTERN_C NTSTATUS NtQueueApcThread( - IN HANDLE ThreadHandle, - IN PKNORMAL_ROUTINE ApcRoutine, - IN PVOID ApcArgument1 OPTIONAL, - IN PVOID ApcArgument2 OPTIONAL, - IN PVOID ApcArgument3 OPTIONAL); - -EXTERN_C NTSTATUS NtWaitForMultipleObjects( - IN ULONG Count, - IN PHANDLE Handles, - IN WAIT_TYPE WaitType, - IN BOOLEAN Alertable, - IN PLARGE_INTEGER Timeout OPTIONAL); - -#endif diff --git a/SysWhispers3/example-output/Syscalls.c b/SysWhispers3/example-output/syscalls_all.c similarity index 99% rename from SysWhispers3/example-output/Syscalls.c rename to SysWhispers3/example-output/syscalls_all.c index 1806273..a2fad4d 100644 --- a/SysWhispers3/example-output/Syscalls.c +++ b/SysWhispers3/example-output/syscalls_all.c @@ -1,9 +1,9 @@ -#include "Syscalls.h" +#include "syscalls_all.h" #include //#define DEBUG -// JUMPER +#define JUMPER #ifdef _M_IX86 
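Review bot: The `+#define JUMPER` line in the `syscalls_all.c` hunk turns a compile-time option on, but neither the one-line commit message nor a comment at the define records that. Presumably the rest of this file and the new `syscalls_all_-asm.x64.asm` branch on `JUMPER` (not visible in this hunk), so anyone regenerating or comparing the example needs to know it was built with that option set. A comment above the define such as `// Example generated with JUMPER defined; keep the .asm stubs generated with the same setting.` would make this explicit. The neighbouring `//#define DEBUG` shows the file's form for a disabled option, which the old bare `// JUMPER` did not follow. The `#ifdef _M_IX86` block that opens on the last line continues outside the hunk.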
diff --git a/SysWhispers3/example-output/syscalls_all.h b/SysWhispers3/example-output/syscalls_all.h
new file mode 100644
index 0000000..0dcd9fa
--- /dev/null
+++ b/SysWhispers3/example-output/syscalls_all.h
@@ -0,0 +1,4056 @@ +#pragma once + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +#ifndef SW3_HEADER_H_ +#define SW3_HEADER_H_ + +#include + +#ifndef _NTDEF_ +typedef _Return_type_success_(return >= 0) LONG NTSTATUS; +typedef NTSTATUS* PNTSTATUS; +#endif + +#define SW3_SEED 0x9B66FD02 +#define SW3_ROL8(v) (v << 8 | v >> 24) +#define SW3_ROR8(v) (v >> 8 | v << 24) +#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v)) +#define SW3_MAX_ENTRIES 600 +#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva) + +// Typedefs are prefixed to avoid pollution. + +typedef struct _SW3_SYSCALL_ENTRY +{ + DWORD Hash; + DWORD Address; + PVOID SyscallAddress; +} SW3_SYSCALL_ENTRY, *PSW3_SYSCALL_ENTRY; + +typedef struct _SW3_SYSCALL_LIST +{ + DWORD Count; + SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES]; +} SW3_SYSCALL_LIST, *PSW3_SYSCALL_LIST; + +typedef struct _SW3_PEB_LDR_DATA { + BYTE Reserved1[8]; + PVOID Reserved2[3]; + LIST_ENTRY InMemoryOrderModuleList; +} SW3_PEB_LDR_DATA, *PSW3_PEB_LDR_DATA; + +typedef struct _SW3_LDR_DATA_TABLE_ENTRY { + PVOID Reserved1[2]; + LIST_ENTRY InMemoryOrderLinks; + PVOID Reserved2[2]; + PVOID DllBase; +} SW3_LDR_DATA_TABLE_ENTRY, *PSW3_LDR_DATA_TABLE_ENTRY; + +typedef struct _SW3_PEB { + BYTE Reserved1[2]; + BYTE BeingDebugged; + BYTE Reserved2[1]; + PVOID Reserved3[2]; + PSW3_PEB_LDR_DATA Ldr; +} SW3_PEB, *PSW3_PEB; + +DWORD SW3_HashSyscall(PCSTR FunctionName); +BOOL SW3_PopulateSyscallList(); +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash); +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash); +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID); +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _SYSTEM_HANDLE +{ + ULONG ProcessId; + BYTE ObjectTypeNumber; + BYTE 
Flags; + USHORT Handle; + PVOID Object; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ + PVOID pValue; + ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ + ULONG64 Version; + UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _WNF_TYPE_ID +{ + GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef enum _KCONTINUE_TYPE +{ + KCONTINUE_UNWIND, + KCONTINUE_RESUME, + KCONTINUE_LONGJUMP, + KCONTINUE_SET, + KCONTINUE_LAST +} KCONTINUE_TYPE; + +typedef struct _IO_STATUS_BLOCK +{ + union + { + NTSTATUS Status; + VOID* Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef enum _PS_CREATE_STATE +{ + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE, *PPS_CREATE_STATE; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG HandleCount; + SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _PLUGPLAY_EVENT_CATEGORY +{ + HardwareProfileChangeEvent, + TargetDeviceChangeEvent, + DeviceClassChangeEvent, + CustomDeviceEvent, + DeviceInstallEvent, + DeviceArrivalEvent, + PowerEvent, + VetoEvent, + BlockedDriverEvent, + InvalidIDEvent, + MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef enum _PNP_VETO_TYPE +{ + PNP_VetoTypeUnknown, // unspecified + PNP_VetoLegacyDevice, // instance path + PNP_VetoPendingClose, // instance path + PNP_VetoWindowsApp, // module + PNP_VetoWindowsService, // service + PNP_VetoOutstandingOpen, // 
instance path + PNP_VetoDevice, // instance path + PNP_VetoDriver, // driver service name + PNP_VetoIllegalDeviceRequest, // instance path + PNP_VetoInsufficientPower, // unspecified + PNP_VetoNonDisableable, // instance path + PNP_VetoLegacyDriver, // service + PNP_VetoInsufficientRights // unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ + UNICODE_STRING Name; + USHORT ValueType; + USHORT Reserved; + ULONG Flags; + ULONG ValueCount; + union + { + PLONG64 pInt64; + PULONG64 pUint64; + PUNICODE_STRING pString; + PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; + PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; + } Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +typedef VOID(KNORMAL_ROUTINE) ( + IN PVOID NormalContext, + IN PVOID SystemArgument1, + IN PVOID SystemArgument2); + +typedef struct _PS_ATTRIBUTE +{ + ULONG Attribute; + SIZE_T Size; + union + { + ULONG Value; + PVOID ValuePtr; + } u1; + PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _WNF_STATE_NAME +{ + ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ +} +#endif + +typedef struct _KEY_VALUE_ENTRY +{ + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ + KeyWriteTimeInformation, + KeyWow64FlagsInformation, + KeyControlFlagsInformation, + KeySetVirtualizationInformation, + KeySetDebugInformation, + KeySetHandleTagsInformation, + MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. 
+} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation = 0, + SystemPerformanceInformation = 2, + SystemTimeOfDayInformation = 3, + SystemProcessInformation = 5, + SystemProcessorPerformanceInformation = 8, + SystemHandleInformation = 16, + SystemInterruptInformation = 23, + SystemExceptionInformation = 33, + SystemRegistryQuotaInformation = 37, + SystemLookasideInformation = 45, + SystemCodeIntegrityInformation = 103, + SystemPolicyInformation = 134, +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation = 0, + ProcessDebugPort = 7, + ProcessWow64Information = 26, + ProcessImageFileName = 27, + ProcessBreakOnTermination = 29 +} PROCESSINFOCLASS, *PPROCESSINFOCLASS; + +typedef struct _MEMORY_RANGE_ENTRY +{ + PVOID VirtualAddress; + SIZE_T NumberOfBytes; +} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; + +typedef struct _T2_SET_PARAMETERS_V0 +{ + ULONG Version; + ULONG Reserved; + LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; + +typedef struct _FILE_PATH +{ + ULONG Version; + ULONG Length; + ULONG Type; + CHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _FILE_USER_QUOTA_INFORMATION +{ + ULONG NextEntryOffset; + ULONG SidLength; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER QuotaUsed; + LARGE_INTEGER QuotaThreshold; + LARGE_INTEGER QuotaLimit; + SID Sid[1]; +} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_LIST_INFORMATION +{ + ULONG NextEntryOffset; + ULONG SidLength; + SID Sid[1]; +} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; + ULONG Unknown; +} FILE_NETWORK_OPEN_INFORMATION, 
*PFILE_NETWORK_OPEN_INFORMATION; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ + FilterBootOptionOperationOpenSystemStore, + FilterBootOptionOperationSetElement, + FilterBootOptionOperationDeleteElement, + FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; + +typedef enum _EVENT_TYPE +{ + NotificationEvent = 0, + SynchronizationEvent = 1, +} EVENT_TYPE, *PEVENT_TYPE; + +typedef struct _FILE_FULL_EA_INFORMATION +{ + ULONG NextEntryOffset; + UCHAR Flags; + UCHAR EaNameLength; + USHORT EaValueLength; + CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION +{ + ULONG NextEntryOffset; + BYTE EaNameLength; + CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef struct _BOOT_OPTIONS +{ + ULONG Version; + ULONG Length; + ULONG Timeout; + ULONG CurrentBootEntryId; + ULONG NextBootEntryId; + WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef enum _WNF_DATA_SCOPE +{ + WnfDataScopeSystem = 0, + WnfDataScopeSession = 1, + WnfDataScopeUser = 2, + WnfDataScopeProcess = 3, + WnfDataScopeMachine = 4 +} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; + +typedef enum _WNF_STATE_NAME_LIFETIME +{ + WnfWellKnownStateName = 0, + WnfPermanentStateName = 1, + WnfPersistentStateName = 2, + WnfTemporaryStateName = 3 +} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; + +typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS +{ + VmPrefetchInformation, + VmPagePriorityInformation, + VmCfgCallTargetInformation +} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; + +typedef enum _IO_SESSION_EVENT +{ + IoSessionEventIgnore, + IoSessionEventCreated, + IoSessionEventTerminated, + IoSessionEventConnected, + IoSessionEventDisconnected, + IoSessionEventLogon, + IoSessionEventLogoff, + IoSessionEventMax +} IO_SESSION_EVENT, *PIO_SESSION_EVENT; + +typedef enum _PORT_INFORMATION_CLASS +{ + 
PortBasicInformation, +#if DEVL + PortDumpInformation +#endif +} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; + +typedef enum _PLUGPLAY_CONTROL_CLASS +{ + PlugPlayControlEnumerateDevice, + PlugPlayControlRegisterNewDevice, + PlugPlayControlDeregisterDevice, + PlugPlayControlInitializeDevice, + PlugPlayControlStartDevice, + PlugPlayControlUnlockDevice, + PlugPlayControlQueryAndRemoveDevice, + PlugPlayControlUserResponse, + PlugPlayControlGenerateLegacyDevice, + PlugPlayControlGetInterfaceDeviceList, + PlugPlayControlProperty, + PlugPlayControlDeviceClassAssociation, + PlugPlayControlGetRelatedDevice, + PlugPlayControlGetInterfaceDeviceAlias, + PlugPlayControlDeviceStatus, + PlugPlayControlGetDeviceDepth, + PlugPlayControlQueryDeviceRelations, + PlugPlayControlTargetDeviceRelation, + PlugPlayControlQueryConflictList, + PlugPlayControlRetrieveDock, + PlugPlayControlResetDevice, + PlugPlayControlHaltDevice, + PlugPlayControlGetBlockedDriverList, + MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT +{ + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef enum _DEBUGOBJECTINFOCLASS +{ + DebugObjectFlags = 1, + MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef enum _VDMSERVICECLASS +{ + VdmStartExecution, + VdmQueueInterrupt, + VdmDelayInterrupt, + VdmInitialize, + VdmFeatures, + VdmSetInt21Handler, + VdmQueryDir, + VdmPrinterDirectIoOpen, + VdmPrinterDirectIoClose, + VdmPrinterInitialize, + VdmSetLdtEntries, + VdmSetProcessLdtInfo, 
+ VdmAdlibEmulation, + VdmPMCliControl, + VdmQueryVdmProcess +} VDMSERVICECLASS, *PVDMSERVICECLASS; + +typedef struct _PS_CREATE_INFO +{ + SIZE_T Size; + PS_CREATE_STATE State; + union + { + // PsCreateInitialState + struct { + union { + ULONG InitFlags; + struct { + UCHAR WriteOutputOnExit : 1; + UCHAR DetectManifest : 1; + UCHAR IFEOSkipDebugger : 1; + UCHAR IFEODoNotPropagateKeyState : 1; + UCHAR SpareBits1 : 4; + UCHAR SpareBits2 : 8; + USHORT ProhibitedImageCharacteristics : 16; + }; + }; + ACCESS_MASK AdditionalFileAccess; + } InitState; + // PsCreateFailOnSectionCreate + struct { + HANDLE FileHandle; + } FailSection; + // PsCreateFailExeFormat + struct { + USHORT DllCharacteristics; + } ExeFormat; + // PsCreateFailExeName + struct { + HANDLE IFEOKey; + } ExeName; + // PsCreateSuccess + struct { + union { + ULONG OutputFlags; + struct { + UCHAR ProtectedProcess : 1; + UCHAR AddressSpaceOverride : 1; + UCHAR DevOverrideEnabled : 1; // from Image File Execution Options + UCHAR ManifestDetected : 1; + UCHAR ProtectedProcessLight : 1; + UCHAR SpareBits1 : 3; + UCHAR SpareBits2 : 8; + USHORT SpareBits3 : 16; + }; + }; + HANDLE FileHandle; + HANDLE SectionHandle; + ULONGLONG UserProcessParametersNative; + ULONG UserProcessParametersWow64; + ULONG CurrentParameterFlags; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + ULONGLONG ManifestAddress; + ULONG ManifestSize; + } SuccessState; + }; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, + MemoryWorkingSetInformation, + MemoryMappedFilenameInformation, + MemoryRegionInformation, + MemoryWorkingSetExInformation, + MemorySharedCommitInformation, + MemoryImageInformation, + MemoryRegionInformationEx, + MemoryPrivilegedBasicInformation, + MemoryEnclaveImageInformation, + MemoryBasicInformationCapped +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _MEMORY_RESERVE_TYPE +{ + MemoryReserveUserApc, + MemoryReserveIoCompletion, + 
MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; + +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ + AlpcBasicInformation, + AlpcPortInformation, + AlpcAssociateCompletionPortInformation, + AlpcConnectedSIDInformation, + AlpcServerInformation, + AlpcMessageZoneInformation, + AlpcRegisterCompletionListInformation, + AlpcUnregisterCompletionListInformation, + AlpcAdjustCompletionListConcurrencyCountInformation, + AlpcRegisterCallbackInformation, + AlpcCompletionListRundownInformation +} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; + +typedef struct _ALPC_CONTEXT_ATTR +{ + PVOID PortContext; + PVOID MessageContext; + ULONG SequenceNumber; + ULONG MessageID; + ULONG CallbackID; +} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; + +typedef struct _ALPC_DATA_VIEW_ATTR +{ + ULONG Flags; + HANDLE SectionHandle; + PVOID ViewBase; + SIZE_T ViewSize; +} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; + +typedef struct _ALPC_SECURITY_ATTR +{ + ULONG Flags; + PSECURITY_QUALITY_OF_SERVICE SecurityQos; + HANDLE ContextHandle; + ULONG Reserved1; + ULONG Reserved2; +} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; + +typedef PVOID* PPVOID; + +typedef enum _KPROFILE_SOURCE +{ + ProfileTime = 0, + ProfileAlignmentFixup = 1, + ProfileTotalIssues = 2, + ProfilePipelineDry = 3, + ProfileLoadInstructions = 4, + ProfilePipelineFrozen = 5, + ProfileBranchInstructions = 6, + ProfileTotalNonissues = 7, + ProfileDcacheMisses = 8, + ProfileIcacheMisses = 9, + ProfileCacheMisses = 10, + ProfileBranchMispredictions = 11, + ProfileStoreInstructions = 12, + ProfileFpInstructions = 13, + ProfileIntegerInstructions = 14, + Profile2Issue = 15, + Profile3Issue = 16, + Profile4Issue = 17, + ProfileSpecialInstructions = 18, + ProfileTotalCycles = 19, + ProfileIcacheIssues = 20, + ProfileDcacheAccesses = 21, + ProfileMemoryBarrierCycles = 22, + ProfileLoadLinkedIssues = 23, + ProfileMaximum = 24, +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ + 
AlpcMessageSidInformation, + AlpcMessageTokenModifiedIdInformation +} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; + +typedef enum _WORKERFACTORYINFOCLASS +{ + WorkerFactoryTimeout, + WorkerFactoryRetryTimeout, + WorkerFactoryIdleTimeout, + WorkerFactoryBindingCount, + WorkerFactoryThreadMinimum, + WorkerFactoryThreadMaximum, + WorkerFactoryPaused, + WorkerFactoryBasicInformation, + WorkerFactoryAdjustThreadGoal, + WorkerFactoryCallbackType, + WorkerFactoryStackInformation, + MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS +{ + SystemMemoryPartitionInformation, + SystemMemoryPartitionMoveMemory, + SystemMemoryPartitionAddPagefile, + SystemMemoryPartitionCombineMemory, + SystemMemoryPartitionInitialAddMemory, + SystemMemoryPartitionGetMemoryEvents, + SystemMemoryPartitionMax +} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; + +typedef enum _MUTANT_INFORMATION_CLASS +{ + MutantBasicInformation, + MutantOwnerInformation +} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; + +typedef enum _ATOM_INFORMATION_CLASS +{ + AtomBasicInformation, + AtomTableInformation +} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; + +typedef enum _SHUTDOWN_ACTION { + ShutdownNoReboot, + ShutdownReboot, + ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( + IN PVOID TimerContext, + IN ULONG TimerLowValue, + IN LONG TimerHighValue); + +typedef enum _KEY_VALUE_INFORMATION_CLASS { + KeyValueBasicInformation = 0, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef LANGID* PLANGID; + +typedef struct _PLUGPLAY_EVENT_BLOCK +{ + GUID EventGuid; + PLUGPLAY_EVENT_CATEGORY EventCategory; + PULONG Result; + ULONG Flags; + ULONG TotalSize; + PVOID DeviceObject; + + union + { + struct + { + GUID 
ClassGuid; + WCHAR SymbolicLinkName[1]; + } DeviceClass; + struct + { + WCHAR DeviceIds[1]; + } TargetDevice; + struct + { + WCHAR DeviceId[1]; + } InstallDevice; + struct + { + PVOID NotificationStructure; + WCHAR DeviceIds[1]; + } CustomNotification; + struct + { + PVOID Notification; + } ProfileNotification; + struct + { + ULONG NotificationCode; + ULONG NotificationData; + } PowerNotification; + struct + { + PNP_VETO_TYPE VetoType; + WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName + } VetoNotification; + struct + { + GUID BlockedDriverGuid; + } BlockedDriverNotification; + struct + { + WCHAR ParentId[1]; + } InvalidIDNotification; + } u; +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef VOID(NTAPI* PIO_APC_ROUTINE) ( + IN PVOID ApcContext, + IN PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG Reserved); + +typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; + +typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS +{ + DirectoryNotifyInformation = 1, + DirectoryNotifyExtendedInformation = 2, +} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; + +typedef enum _EVENT_INFORMATION_CLASS +{ + EventBasicInformation +} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; + +typedef struct _ALPC_MESSAGE_ATTRIBUTES +{ + unsigned long AllocatedAttributes; + unsigned long ValidAttributes; +} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; + +typedef struct _ALPC_PORT_ATTRIBUTES +{ + ULONG Flags; + SECURITY_QUALITY_OF_SERVICE SecurityQos; + SIZE_T MaxMessageLength; + SIZE_T MemoryBandwidth; + SIZE_T MaxPoolUsage; + SIZE_T MaxSectionSize; + SIZE_T MaxViewSize; + SIZE_T MaxTotalSectionSize; + ULONG DupObjectTypes; +#ifdef _WIN64 + ULONG Reserved; +#endif +} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; + +typedef enum _IO_SESSION_STATE +{ + IoSessionStateCreated = 1, + IoSessionStateInitialized = 2, + IoSessionStateConnected = 3, + IoSessionStateDisconnected = 4, + IoSessionStateDisconnectedLoggedOn = 5, + IoSessionStateLoggedOn = 6, + 
IoSessionStateLoggedOff = 7, + IoSessionStateTerminated = 8, + IoSessionStateMax = 9, +} IO_SESSION_STATE, *PIO_SESSION_STATE; + +typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; + +typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; + +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ + unsigned __int64 SubscriptionId; + WNF_STATE_NAME StateName; + unsigned long ChangeStamp; + unsigned long StateDataSize; + unsigned long EventMask; + WNF_TYPE_ID TypeId; + unsigned long StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; + +typedef enum _DEBUG_CONTROL_CODE +{ + SysDbgQueryModuleInformation = 0, + SysDbgQueryTraceInformation = 1, + SysDbgSetTracePoint = 2, + SysDbgSetSpecialCall = 3, + SysDbgClearSpecialCalls = 4, + SysDbgQuerySpecialCalls = 5, + SysDbgBreakPoint = 6, + SysDbgQueryVersion = 7, + SysDbgReadVirtual = 8, + SysDbgWriteVirtual = 9, + SysDbgReadPhysical = 10, + SysDbgWritePhysical = 11, + SysDbgReadControlSpace = 12, + SysDbgWriteControlSpace = 13, + SysDbgReadIoSpace = 14, + SysDbgWriteIoSpace = 15, + SysDbgReadMsr = 16, + SysDbgWriteMsr = 17, + SysDbgReadBusData = 18, + SysDbgWriteBusData = 19, + SysDbgCheckLowMemory = 20, + SysDbgEnableKernelDebugger = 21, + SysDbgDisableKernelDebugger = 22, + SysDbgGetAutoKdEnable = 23, + SysDbgSetAutoKdEnable = 24, + SysDbgGetPrintBufferSize = 25, + SysDbgSetPrintBufferSize = 26, + SysDbgGetKdUmExceptionEnable = 27, + SysDbgSetKdUmExceptionEnable = 28, + SysDbgGetTriageDump = 29, + SysDbgGetKdBlockEnable = 30, + SysDbgSetKdBlockEnable = 31 +} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; + +typedef struct _PORT_MESSAGE +{ + union + { + union + { + struct + { + short DataLength; + short TotalLength; + } s1; + unsigned long Length; + }; + } u1; + union + { + union + { + struct + { + short Type; + short DataInfoOffset; + } s2; + unsigned long ZeroInit; + }; + } u2; + union + { + CLIENT_ID ClientId; + double DoNotUseThisField; + }; + unsigned long MessageId; + union + { + unsigned __int64 ClientViewSize; + struct + { + 
unsigned long CallbackId; + long __PADDING__[1]; + }; + }; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _FILE_BASIC_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _PORT_SECTION_READ +{ + ULONG Length; + ULONG ViewSize; + ULONG ViewBase; +} PORT_SECTION_READ, *PPORT_SECTION_READ; + +typedef struct _PORT_SECTION_WRITE +{ + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + ULONG ViewSize; + PVOID ViewBase; + PVOID TargetViewBase; +} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; + +typedef enum _TIMER_TYPE +{ + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE, *PTIMER_TYPE; + +typedef struct _BOOT_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG BootFilePathOffset; + ULONG OsOptionsLength; + UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ + TimerSetCoalescableTimer, + MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; + +typedef enum _FSINFOCLASS +{ + FileFsVolumeInformation = 1, + FileFsLabelInformation = 2, + FileFsSizeInformation = 3, + FileFsDeviceInformation = 4, + FileFsAttributeInformation = 5, + FileFsControlInformation = 6, + FileFsFullSizeInformation = 7, + FileFsObjectIdInformation = 8, + FileFsDriverPathInformation = 9, + FileFsVolumeFlagsInformation = 10, + FileFsSectorSizeInformation = 11, + FileFsDataCopyInformation = 12, + FileFsMetadataSizeInformation = 13, + FileFsFullSizeInformationEx = 14, + FileFsMaximumInformation = 15, +} FSINFOCLASS, *PFSINFOCLASS; + 
+typedef enum _WAIT_TYPE +{ + WaitAll = 0, + WaitAny = 1 +} WAIT_TYPE, *PWAIT_TYPE; + +typedef struct _USER_STACK +{ + PVOID FixedStackBase; + PVOID FixedStackLimit; + PVOID ExpandableStackBase; + PVOID ExpandableStackLimit; + PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +typedef enum _SECTION_INFORMATION_CLASS +{ + SectionBasicInformation, + SectionImageInformation, +} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; + +typedef enum _APPHELPCACHESERVICECLASS +{ + ApphelpCacheServiceLookup = 0, + ApphelpCacheServiceRemove = 1, + ApphelpCacheServiceUpdate = 2, + ApphelpCacheServiceFlush = 3, + ApphelpCacheServiceDump = 4, + ApphelpDBGReadRegistry = 0x100, + ApphelpDBGWriteRegistry = 0x101, +} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ + USHORT Version; + USHORT Reserved; + ULONG AttributeCount; + union + { + PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; + } Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ + PVOID KeyContext; + PVOID ApcContext; + IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef PVOID PT2_CANCEL_PARAMETERS; + +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + MaxThreadInfoClass +} THREADINFOCLASS, *PTHREADINFOCLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + 
ObjectAllTypesInformation, + ObjectHandleInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, + FileFullDirectoryInformation = 2, + FileBothDirectoryInformation = 3, + FileBasicInformation = 4, + FileStandardInformation = 5, + FileInternalInformation = 6, + FileEaInformation = 7, + FileAccessInformation = 8, + FileNameInformation = 9, + FileRenameInformation = 10, + FileLinkInformation = 11, + FileNamesInformation = 12, + FileDispositionInformation = 13, + FilePositionInformation = 14, + FileFullEaInformation = 15, + FileModeInformation = 16, + FileAlignmentInformation = 17, + FileAllInformation = 18, + FileAllocationInformation = 19, + FileEndOfFileInformation = 20, + FileAlternateNameInformation = 21, + FileStreamInformation = 22, + FilePipeInformation = 23, + FilePipeLocalInformation = 24, + FilePipeRemoteInformation = 25, + FileMailslotQueryInformation = 26, + FileMailslotSetInformation = 27, + FileCompressionInformation = 28, + FileObjectIdInformation = 29, + FileCompletionInformation = 30, + FileMoveClusterInformation = 31, + FileQuotaInformation = 32, + FileReparsePointInformation = 33, + FileNetworkOpenInformation = 34, + FileAttributeTagInformation = 35, + FileTrackingInformation = 36, + FileIdBothDirectoryInformation = 37, + FileIdFullDirectoryInformation = 38, + FileValidDataLengthInformation = 39, + FileShortNameInformation = 40, + FileIoCompletionNotificationInformation = 41, + FileIoStatusBlockRangeInformation = 42, + FileIoPriorityHintInformation = 43, + FileSfioReserveInformation = 44, + FileSfioVolumeInformation = 45, + FileHardLinkInformation = 46, + FileProcessIdsUsingFileInformation = 47, + FileNormalizedNameInformation = 48, + FileNetworkPhysicalNameInformation = 49, + FileIdGlobalTxDirectoryInformation = 50, + FileIsRemoteDeviceInformation = 51, + FileUnusedInformation = 52, + FileNumaNodeInformation = 53, + FileStandardLinkInformation = 54, + 
FileRemoteProtocolInformation = 55, + FileRenameInformationBypassAccessCheck = 56, + FileLinkInformationBypassAccessCheck = 57, + FileVolumeNameInformation = 58, + FileIdInformation = 59, + FileIdExtdDirectoryInformation = 60, + FileReplaceCompletionInformation = 61, + FileHardLinkFullIdInformation = 62, + FileIdExtdBothDirectoryInformation = 63, + FileDispositionInformationEx = 64, + FileRenameInformationEx = 65, + FileRenameInformationExBypassAccessCheck = 66, + FileMaximumInformation = 67, +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef enum _KEY_INFORMATION_CLASS +{ + KeyBasicInformation = 0, + KeyNodeInformation = 1, + KeyFullInformation = 2, + KeyNameInformation = 3, + KeyCachedInformation = 4, + KeyFlagsInformation = 5, + KeyVirtualizationInformation = 6, + KeyHandleTagsInformation = 7, + MaxKeyInfoClass = 8 +} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; + +typedef struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef enum _TIMER_INFORMATION_CLASS +{ + TimerBasicInformation +} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; + +typedef struct _KCONTINUE_ARGUMENT +{ + KCONTINUE_TYPE ContinueType; + ULONG ContinueFlags; + ULONGLONG Reserved[2]; +} KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; + +EXTERN_C NTSTATUS Sw3NtAccessCheck( + IN PSECURITY_DESCRIPTOR pSecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiaredAccess, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus); + +EXTERN_C NTSTATUS Sw3NtWorkerFactoryWorkerReady( + IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtAcceptConnectPort( + OUT PHANDLE ServerPortHandle, + IN ULONG AlternativeReceivePortHandle OPTIONAL, + IN PPORT_MESSAGE ConnectionReply, + IN 
BOOLEAN AcceptConnection, + IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, + OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPagesScatter( + IN PVOID VirtualAddresses, + IN PULONG NumberOfPages, + IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForSingleObject( + IN HANDLE ObjectHandle, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER TimeOut OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallbackReturn( + IN PVOID OutputBuffer OPTIONAL, + IN ULONG OutputLength, + IN NTSTATUS Status); + +EXTERN_C NTSTATUS Sw3NtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + OUT PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeviceIoControlFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG IoControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletion( + IN HANDLE IoCompletionHandle, + OUT PULONG KeyContext, + OUT PULONG ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseSemaphore( + IN HANDLE SemaphoreHandle, + IN LONG ReleaseCount, + OUT PLONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePort( + IN HANDLE PortHandle, + OUT PVOID PortContext OPTIONAL, + IN PPORT_MESSAGE 
ReplyMessage OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage); + +EXTERN_C NTSTATUS Sw3NtReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtSetInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtClose( + IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtQueryObject( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation OPTIONAL, + IN ULONG ObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtOpenKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtEnumerateValueKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtFindAtom( + IN PWSTR AtomName OPTIONAL, + IN ULONG Length, + OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultLocale( + IN BOOLEAN UserProfile, + OUT PLCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtQueryKey( + IN HANDLE KeyHandle, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT PVOID KeyInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemory( 
+ IN HANDLE ProcessHandle, + IN OUT PVOID * BaseAddress, + IN ULONG ZeroBits, + IN OUT PSIZE_T RegionSize, + IN ULONG AllocationType, + IN ULONG Protect); + +EXTERN_C NTSTATUS Sw3NtQueryInformationProcess( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects32( + IN ULONG ObjectCount, + IN PHANDLE Handles, + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteFileGather( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG TitleIndex, + IN PUNICODE_STRING Class OPTIONAL, + IN ULONG CreateOptions, + OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFreeVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID * BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG FreeType); + +EXTERN_C NTSTATUS Sw3NtImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message); + +EXTERN_C NTSTATUS Sw3NtReleaseMutant( + IN HANDLE MutantHandle, + OUT PULONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage, + OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtQueryVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN 
MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN SIZE_T MemoryInformationLength, + OUT PSIZE_T ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSection( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG ZeroBits, + IN SIZE_T CommitSize, + IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, + IN OUT PSIZE_T ViewSize, + IN SECTION_INHERIT InheritDisposition, + IN ULONG AllocationType, + IN ULONG Win32Protect); + +EXTERN_C NTSTATUS Sw3NtAccessCheckAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSection( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePortEx( + IN HANDLE PortHandle, + OUT PULONG PortContext OPTIONAL, + IN PPORT_MESSAGE ReplyMessage OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage, + IN PLARGE_INTEGER Timeout 
OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateProcess( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtSetEventBoostPriority( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadFileScatter( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadTokenEx( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenProcessTokenEx( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryPerformanceCounter( + OUT PLARGE_INTEGER PerformanceCounter, + OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtEnumerateKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT PVOID KeyInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtOpenFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtDelayExecution( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER DelayInterval); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN BOOLEAN ReturnSingleEntry, + IN PUNICODE_STRING FileName OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS 
Sw3NtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtQueryTimer( + IN HANDLE TimerHandle, + IN TIMER_INFORMATION_CLASS TimerInformationClass, + OUT PVOID TimerInformation, + IN ULONG TimerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFsControlFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG FsControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN SIZE_T NumberOfBytesToWrite, + OUT PSIZE_T NumberOfBytesWritten OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCloseObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDuplicateObject( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN HANDLE TargetProcessHandle OPTIONAL, + OUT PHANDLE TargetHandle OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Options); + +EXTERN_C NTSTATUS Sw3NtQueryAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_BASIC_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtClearEvent( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT PSIZE_T NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEvent( + OUT PHANDLE EventHandle, + IN ACCESS_MASK 
DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAdjustPrivilegesToken( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState OPTIONAL, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtContinue( + IN PCONTEXT ContextRecord, + IN BOOLEAN TestAlert); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultUILanguage( + OUT PLANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueueApcThread( + IN HANDLE ThreadHandle, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcArgument1 OPTIONAL, + IN PVOID ApcArgument2 OPTIONAL, + IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtYieldExecution(); + +EXTERN_C NTSTATUS Sw3NtAddAtom( + IN PWSTR AtomName OPTIONAL, + IN ULONG Length, + OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEvent( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN EVENT_TYPE EventType, + IN BOOLEAN InitialState); + +EXTERN_C NTSTATUS Sw3NtQueryVolumeInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FsInformation, + IN ULONG Length, + IN FSINFOCLASS FsInformationClass); + +EXTERN_C NTSTATUS Sw3NtCreateSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PLARGE_INTEGER MaximumSize OPTIONAL, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN HANDLE FileHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtApphelpCacheControl( + IN APPHELPCACHESERVICECLASS Service, + IN PVOID 
ServiceData); + +EXTERN_C NTSTATUS Sw3NtCreateProcessEx( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ParentProcess, + IN ULONG Flags, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL, + IN ULONG JobMemberLevel); + +EXTERN_C NTSTATUS Sw3NtCreateThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ProcessHandle, + OUT PCLIENT_ID ClientId, + IN PCONTEXT ThreadContext, + IN PUSER_STACK InitialTeb, + IN BOOLEAN CreateSuspended); + +EXTERN_C NTSTATUS Sw3NtIsProcessInJob( + IN HANDLE ProcessHandle, + IN HANDLE JobHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtProtectVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID * BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG NewProtect, + OUT PULONG OldProtect); + +EXTERN_C NTSTATUS Sw3NtQuerySection( + IN HANDLE SectionHandle, + IN SECTION_INFORMATION_CLASS SectionInformationClass, + OUT PVOID SectionInformation, + IN ULONG SectionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResumeThread( + IN HANDLE ThreadHandle, + IN OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateThread( + IN HANDLE ThreadHandle, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtReadRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + OUT PVOID Buffer, + IN ULONG BufferSize, + OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER AllocationSize OPTIONAL, + IN ULONG FileAttributes, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN PVOID EaBuffer OPTIONAL, + IN ULONG EaLength); + +EXTERN_C NTSTATUS Sw3NtQueryEvent( + IN 
HANDLE EventHandle, + IN EVENT_INFORMATION_CLASS EventInformationClass, + OUT PVOID EventInformation, + IN ULONG EventInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Request, + IN ULONG DataIndex, + IN PVOID Buffer, + IN ULONG Length, + OUT PULONG ResultLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects( + IN ULONG Count, + IN PHANDLE Handles, + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationObject( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + IN PVOID ObjectInformation, + IN ULONG ObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtCancelIoFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtTraceEvent( + IN HANDLE TraceHandle, + IN ULONG Flags, + IN ULONG FieldSize, + IN PVOID Fields); + +EXTERN_C NTSTATUS Sw3NtPowerInformation( + IN POWER_INFORMATION_LEVEL InformationLevel, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtSetValueKey( + IN HANDLE KeyHandle, + 
IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID SystemData, + IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtCancelTimer( + IN HANDLE TimerHandle, + OUT PBOOLEAN CurrentState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetTimer( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, + IN PVOID TimerContext OPTIONAL, + IN BOOLEAN ResumeTimer, + IN LONG Period OPTIONAL, + OUT PBOOLEAN PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByType( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN HANDLE ClientToken, + IN ULONG DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultList( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS 
Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN HANDLE ClientToken, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAcquireProcessActivityReference(); + +EXTERN_C NTSTATUS Sw3NtAddAtomEx( + IN PWSTR AtomName, + IN ULONG Length, + IN PRTL_ATOM Atom, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAddBootEntry( + IN PBOOT_ENTRY BootEntry, + OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAddDriverEntry( + IN PEFI_DRIVER_ENTRY DriverEntry, + OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAdjustGroupsToken( + IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState OPTIONAL, + IN ULONG BufferLength OPTIONAL, + OUT PTOKEN_GROUPS PreviousState OPTIONAL, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtAdjustTokenClaimsAndDeviceGroups( + IN HANDLE TokenHandle, + IN BOOLEAN UserResetToDefault, + IN BOOLEAN DeviceResetToDefault, + IN BOOLEAN DeviceGroupsResetToDefault, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, + IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, + IN ULONG UserBufferLength, + OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, + IN ULONG DeviceBufferLength, + OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, + IN ULONG DeviceGroupsBufferLength, + OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, + OUT PULONG UserReturnLength OPTIONAL, + OUT PULONG DeviceReturnLength 
OPTIONAL, + OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertThread( + IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtAlertThreadByThreadId( + IN ULONG ThreadId); + +EXTERN_C NTSTATUS Sw3NtAllocateLocallyUniqueId( + OUT PLUID Luid); + +EXTERN_C NTSTATUS Sw3NtAllocateReserveObject( + OUT PHANDLE MemoryReserveHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN MEMORY_RESERVE_TYPE Type); + +EXTERN_C NTSTATUS Sw3NtAllocateUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + OUT PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtAllocateUuids( + OUT PLARGE_INTEGER Time, + OUT PULONG Range, + OUT PULONG Sequence, + OUT PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemoryEx( + IN HANDLE ProcessHandle, + IN OUT PPVOID lpAddress, + IN ULONG_PTR ZeroBits, + IN OUT PSIZE_T pSize, + IN ULONG flAllocationType, + IN OUT PVOID DataBuffer OPTIONAL, + IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtAlpcAcceptConnectPort( + OUT PHANDLE PortHandle, + IN HANDLE ConnectionPortHandle, + IN ULONG Flags, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN PVOID PortContext OPTIONAL, + IN PPORT_MESSAGE ConnectionRequest, + IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, + IN BOOLEAN AcceptConnection); + +EXTERN_C NTSTATUS Sw3NtAlpcCancelMessage( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PALPC_CONTEXT_ATTR MessageContext); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN ULONG Flags, + IN PSID RequiredServerSid OPTIONAL, + IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, + IN OUT PULONG BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes 
OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPortEx( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, + IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN ULONG Flags, + IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, + IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, + IN OUT PSIZE_T BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePortSection( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE SectionHandle OPTIONAL, + IN SIZE_T SectionSize, + OUT PHANDLE AlpcSectionHandle, + OUT PSIZE_T ActualSectionSize); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateResourceReserve( + IN HANDLE PortHandle, + IN ULONG Flags, + IN SIZE_T MessageSize, + OUT PHANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSectionView( + IN HANDLE PortHandle, + IN ULONG Flags, + IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN OUT PALPC_SECURITY_ATTR SecurityAttribute); + +EXTERN_C NTSTATUS Sw3NtAlpcDeletePortSection( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE SectionHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteResourceReserve( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSectionView( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PVOID ViewBase); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ContextHandle); + +EXTERN_C 
NTSTATUS Sw3NtAlpcDisconnectPort( + IN HANDLE PortHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientContainerOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN PVOID Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderProcess( + OUT PHANDLE ProcessHandle, + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ULONG Flags, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderThread( + OUT PHANDLE ThreadHandle, + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ULONG Flags, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformation( + IN HANDLE PortHandle OPTIONAL, + IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, + IN OUT PVOID PortInformation, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformationMessage( + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, + OUT PVOID MessageInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcRevokeSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcSendWaitReceivePort( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PPORT_MESSAGE SendMessage OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, + IN OUT PSIZE_T BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcSetInformation( + IN HANDLE PortHandle, + IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, + IN PVOID PortInformation OPTIONAL, + IN ULONG Length); + +EXTERN_C 
NTSTATUS Sw3NtAreMappedFilesTheSame( + IN PVOID File1MappedAsAnImage, + IN PVOID File2MappedAsFile); + +EXTERN_C NTSTATUS Sw3NtAssignProcessToJobObject( + IN HANDLE JobHandle, + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtAssociateWaitCompletionPacket( + IN HANDLE WaitCompletionPacketHandle, + IN HANDLE IoCompletionHandle, + IN HANDLE TargetObjectHandle, + IN PVOID KeyContext OPTIONAL, + IN PVOID ApcContext OPTIONAL, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation, + OUT PBOOLEAN AlreadySignaled OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallEnclave( + IN PENCLAVE_ROUTINE Routine, + IN PVOID Parameter, + IN BOOLEAN WaitForThread, + IN OUT PVOID ReturnValue OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCancelIoFileEx( + IN HANDLE FileHandle, + IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelSynchronousIoFile( + IN HANDLE ThreadHandle, + IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelTimer2( + IN HANDLE TimerHandle, + IN PT2_CANCEL_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtCancelWaitCompletionPacket( + IN HANDLE WaitCompletionPacketHandle, + IN BOOLEAN RemoveSignaledPacket); + +EXTERN_C NTSTATUS Sw3NtCommitComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitRegistryTransaction( + IN HANDLE RegistryHandle, + IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtCommitTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtCompactKeys( + IN ULONG Count, + IN HANDLE KeyArray); + +EXTERN_C NTSTATUS Sw3NtCompareObjects( + IN HANDLE FirstObjectHandle, + IN HANDLE SecondObjectHandle); + +EXTERN_C NTSTATUS Sw3NtCompareSigningLevels( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2); + +EXTERN_C NTSTATUS 
Sw3NtCompareTokens( + IN HANDLE FirstTokenHandle, + IN HANDLE SecondTokenHandle, + OUT PBOOLEAN Equal); + +EXTERN_C NTSTATUS Sw3NtCompleteConnectPort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtCompressKey( + IN HANDLE Key); + +EXTERN_C NTSTATUS Sw3NtConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, + IN OUT PPORT_SECTION_READ ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2, + IN ULONG UnknownParameter3, + IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtCreateDebugObject( + OUT PHANDLE DebugObjectHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObjectEx( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ShadowDirectoryHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateEnclave( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG_PTR ZeroBits, + IN SIZE_T Size, + IN SIZE_T InitialCommitment, + IN ULONG EnclaveType, + IN PVOID EnclaveInformation, + IN ULONG EnclaveInformationLength, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEnlistment( + OUT PHANDLE EnlistmentHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE ResourceManagerHandle, + IN HANDLE TransactionHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN NOTIFICATION_MASK NotificationMask, + IN PVOID EnlistmentKey OPTIONAL); + 
+EXTERN_C NTSTATUS Sw3NtCreateEventPair( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateIRTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateIoCompletion( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG Count OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobSet( + IN ULONG NumJob, + IN PJOB_SET_ARRAY UserJobSet, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateKeyTransacted( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG TitleIndex, + IN PUNICODE_STRING Class OPTIONAL, + IN ULONG CreateOptions, + IN HANDLE TransactionHandle, + OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKeyedEvent( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateLowBoxToken( + OUT PHANDLE TokenHandle, + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PSID PackageSid, + IN ULONG CapabilityCount, + IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, + IN ULONG HandleCount, + IN HANDLE Handles OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateMailslotFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CreateOptions, + IN ULONG MailslotQuota, + IN ULONG MaximumMessageSize, + IN PLARGE_INTEGER ReadTimeout); + +EXTERN_C NTSTATUS Sw3NtCreateMutant( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN BOOLEAN 
InitialOwner); + +EXTERN_C NTSTATUS Sw3NtCreateNamedPipeFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN BOOLEAN NamedPipeType, + IN BOOLEAN ReadMode, + IN BOOLEAN CompletionMode, + IN ULONG MaximumInstances, + IN ULONG InboundQuota, + IN ULONG OutboundQuota, + IN PLARGE_INTEGER DefaultTimeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePagingFile( + IN PUNICODE_STRING PageFileName, + IN PULARGE_INTEGER MinimumSize, + IN PULARGE_INTEGER MaximumSize, + IN ULONG Priority); + +EXTERN_C NTSTATUS Sw3NtCreatePartition( + OUT PHANDLE PartitionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG PreferredNode); + +EXTERN_C NTSTATUS Sw3NtCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePrivateNamespace( + OUT PHANDLE NamespaceHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ParentProcess, + IN BOOLEAN InheritObjectTable, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateProfile( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN ULONG ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN ULONG Affinity); + +EXTERN_C NTSTATUS Sw3NtCreateProfileEx( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN SIZE_T ProfileSize, + IN ULONG 
BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN USHORT GroupCount, + IN PGROUP_AFFINITY GroupAffinity); + +EXTERN_C NTSTATUS Sw3NtCreateRegistryTransaction( + OUT PHANDLE Handle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN DWORD Flags); + +EXTERN_C NTSTATUS Sw3NtCreateResourceManager( + OUT PHANDLE ResourceManagerHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE TmHandle, + IN LPGUID RmGuid, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN LONG InitialCount, + IN LONG MaximumCount); + +EXTERN_C NTSTATUS Sw3NtCreateSymbolicLinkObject( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PUNICODE_STRING LinkTarget); + +EXTERN_C NTSTATUS Sw3NtCreateThreadEx( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ProcessHandle, + IN PVOID StartRoutine, + IN PVOID Argument OPTIONAL, + IN ULONG CreateFlags, + IN SIZE_T ZeroBits, + IN SIZE_T StackSize, + IN SIZE_T MaximumStackSize, + IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TIMER_TYPE TimerType); + +EXTERN_C NTSTATUS Sw3NtCreateTimer2( + OUT PHANDLE TimerHandle, + IN PVOID Reserved1 OPTIONAL, + IN PVOID Reserved2 OPTIONAL, + IN ULONG Attributes, + IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateToken( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN 
PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_OWNER Owner OPTIONAL, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTokenEx( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, + IN PTOKEN_GROUPS DeviceGroups OPTIONAL, + IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, + IN PTOKEN_OWNER Owner OPTIONAL, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTransaction( + OUT PHANDLE TransactionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN LPGUID Uow OPTIONAL, + IN HANDLE TmHandle OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN ULONG IsolationLevel OPTIONAL, + IN ULONG IsolationFlags OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL, + IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTransactionManager( + OUT PHANDLE TmHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PUNICODE_STRING LogFileName OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN ULONG CommitStrength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateUserProcess( + OUT PHANDLE ProcessHandle, + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK ProcessDesiredAccess, + IN ACCESS_MASK ThreadDesiredAccess, + IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, + IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, + IN ULONG ProcessFlags, + IN ULONG ThreadFlags, + IN PVOID 
ProcessParameters OPTIONAL, + IN OUT PPS_CREATE_INFO CreateInfo, + IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitCompletionPacket( + OUT PHANDLE WaitCompletionPacketHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitablePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWnfStateName( + OUT PCWNF_STATE_NAME StateName, + IN WNF_STATE_NAME_LIFETIME NameLifetime, + IN WNF_DATA_SCOPE DataScope, + IN BOOLEAN PersistData, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN ULONG MaximumStateSize, + IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateWorkerFactory( + OUT PHANDLE WorkerFactoryHandleReturn, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE CompletionPortHandle, + IN HANDLE WorkerProcessHandle, + IN PVOID StartRoutine, + IN PVOID StartParameter OPTIONAL, + IN ULONG MaxThreadCount OPTIONAL, + IN SIZE_T StackReserve OPTIONAL, + IN SIZE_T StackCommit OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDebugActiveProcess( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtDebugContinue( + IN HANDLE DebugObjectHandle, + IN PCLIENT_ID ClientId, + IN NTSTATUS ContinueStatus); + +EXTERN_C NTSTATUS Sw3NtDeleteAtom( + IN USHORT Atom); + +EXTERN_C NTSTATUS Sw3NtDeleteBootEntry( + IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteDriverEntry( + IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteFile( + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtDeleteKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDeletePrivateNamespace( + IN HANDLE NamespaceHandle); + 
+EXTERN_C NTSTATUS Sw3NtDeleteValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PVOID ExplicitScope OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateName( + IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtDisableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtDisplayString( + IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtDrawText( + IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtEnableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtEnumerateBootEntries( + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateDriverEntries( + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateSystemEnvironmentValuesEx( + IN ULONG InformationClass, + OUT PVOID Buffer, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateTransactionObject( + IN HANDLE RootObjectHandle OPTIONAL, + IN KTMOBJECT_TYPE QueryType, + IN OUT PKTMOBJECT_CURSOR ObjectCursor, + IN ULONG ObjectCursorLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtExtendSection( + IN HANDLE SectionHandle, + IN OUT PLARGE_INTEGER NewSectionSize); + +EXTERN_C NTSTATUS Sw3NtFilterBootOption( + IN FILTER_BOOT_OPTION_OPERATION FilterOperation, + IN ULONG ObjectType, + IN ULONG ElementType, + IN PVOID SystemData OPTIONAL, + IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtFilterToken( + IN HANDLE ExistingTokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable OPTIONAL, + IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + IN PTOKEN_GROUPS RestrictedSids OPTIONAL, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFilterTokenEx( + IN HANDLE TokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable OPTIONAL, + IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + IN PTOKEN_GROUPS RestrictedSids OPTIONAL, + IN ULONG DisableUserClaimsCount, + IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, + IN ULONG 
DisableDeviceClaimsCount, + IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, + IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, + IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFileEx( + IN HANDLE FileHandle, + IN ULONG Flags, + IN PVOID Parameters, + IN ULONG ParametersSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushInstallUILanguage( + IN LANGID InstallUILanguage, + IN ULONG SetComittedFlag); + +EXTERN_C NTSTATUS Sw3NtFlushInstructionCache( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtFlushKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtFlushProcessWriteBuffers(); + +EXTERN_C NTSTATUS Sw3NtFlushVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN OUT PULONG RegionSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushWriteBuffer(); + +EXTERN_C NTSTATUS Sw3NtFreeUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + IN PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtFreezeRegistry( + IN ULONG TimeOutInSeconds); + +EXTERN_C NTSTATUS Sw3NtFreezeTransactions( + IN PLARGE_INTEGER FreezeTimeout, + IN PLARGE_INTEGER ThawTimeout); + +EXTERN_C NTSTATUS Sw3NtGetCachedSigningLevel( + IN HANDLE File, + OUT PULONG Flags, + OUT PSE_SIGNING_LEVEL SigningLevel, + OUT PUCHAR Thumbprint OPTIONAL, + IN OUT PULONG ThumbprintSize OPTIONAL, + OUT PULONG ThumbprintAlgorithm OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetCompleteWnfStateSubscription( + IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, + IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, + IN ULONG OldDescriptorEventMask OPTIONAL, + IN ULONG OldDescriptorStatus OPTIONAL, + OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, + IN ULONG 
DescriptorSize); + +EXTERN_C NTSTATUS Sw3NtGetContextThread( + IN HANDLE ThreadHandle, + IN OUT PCONTEXT ThreadContext); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumber(); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumberEx( + OUT PULONG ProcNumber OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetDevicePowerState( + IN HANDLE Device, + OUT PDEVICE_POWER_STATE State); + +EXTERN_C NTSTATUS Sw3NtGetMUIRegistryInfo( + IN ULONG Flags, + IN OUT PULONG DataSize, + OUT PVOID SystemData); + +EXTERN_C NTSTATUS Sw3NtGetNextProcess( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewProcessHandle); + +EXTERN_C NTSTATUS Sw3NtGetNextThread( + IN HANDLE ProcessHandle, + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewThreadHandle); + +EXTERN_C NTSTATUS Sw3NtGetNlsSectionPtr( + IN ULONG SectionType, + IN ULONG SectionData, + IN PVOID ContextData, + OUT PVOID SectionPointer, + OUT PULONG SectionSize); + +EXTERN_C NTSTATUS Sw3NtGetNotificationResourceManager( + IN HANDLE ResourceManagerHandle, + OUT PTRANSACTION_NOTIFICATION TransactionNotification, + IN ULONG NotificationLength, + IN PLARGE_INTEGER Timeout OPTIONAL, + OUT PULONG ReturnLength OPTIONAL, + IN ULONG Asynchronous, + IN ULONG AsynchronousContext OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetWriteWatch( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN ULONG RegionSize, + OUT PULONG UserAddressArray, + IN OUT PULONG EntriesInUserAddressArray, + OUT PULONG Granularity); + +EXTERN_C NTSTATUS Sw3NtImpersonateAnonymousToken( + IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtImpersonateThread( + IN HANDLE ServerThreadHandle, + IN HANDLE ClientThreadHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +EXTERN_C NTSTATUS Sw3NtInitializeEnclave( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID EnclaveInformation, + IN ULONG EnclaveInformationLength, + 
OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtInitializeNlsFiles( + OUT PVOID BaseAddress, + OUT PLCID DefaultLocaleId, + OUT PLARGE_INTEGER DefaultCasingTableSize); + +EXTERN_C NTSTATUS Sw3NtInitializeRegistry( + IN USHORT BootCondition); + +EXTERN_C NTSTATUS Sw3NtInitiatePowerAction( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE LightestSystemState, + IN ULONG Flags, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtIsSystemResumeAutomatic(); + +EXTERN_C NTSTATUS Sw3NtIsUILanguageComitted(); + +EXTERN_C NTSTATUS Sw3NtListenPort( + IN HANDLE PortHandle, + OUT PPORT_MESSAGE ConnectionRequest); + +EXTERN_C NTSTATUS Sw3NtLoadDriver( + IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtLoadEnclaveData( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN SIZE_T BufferSize, + IN ULONG Protect, + IN PVOID PageInformation, + IN ULONG PageInformationLength, + OUT PSIZE_T NumberOfBytesWritten OPTIONAL, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLoadHotPatch( + IN PUNICODE_STRING HotPatchName, + IN ULONG LoadFlag); + +EXTERN_C NTSTATUS Sw3NtLoadKey( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile); + +EXTERN_C NTSTATUS Sw3NtLoadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtLoadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags, + IN HANDLE TrustClassKey OPTIONAL, + IN HANDLE Event OPTIONAL, + IN ACCESS_MASK DesiredAccess OPTIONAL, + OUT PHANDLE RootHandle OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PULARGE_INTEGER ByteOffset, + IN PULARGE_INTEGER Length, + IN ULONG Key, + IN BOOLEAN FailImmediately, + IN BOOLEAN ExclusiveLock); + +EXTERN_C 
NTSTATUS Sw3NtLockProductActivationKeys( + IN OUT PULONG pPrivateVer OPTIONAL, + OUT PULONG pSafeMode OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockRegistryKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtLockVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PULONG RegionSize, + IN ULONG MapType); + +EXTERN_C NTSTATUS Sw3NtMakePermanentObject( + IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtMakeTemporaryObject( + IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtManagePartition( + IN HANDLE TargetHandle, + IN HANDLE SourceHandle, + IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, + IN OUT PVOID PartitionInformation, + IN ULONG PartitionInformationLength); + +EXTERN_C NTSTATUS Sw3NtMapCMFModule( + IN ULONG What, + IN ULONG Index, + OUT PULONG CacheIndexOut OPTIONAL, + OUT PULONG CacheFlagsOut OPTIONAL, + OUT PULONG ViewSizeOut OPTIONAL, + OUT PVOID BaseAddress OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPages( + IN PVOID VirtualAddress, + IN PULONG NumberOfPages, + IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSectionEx( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PLARGE_INTEGER SectionOffset, + IN OUT PPVOID BaseAddress, + IN OUT PSIZE_T ViewSize, + IN ULONG AllocationType, + IN ULONG Protect, + IN OUT PVOID DataBuffer OPTIONAL, + IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtModifyBootEntry( + IN PBOOT_ENTRY BootEntry); + +EXTERN_C NTSTATUS Sw3NtModifyDriverEntry( + IN PEFI_DRIVER_ENTRY DriverEntry); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_NOTIFY_INFORMATION Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFileEx( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID 
ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeKey( + IN HANDLE KeyHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT PVOID Buffer OPTIONAL, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeMultipleKeys( + IN HANDLE MasterKeyHandle, + IN ULONG Count OPTIONAL, + IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT PVOID Buffer OPTIONAL, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeSession( + IN HANDLE SessionHandle, + IN ULONG ChangeSequenceNumber, + IN PLARGE_INTEGER ChangeTimeStamp, + IN IO_SESSION_EVENT Event, + IN IO_SESSION_STATE NewState, + IN IO_SESSION_STATE PreviousState, + IN PVOID Payload OPTIONAL, + IN ULONG PayloadSize); + +EXTERN_C NTSTATUS Sw3NtOpenEnlistment( + OUT PHANDLE EnlistmentHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE ResourceManagerHandle, + IN LPGUID EnlistmentGuid, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEventPair( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenIoCompletion( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS 
Sw3NtOpenKeyEx( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransacted( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransactedEx( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG OpenOptions, + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyedEvent( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenMutant( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK GrantedAccess, + IN PPRIVILEGE_SET Privileges OPTIONAL, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtOpenPartition( + OUT PHANDLE PartitionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenPrivateNamespace( + OUT PHANDLE NamespaceHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenRegistryTransaction( + OUT PHANDLE RegistryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenResourceManager( + OUT PHANDLE ResourceManagerHandle, + IN ACCESS_MASK 
DesiredAccess, + IN HANDLE TmHandle, + IN LPGUID ResourceManagerGuid OPTIONAL, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSession( + OUT PHANDLE SessionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSymbolicLinkObject( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenTransaction( + OUT PHANDLE TransactionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN LPGUID Uow, + IN HANDLE TmHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTransactionManager( + OUT PHANDLE TmHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PUNICODE_STRING LogFileName OPTIONAL, + IN LPGUID TmIdentity OPTIONAL, + IN ULONG OpenOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPlugPlayControl( + IN PLUGPLAY_CONTROL_CLASS PnPControlClass, + IN OUT PVOID PnPControlData, + IN ULONG PnPControlDataLength); + +EXTERN_C NTSTATUS Sw3NtPrePrepareComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrePrepareEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + 
+EXTERN_C NTSTATUS Sw3NtPrivilegeCheck( + IN HANDLE ClientToken, + IN OUT PPRIVILEGE_SET RequiredPrivileges, + OUT PBOOLEAN Result); + +EXTERN_C NTSTATUS Sw3NtPrivilegeObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPrivilegedServiceAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPropagationComplete( + IN HANDLE ResourceManagerHandle, + IN ULONG RequestCookie, + IN ULONG BufferLength, + IN PVOID Buffer); + +EXTERN_C NTSTATUS Sw3NtPropagationFailed( + IN HANDLE ResourceManagerHandle, + IN ULONG RequestCookie, + IN NTSTATUS PropStatus); + +EXTERN_C NTSTATUS Sw3NtPulseEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryAuxiliaryCounterFrequency( + OUT PULONGLONG lpAuxiliaryCounterFrequency); + +EXTERN_C NTSTATUS Sw3NtQueryBootEntryOrder( + OUT PULONG Ids OPTIONAL, + IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryBootOptions( + OUT PBOOT_OPTIONS BootOptions OPTIONAL, + IN OUT PULONG BootOptionsLength); + +EXTERN_C NTSTATUS Sw3NtQueryDebugFilterState( + IN ULONG ComponentId, + IN ULONG Level); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFileEx( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN ULONG QueryFlags, + IN PUNICODE_STRING FileName OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryObject( + IN HANDLE DirectoryHandle, + OUT PVOID Buffer OPTIONAL, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN BOOLEAN RestartScan, + IN OUT PULONG Context, + OUT PULONG ReturnLength 
OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDriverEntryOrder( + IN PULONG Ids OPTIONAL, + IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryEaFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_FULL_EA_INFORMATION Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, + IN ULONG EaListLength, + IN PULONG EaIndex OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtQueryInformationAtom( + IN USHORT Atom, + IN ATOM_INFORMATION_CLASS AtomInformationClass, + OUT PVOID AtomInformation, + IN ULONG AtomInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationByName( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtQueryInformationEnlistment( + IN HANDLE EnlistmentHandle, + IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + OUT PVOID EnlistmentInformation, + IN ULONG EnlistmentInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + OUT PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationPort( + IN HANDLE PortHandle, + IN PORT_INFORMATION_CLASS PortInformationClass, + OUT PVOID PortInformation, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationResourceManager( + IN HANDLE ResourceManagerHandle, + IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + OUT PVOID ResourceManagerInformation, + IN ULONG ResourceManagerInformationLength, + OUT PULONG 
ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransaction( + IN HANDLE TransactionHandle, + IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + OUT PVOID TransactionInformation, + IN ULONG TransactionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransactionManager( + IN HANDLE TransactionManagerHandle, + IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, + OUT PVOID TransactionManagerInformation, + IN ULONG TransactionManagerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + OUT PVOID WorkerFactoryInformation, + IN ULONG WorkerFactoryInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInstallUILanguage( + OUT PLANGID InstallUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueryIntervalProfile( + IN KPROFILE_SOURCE ProfileSource, + OUT PULONG Interval); + +EXTERN_C NTSTATUS Sw3NtQueryIoCompletion( + IN HANDLE IoCompletionHandle, + IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + OUT PVOID IoCompletionInformation, + IN ULONG IoCompletionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryLicenseValue( + IN PUNICODE_STRING ValueName, + OUT PULONG Type OPTIONAL, + OUT PVOID SystemData OPTIONAL, + IN ULONG DataSize, + OUT PULONG ResultDataSize); + +EXTERN_C NTSTATUS Sw3NtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_VALUE_ENTRY ValueEntries, + IN ULONG EntryCount, + OUT PVOID ValueBuffer, + IN PULONG BufferLength, + OUT PULONG RequiredBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryMutant( + IN HANDLE MutantHandle, + IN MUTANT_INFORMATION_CLASS MutantInformationClass, + OUT PVOID MutantInformation, + IN ULONG MutantInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS 
Sw3NtQueryOpenSubKeys( + IN POBJECT_ATTRIBUTES TargetKey, + OUT PULONG HandleCount); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeysEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG BufferLength, + OUT PVOID Buffer, + OUT PULONG RequiredSize); + +EXTERN_C NTSTATUS Sw3NtQueryPortInformationProcess(); + +EXTERN_C NTSTATUS Sw3NtQueryQuotaInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_USER_QUOTA_INFORMATION Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, + IN ULONG SidListLength, + IN PSID StartSid OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityAttributesToken( + IN HANDLE TokenHandle, + IN PUNICODE_STRING Attributes OPTIONAL, + IN ULONG NumberOfAttributes, + OUT PVOID Buffer, + IN ULONG Length, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, + IN ULONG Length, + OUT PULONG LengthNeeded); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityPolicy( + IN ULONG_PTR UnknownParameter1, + IN ULONG_PTR UnknownParameter2, + IN ULONG_PTR UnknownParameter3, + IN ULONG_PTR UnknownParameter4, + IN ULONG_PTR UnknownParameter5, + IN ULONG_PTR UnknownParameter6); + +EXTERN_C NTSTATUS Sw3NtQuerySemaphore( + IN HANDLE SemaphoreHandle, + IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + OUT PVOID SemaphoreInformation, + IN ULONG SemaphoreInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySymbolicLinkObject( + IN HANDLE LinkHandle, + IN OUT PUNICODE_STRING LinkTarget, + OUT PULONG ReturnedLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValue( + IN PUNICODE_STRING VariableName, + OUT PVOID VariableValue, + IN ULONG ValueLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValueEx( + IN PUNICODE_STRING VariableName, + IN 
LPGUID VendorGuid, + OUT PVOID Value OPTIONAL, + IN OUT PULONG ValueLength, + OUT PULONG Attributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformationEx( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT PVOID SystemInformation OPTIONAL, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryTimerResolution( + OUT PULONG MaximumTime, + OUT PULONG MinimumTime, + OUT PULONG CurrentTime); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN PVOID ExplicitScope OPTIONAL, + OUT PWNF_CHANGE_STAMP ChangeStamp, + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferSize); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateNameInformation( + IN PCWNF_STATE_NAME StateName, + IN PCWNF_TYPE_ID NameInfoClass, + IN PVOID ExplicitScope OPTIONAL, + OUT PVOID InfoBuffer, + IN ULONG InfoBufferSize); + +EXTERN_C NTSTATUS Sw3NtQueueApcThreadEx( + IN HANDLE ThreadHandle, + IN HANDLE UserApcReserveHandle OPTIONAL, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcArgument1 OPTIONAL, + IN PVOID ApcArgument2 OPTIONAL, + IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRaiseException( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT ContextRecord, + IN BOOLEAN FirstChance); + +EXTERN_C NTSTATUS Sw3NtRaiseHardError( + IN NTSTATUS ErrorStatus, + IN ULONG NumberOfParameters, + IN ULONG UnicodeStringParameterMask, + IN PULONG_PTR Parameters, + IN ULONG ValidResponseOptions, + OUT PULONG Response); + +EXTERN_C NTSTATUS Sw3NtReadOnlyEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverEnlistment( + IN HANDLE EnlistmentHandle, + IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverResourceManager( + IN HANDLE ResourceManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRecoverTransactionManager( + IN HANDLE TransactionManagerHandle); + +EXTERN_C 
NTSTATUS Sw3NtRegisterProtocolAddressInformation( + IN HANDLE ResourceManager, + IN LPGUID ProtocolId, + IN ULONG ProtocolInformationSize, + IN PVOID ProtocolInformation, + IN ULONG CreateOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRegisterThreadTerminatePort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtReleaseKeyedEvent( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseWorkerFactoryWorker( + IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletionEx( + IN HANDLE IoCompletionHandle, + OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, + IN ULONG Count, + OUT PULONG NumEntriesRemoved, + IN PLARGE_INTEGER Timeout OPTIONAL, + IN BOOLEAN Alertable); + +EXTERN_C NTSTATUS Sw3NtRemoveProcessDebug( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName); + +EXTERN_C NTSTATUS Sw3NtRenameTransactionManager( + IN PUNICODE_STRING LogFileName, + IN LPGUID ExistingTransactionManagerGuid); + +EXTERN_C NTSTATUS Sw3NtReplaceKey( + IN POBJECT_ATTRIBUTES NewFile, + IN HANDLE TargetHandle, + IN POBJECT_ATTRIBUTES OldFile); + +EXTERN_C NTSTATUS Sw3NtReplacePartitionUnit( + IN PUNICODE_STRING TargetInstancePath, + IN PUNICODE_STRING SpareInstancePath, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReplyPort( + IN HANDLE PortHandle, + IN OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtRequestPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage); + +EXTERN_C NTSTATUS Sw3NtResetEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResetWriteWatch( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN ULONG RegionSize); + +EXTERN_C NTSTATUS Sw3NtRestoreKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtResumeProcess( + IN HANDLE ProcessHandle); + 
+EXTERN_C NTSTATUS Sw3NtRevertContainerImpersonation(); + +EXTERN_C NTSTATUS Sw3NtRollbackComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackRegistryTransaction( + IN HANDLE RegistryHandle, + IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtRollbackTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtRollforwardTransactionManager( + IN HANDLE TransactionManagerHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSaveKeyEx( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Format); + +EXTERN_C NTSTATUS Sw3NtSaveMergedKeys( + IN HANDLE HighPrecedenceKeyHandle, + IN HANDLE LowPrecedenceKeyHandle, + IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSecureConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, + IN PSID RequiredServerSid OPTIONAL, + IN OUT PPORT_SECTION_READ ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSerializeBoot(); + +EXTERN_C NTSTATUS Sw3NtSetBootEntryOrder( + IN PULONG Ids, + IN ULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetBootOptions( + IN PBOOT_OPTIONS BootOptions, + IN ULONG FieldsToChange); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel( + IN ULONG Flags, + IN SE_SIGNING_LEVEL InputSigningLevel, + IN PHANDLE SourceFiles, + IN ULONG SourceFileCount, + IN HANDLE TargetFile OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel2( + IN ULONG Flags, + IN ULONG InputSigningLevel, + IN PHANDLE SourceFiles, + IN ULONG SourceFileCount, + IN HANDLE TargetFile OPTIONAL, 
+ IN PVOID LevelInformation OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetContextThread( + IN HANDLE ThreadHandle, + IN PCONTEXT Context); + +EXTERN_C NTSTATUS Sw3NtSetDebugFilterState( + IN ULONG ComponentId, + IN ULONG Level, + IN BOOLEAN State); + +EXTERN_C NTSTATUS Sw3NtSetDefaultHardErrorPort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtSetDefaultLocale( + IN BOOLEAN UserProfile, + IN LCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtSetDefaultUILanguage( + IN LANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtSetDriverEntryOrder( + IN PULONG Ids, + IN PULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetEaFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_FULL_EA_INFORMATION EaBuffer, + IN ULONG EaBufferSize); + +EXTERN_C NTSTATUS Sw3NtSetHighEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetHighWaitLowEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetIRTimer( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationDebugObject( + IN HANDLE DebugObject, + IN DEBUGOBJECTINFOCLASS InformationClass, + IN PVOID Information, + IN ULONG InformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationEnlistment( + IN HANDLE EnlistmentHandle, + IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + IN PVOID EnlistmentInformation, + IN ULONG EnlistmentInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + IN PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationKey( + IN HANDLE KeyHandle, + IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, + IN PVOID KeySetInformation, + IN ULONG KeySetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationResourceManager( + IN HANDLE ResourceManagerHandle, + IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + IN 
PVOID ResourceManagerInformation, + IN ULONG ResourceManagerInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationSymbolicLink( + IN HANDLE Handle, + IN ULONG Class, + IN PVOID Buffer, + IN ULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + IN PVOID TokenInformation, + IN ULONG TokenInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransaction( + IN HANDLE TransactionHandle, + IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, + IN PVOID TransactionInformation, + IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransactionManager( + IN HANDLE TransactionHandle, + IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + IN PVOID TransactionInformation, + IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationVirtualMemory( + IN HANDLE ProcessHandle, + IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, + IN ULONG_PTR NumberOfEntries, + IN PMEMORY_RANGE_ENTRY VirtualAddresses, + IN PVOID VmInformation, + IN ULONG VmInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + IN PVOID WorkerFactoryInformation, + IN ULONG WorkerFactoryInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetIntervalProfile( + IN ULONG Interval, + IN KPROFILE_SOURCE Source); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletion( + IN HANDLE IoCompletionHandle, + IN ULONG CompletionKey, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN NTSTATUS CompletionStatus, + IN ULONG NumberOfBytesTransfered); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletionEx( + IN HANDLE IoCompletionHandle, + IN HANDLE IoCompletionPacketHandle, + IN PVOID KeyContext OPTIONAL, + IN PVOID ApcContext OPTIONAL, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation); + +EXTERN_C NTSTATUS Sw3NtSetLdtEntries( + IN ULONG Selector0, + IN ULONG 
Entry0Low, + IN ULONG Entry0Hi, + IN ULONG Selector1, + IN ULONG Entry1Low, + IN ULONG Entry1Hi); + +EXTERN_C NTSTATUS Sw3NtSetLowEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetLowWaitHighEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetQuotaInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_USER_QUOTA_INFORMATION Buffer, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValue( + IN PUNICODE_STRING VariableName, + IN PUNICODE_STRING Value); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValueEx( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + IN PVOID Value OPTIONAL, + IN ULONG ValueLength, + IN ULONG Attributes); + +EXTERN_C NTSTATUS Sw3NtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetSystemPowerState( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE MinSystemState, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtSetSystemTime( + IN PLARGE_INTEGER SystemTime, + OUT PLARGE_INTEGER PreviousTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetThreadExecutionState( + IN EXECUTION_STATE ExecutionState, + OUT PEXECUTION_STATE PreviousExecutionState); + +EXTERN_C NTSTATUS Sw3NtSetTimer2( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN PLARGE_INTEGER Period OPTIONAL, + IN PT2_SET_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtSetTimerEx( + IN HANDLE TimerHandle, + IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, + IN OUT PVOID TimerSetInformation OPTIONAL, + IN ULONG TimerSetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetTimerResolution( + IN ULONG DesiredResolution, + IN BOOLEAN SetResolution, + OUT PULONG CurrentResolution); + +EXTERN_C NTSTATUS 
Sw3NtSetUuidSeed( + IN PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtSetVolumeInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileSystemInformation, + IN ULONG Length, + IN FSINFOCLASS FileSystemInformationClass); + +EXTERN_C NTSTATUS Sw3NtSetWnfProcessNotificationEvent( + IN HANDLE NotificationEvent); + +EXTERN_C NTSTATUS Sw3NtShutdownSystem( + IN SHUTDOWN_ACTION Action); + +EXTERN_C NTSTATUS Sw3NtShutdownWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN OUT PLONG PendingWorkerCount); + +EXTERN_C NTSTATUS Sw3NtSignalAndWaitForSingleObject( + IN HANDLE hObjectToSignal, + IN HANDLE hObjectToWaitOn, + IN BOOLEAN bAlertable, + IN PLARGE_INTEGER dwMilliseconds OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSinglePhaseReject( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtStartProfile( + IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtStopProfile( + IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtSubscribeWnfStateChange( + IN PCWNF_STATE_NAME StateName, + IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, + IN ULONG EventMask, + OUT PLARGE_INTEGER SubscriptionId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSuspendProcess( + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtSuspendThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount); + +EXTERN_C NTSTATUS Sw3NtSystemDebugControl( + IN DEBUG_CONTROL_CODE Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateEnclave( + IN PVOID BaseAddress, + IN BOOLEAN WaitForThread); + +EXTERN_C NTSTATUS Sw3NtTerminateJobObject( + IN HANDLE JobHandle, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtTestAlert(); + +EXTERN_C NTSTATUS Sw3NtThawRegistry(); + +EXTERN_C NTSTATUS Sw3NtThawTransactions(); + +EXTERN_C NTSTATUS Sw3NtTraceControl( + IN ULONG FunctionCode, + IN PVOID InputBuffer 
OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtTranslateFilePath( + IN PFILE_PATH InputFilePath, + IN ULONG OutputType, + OUT PFILE_PATH OutputFilePath OPTIONAL, + IN OUT PULONG OutputFilePathLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUmsThreadYield( + IN PVOID SchedulerParam); + +EXTERN_C NTSTATUS Sw3NtUnloadDriver( + IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey( + IN POBJECT_ATTRIBUTES DestinationKeyName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnloadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN HANDLE Event OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUnlockFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PULARGE_INTEGER ByteOffset, + IN PULARGE_INTEGER Length, + IN ULONG Key); + +EXTERN_C NTSTATUS Sw3NtUnlockVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID * BaseAddress, + IN PSIZE_T NumberOfBytesToUnlock, + IN ULONG LockType); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSectionEx( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnsubscribeWnfStateChange( + IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtUpdateWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PVOID Buffer OPTIONAL, + IN ULONG Length OPTIONAL, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN PVOID ExplicitScope OPTIONAL, + IN WNF_CHANGE_STAMP MatchingChangeStamp, + IN ULONG CheckStamp); + +EXTERN_C NTSTATUS Sw3NtVdmControl( + IN VDMSERVICECLASS Service, + IN OUT PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtWaitForAlertByThreadId( + IN HANDLE Handle, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForDebugEvent( + IN HANDLE DebugObjectHandle, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL, + OUT PVOID WaitStateChange); + +EXTERN_C NTSTATUS Sw3NtWaitForKeyedEvent( + IN 
HANDLE KeyedEventHandle, + IN PVOID Key, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForWorkViaWorkerFactory( + IN HANDLE WorkerFactoryHandle, + OUT PVOID MiniPacket); + +EXTERN_C NTSTATUS Sw3NtWaitHighEventPair( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtWaitLowEventPair( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtAcquireCMFViewOwnership( + OUT BOOLEAN TimeStamp, + OUT BOOLEAN TokenTaken, + IN BOOLEAN ReplaceExisting); + +EXTERN_C NTSTATUS Sw3NtCancelDeviceWakeupRequest( + IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtClearAllSavepointsTransaction( + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtClearSavepointTransaction( + IN HANDLE TransactionHandle, + IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtRollbackSavepointTransaction( + IN HANDLE TransactionHandle, + IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Flag, + OUT ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointComplete( + IN HANDLE TransactionHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSectionEx( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PLARGE_INTEGER MaximumSize OPTIONAL, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN HANDLE FileHandle OPTIONAL, + IN PMEM_EXTENDED_PARAMETER ExtendedParameters, + IN ULONG ExtendedParametersCount); + +EXTERN_C NTSTATUS Sw3NtCreateCrossVmEvent(); + +EXTERN_C NTSTATUS Sw3NtGetPlugPlayEvent( + IN HANDLE EventHandle, + IN PVOID Context OPTIONAL, + OUT PPLUGPLAY_EVENT_BLOCK EventBlock, + IN ULONG EventBufferSize); + +EXTERN_C NTSTATUS Sw3NtListTransactions(); + +EXTERN_C NTSTATUS Sw3NtMarshallTransaction(); + +EXTERN_C NTSTATUS Sw3NtPullTransaction(); + +EXTERN_C NTSTATUS Sw3NtReleaseCMFViewOwnership(); + +EXTERN_C NTSTATUS Sw3NtWaitForWnfNotifications(); + +EXTERN_C NTSTATUS 
Sw3NtStartTm(); + +EXTERN_C NTSTATUS Sw3NtSetInformationProcess( + IN HANDLE DeviceHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtRequestDeviceWakeup( + IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtRequestWakeupLatency( + IN ULONG LatencyTime); + +EXTERN_C NTSTATUS Sw3NtQuerySystemTime( + OUT PLARGE_INTEGER SystemTime); + +EXTERN_C NTSTATUS Sw3NtManageHotPatch( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2, + IN ULONG UnknownParameter3, + IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtContinueEx( + IN PCONTEXT ContextRecord, + IN PKCONTINUE_ARGUMENT ContinueArgument); + +#endif diff --git a/SysWhispers3/example-output/syscalls_all_-asm.x64.asm b/SysWhispers3/example-output/syscalls_all_-asm.x64.asm new file mode 100644 index 0000000..43c7670 --- /dev/null +++ b/SysWhispers3/example-output/syscalls_all_-asm.x64.asm 
@@ -0,0 +1,9647 @@ +.code + +EXTERN SW3_GetSyscallNumber: PROC + +EXTERN SW3_GetSyscallAddress: PROC + +Sw3NtAccessCheck PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C965F2CBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C965F2CBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheck ENDP + +Sw3NtWorkerFactoryWorkerReady PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 081A87FD1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 081A87FD1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWorkerFactoryWorkerReady ENDP + +Sw3NtAcceptConnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0204E19ECh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0204E19ECh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAcceptConnectPort ENDP + +Sw3NtMapUserPhysicalPagesScatter PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A3A2E771h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A3A2E771h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMapUserPhysicalPagesScatter ENDP + +Sw3NtWaitForSingleObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A09ED260h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A09ED260h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForSingleObject ENDP + +Sw3NtCallbackReturn PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00A9FC9CEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00A9FC9CEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCallbackReturn ENDP + +Sw3NtReadFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A57BC5ABh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A57BC5ABh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReadFile ENDP + +Sw3NtDeviceIoControlFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E83EF884h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E83EF884h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeviceIoControlFile ENDP + +Sw3NtWriteFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0729A044Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0729A044Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWriteFile ENDP + +Sw3NtRemoveIoCompletion PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01E16E01Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01E16E01Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRemoveIoCompletion ENDP + +Sw3NtReleaseSemaphore PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01C8E0E1Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01C8E0E1Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReleaseSemaphore ENDP + +Sw3NtReplyWaitReceivePort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E170E2FFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E170E2FFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReplyWaitReceivePort ENDP + +Sw3NtReplyPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0803183BEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0803183BEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReplyPort ENDP + +Sw3NtSetInformationThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A41F2701h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A41F2701h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationThread ENDP + +Sw3NtSetEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01183F3F5h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01183F3F5h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetEvent ENDP + +Sw3NtClose PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E4944492h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E4944492h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtClose ENDP + +Sw3NtQueryObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 006DE3A75h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 006DE3A75h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryObject ENDP + +Sw3NtQueryInformationFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02A9AB4AEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02A9AB4AEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationFile ENDP + +Sw3NtOpenKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 021144EF1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 021144EF1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenKey ENDP + +Sw3NtEnumerateValueKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0011D32A4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0011D32A4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnumerateValueKey ENDP + +Sw3NtFindAtom PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0ED7EEEEBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0ED7EEEEBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFindAtom ENDP + +Sw3NtQueryDefaultLocale PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0812ECFFDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0812ECFFDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDefaultLocale ENDP + +Sw3NtQueryKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FC79CFC2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FC79CFC2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryKey ENDP + +Sw3NtQueryValueKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08F9EB228h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08F9EB228h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryValueKey ENDP + +Sw3NtAllocateVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 003933D25h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 003933D25h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAllocateVirtualMemory ENDP + +Sw3NtQueryInformationProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0822B83A7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0822B83A7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationProcess ENDP + +Sw3NtWaitForMultipleObjects32 PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0168F3166h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0168F3166h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForMultipleObjects32 ENDP + +Sw3NtWriteFileGather PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0318E5D1Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0318E5D1Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWriteFileGather ENDP + +Sw3NtCreateKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08DFFB044h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08DFFB044h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateKey ENDP + +Sw3NtFreeVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04C580299h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04C580299h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFreeVirtualMemory ENDP + +Sw3NtImpersonateClientOfPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 078F042BEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 078F042BEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtImpersonateClientOfPort ENDP + +Sw3NtReleaseMutant PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B929ECF1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B929ECF1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReleaseMutant ENDP + +Sw3NtQueryInformationToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0994887C4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0994887C4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationToken ENDP + +Sw3NtRequestWaitReplyPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A8314B5Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A8314B5Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRequestWaitReplyPort ENDP + +Sw3NtQueryVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09B098F85h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09B098F85h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryVirtualMemory ENDP + +Sw3NtOpenThreadToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D38625C6h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D38625C6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenThreadToken ENDP + +Sw3NtQueryInformationThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 012CE4873h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 012CE4873h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationThread ENDP + +Sw3NtOpenProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CDAFCA3Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CDAFCA3Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenProcess ENDP + +Sw3NtSetInformationFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09B104927h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09B104927h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationFile ENDP + +Sw3NtMapViewOfSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 014CC1651h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 014CC1651h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMapViewOfSection ENDP + +Sw3NtAccessCheckAndAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FA551E04h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FA551E04h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheckAndAuditAlarm ENDP + +Sw3NtUnmapViewOfSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09EC65C93h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09EC65C93h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnmapViewOfSection ENDP + +Sw3NtReplyWaitReceivePortEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0858E67F5h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0858E67F5h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReplyWaitReceivePortEx ENDP + +Sw3NtTerminateProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05F872F8Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05F872F8Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTerminateProcess ENDP + +Sw3NtSetEventBoostPriority PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04716739Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04716739Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetEventBoostPriority ENDP + +Sw3NtReadFileScatter PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 021A8372Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 021A8372Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReadFileScatter ENDP + +Sw3NtOpenThreadTokenEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07440CA75h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07440CA75h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenThreadTokenEx ENDP + +Sw3NtOpenProcessTokenEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 078430AB8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 078430AB8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenProcessTokenEx ENDP + +Sw3NtQueryPerformanceCounter PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05B8C6521h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05B8C6521h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryPerformanceCounter ENDP + +Sw3NtEnumerateKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A2DEB744h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A2DEB744h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnumerateKey ENDP + +Sw3NtOpenFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0051DF979h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0051DF979h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenFile ENDP + +Sw3NtDelayExecution PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01AB47C2Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01AB47C2Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDelayExecution ENDP + +Sw3NtQueryDirectoryFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 078D88BC0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 078D88BC0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDirectoryFile ENDP + +Sw3NtQuerySystemInformation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00916218Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00916218Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySystemInformation ENDP + +Sw3NtOpenSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04EA93643h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04EA93643h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenSection ENDP + +Sw3NtQueryTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 035AF616Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 035AF616Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryTimer ENDP + +Sw3NtFsControlFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A31A69BFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A31A69BFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFsControlFile ENDP + +Sw3NtWriteVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03DAE29C3h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03DAE29C3h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWriteVirtualMemory ENDP + +Sw3NtCloseObjectAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B6384DB0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B6384DB0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCloseObjectAuditAlarm ENDP + +Sw3NtDuplicateObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C31CC380h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C31CC380h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDuplicateObject ENDP + +Sw3NtQueryAttributesFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07AB8701Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07AB8701Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryAttributesFile ENDP + +Sw3NtClearEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F863E3F4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F863E3F4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtClearEvent ENDP + +Sw3NtReadVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 015A90125h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 015A90125h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReadVirtualMemory ENDP + +Sw3NtOpenEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 038812924h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 038812924h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenEvent ENDP + +Sw3NtAdjustPrivilegesToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 005A20B3Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 005A20B3Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAdjustPrivilegesToken ENDP + +Sw3NtDuplicateToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0AB95D777h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0AB95D777h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDuplicateToken ENDP + +Sw3NtContinue PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01486710Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01486710Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtContinue ENDP + +Sw3NtQueryDefaultUILanguage PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D38C35CDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D38C35CDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDefaultUILanguage ENDP + +Sw3NtQueueApcThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08AACC278h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08AACC278h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueueApcThread ENDP + +Sw3NtYieldExecution PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0095609C1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0095609C1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtYieldExecution ENDP + +Sw3NtAddAtom PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 025BC202Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 025BC202Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAddAtom ENDP + +Sw3NtCreateEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C8F775DEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C8F775DEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateEvent ENDP + +Sw3NtQueryVolumeInformationFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 044D3BD41h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 044D3BD41h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryVolumeInformationFile ENDP + +Sw3NtCreateSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0429D4009h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0429D4009h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateSection ENDP + +Sw3NtFlushBuffersFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 022B4FAF2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 022B4FAF2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushBuffersFile ENDP + +Sw3NtApphelpCacheControl PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00BA6033Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00BA6033Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtApphelpCacheControl ENDP + +Sw3NtCreateProcessEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A7AA6BFEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A7AA6BFEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateProcessEx ENDP + +Sw3NtCreateThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CE961430h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CE961430h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateThread ENDP + +Sw3NtIsProcessInJob PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 069135941h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 069135941h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtIsProcessInJob ENDP + +Sw3NtProtectVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 003930D15h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 003930D15h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtProtectVirtualMemory ENDP + +Sw3NtQuerySection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08F23AFB1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08F23AFB1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySection ENDP + +Sw3NtResumeThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 088AE0A87h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 088AE0A87h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtResumeThread ENDP + +Sw3NtTerminateThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09920819Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09920819Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTerminateThread ENDP + +Sw3NtReadRequestData PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05609B846h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05609B846h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReadRequestData ENDP + +Sw3NtCreateFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02A7BCB3Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02A7BCB3Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateFile ENDP + +Sw3NtQueryEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0608A651Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0608A651Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryEvent ENDP + +Sw3NtWriteRequestData PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00DCFDDF3h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00DCFDDF3h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWriteRequestData ENDP + +Sw3NtOpenDirectoryObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 066BA8EE7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 066BA8EE7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenDirectoryObject ENDP + +Sw3NtAccessCheckByTypeAndAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 030B7D22Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 030B7D22Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheckByTypeAndAuditAlarm ENDP + +Sw3NtWaitForMultipleObjects PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D2ACC223h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D2ACC223h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForMultipleObjects ENDP + +Sw3NtSetInformationObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B629C6C5h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B629C6C5h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationObject ENDP + +Sw3NtCancelIoFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B9218E7Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B9218E7Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelIoFile ENDP + +Sw3NtTraceEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DB562323h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DB562323h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTraceEvent ENDP + +Sw3NtPowerInformation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00AD3208Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00AD3208Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPowerInformation ENDP + +Sw3NtSetValueKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01E552BE8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01E552BE8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetValueKey ENDP + +Sw3NtCancelTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 083BB1CB1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 083BB1CB1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelTimer ENDP + +Sw3NtSetTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01CAFE1C4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01CAFE1C4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetTimer ENDP + +Sw3NtAccessCheckByType PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FCB2F61Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FCB2F61Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheckByType ENDP + +Sw3NtAccessCheckByTypeResultList PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 035B05FAEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 035B05FAEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheckByTypeResultList ENDP + +Sw3NtAccessCheckByTypeResultListAndAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00E50CC00h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00E50CC00h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheckByTypeResultListAndAuditAlarm ENDP + +Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09B97A302h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09B97A302h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle ENDP + +Sw3NtAcquireProcessActivityReference PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 028EB6556h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 028EB6556h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAcquireProcessActivityReference ENDP + +Sw3NtAddAtomEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C59532EDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C59532EDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAddAtomEx ENDP + +Sw3NtAddBootEntry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00F961B3Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00F961B3Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAddBootEntry ENDP + +Sw3NtAddDriverEntry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 009903534h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 009903534h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAddDriverEntry ENDP + +Sw3NtAdjustGroupsToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08F99FB18h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08F99FB18h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAdjustGroupsToken ENDP + +Sw3NtAdjustTokenClaimsAndDeviceGroups PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 053BD5F27h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 053BD5F27h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAdjustTokenClaimsAndDeviceGroups ENDP + +Sw3NtAlertResumeThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 078D2666Bh ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 078D2666Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlertResumeThread ENDP + +Sw3NtAlertThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FA5CE4DDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FA5CE4DDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlertThread ENDP + +Sw3NtAlertThreadByThreadId PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04CB57E62h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04CB57E62h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlertThreadByThreadId ENDP + +Sw3NtAllocateLocallyUniqueId PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 097B4F33Ch ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 097B4F33Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAllocateLocallyUniqueId ENDP + +Sw3NtAllocateReserveObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0089598B9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0089598B9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAllocateReserveObject ENDP + +Sw3NtAllocateUserPhysicalPages PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09FAEE84Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09FAEE84Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAllocateUserPhysicalPages ENDP + +Sw3NtAllocateUuids PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0298D4F75h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0298D4F75h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAllocateUuids ENDP + +Sw3NtAllocateVirtualMemoryEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B4B1EE63h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B4B1EE63h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAllocateVirtualMemoryEx ENDP + +Sw3NtAlpcAcceptConnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02CB5171Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02CB5171Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcAcceptConnectPort ENDP + +Sw3NtAlpcCancelMessage PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09242536Fh ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09242536Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcCancelMessage ENDP + +Sw3NtAlpcConnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03EA1DD3Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03EA1DD3Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcConnectPort ENDP + +Sw3NtAlpcConnectPortEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0639D9F19h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0639D9F19h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcConnectPortEx ENDP + +Sw3NtAlpcCreatePort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 064BF632Ch ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 064BF632Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcCreatePort ENDP + +Sw3NtAlpcCreatePortSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0726952FBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0726952FBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcCreatePortSection ENDP + +Sw3NtAlpcCreateResourceReserve PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F2AC5EE2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F2AC5EE2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcCreateResourceReserve ENDP + +Sw3NtAlpcCreateSectionView PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0923A83A1h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0923A83A1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcCreateSectionView ENDP + +Sw3NtAlpcCreateSecurityContext PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D742D2D3h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D742D2D3h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcCreateSecurityContext ENDP + +Sw3NtAlpcDeletePortSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E00FE09Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E00FE09Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcDeletePortSection ENDP + +Sw3NtAlpcDeleteResourceReserve PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01F5335DDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01F5335DDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcDeleteResourceReserve ENDP + +Sw3NtAlpcDeleteSectionView PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F0ACE530h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F0ACE530h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcDeleteSectionView ENDP + +Sw3NtAlpcDeleteSecurityContext PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03690C3F9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03690C3F9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. 
+Sw3NtAlpcDeleteSecurityContext ENDP + +Sw3NtAlpcDisconnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 060F77B78h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 060F77B78h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcDisconnectPort ENDP + +Sw3NtAlpcImpersonateClientContainerOfPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DCB7B354h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DCB7B354h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcImpersonateClientContainerOfPort ENDP + +Sw3NtAlpcImpersonateClientOfPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A032CDACh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A032CDACh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcImpersonateClientOfPort ENDP + +Sw3NtAlpcOpenSenderProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 013AF0E22h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 013AF0E22h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcOpenSenderProcess ENDP + +Sw3NtAlpcOpenSenderThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E84F35FEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E84F35FEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcOpenSenderThread ENDP + +Sw3NtAlpcQueryInformation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05CCB7E87h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05CCB7E87h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcQueryInformation ENDP + +Sw3NtAlpcQueryInformationMessage PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09E2E5B0Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09E2E5B0Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcQueryInformationMessage ENDP + +Sw3NtAlpcRevokeSecurityContext PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08E9279D2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08E9279D2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcRevokeSecurityContext ENDP + +Sw3NtAlpcSendWaitReceivePort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DC71D3E2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DC71D3E2h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcSendWaitReceivePort ENDP + +Sw3NtAlpcSetInformation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00CD60E47h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00CD60E47h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAlpcSetInformation ENDP + +Sw3NtAreMappedFilesTheSame PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E1DDE647h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E1DDE647h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAreMappedFilesTheSame ENDP + +Sw3NtAssignProcessToJobObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 070DA5F81h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 070DA5F81h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAssignProcessToJobObject ENDP + +Sw3NtAssociateWaitCompletionPacket PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01928FA57h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01928FA57h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAssociateWaitCompletionPacket ENDP + +Sw3NtCallEnclave PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0973B7EB9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0973B7EB9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCallEnclave ENDP + +Sw3NtCancelIoFileEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A95AC9A2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A95AC9A2h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelIoFileEx ENDP + +Sw3NtCancelSynchronousIoFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DC98D803h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DC98D803h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelSynchronousIoFile ENDP + +Sw3NtCancelTimer2 PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03238E935h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03238E935h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelTimer2 ENDP + +Sw3NtCancelWaitCompletionPacket PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0993EB9A2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0993EB9A2h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelWaitCompletionPacket ENDP + +Sw3NtCommitComplete PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D922D7CBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D922D7CBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCommitComplete ENDP + +Sw3NtCommitEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 077D89043h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 077D89043h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCommitEnlistment ENDP + +Sw3NtCommitRegistryTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 003A80732h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 003A80732h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCommitRegistryTransaction ENDP + +Sw3NtCommitTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00843FA0Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00843FA0Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCommitTransaction ENDP + +Sw3NtCompactKeys PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 043BB6C18h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 043BB6C18h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCompactKeys ENDP + +Sw3NtCompareObjects PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 047AF4B2Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 047AF4B2Dh ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCompareObjects ENDP + +Sw3NtCompareSigningLevels PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CE83C917h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CE83C917h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCompareSigningLevels ENDP + +Sw3NtCompareTokens PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0959468DCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0959468DCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCompareTokens ENDP + +Sw3NtCompleteConnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00FAC3C03h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00FAC3C03h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCompleteConnectPort ENDP + +Sw3NtCompressKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07451EB49h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07451EB49h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCompressKey ENDP + +Sw3NtConnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 026B15D3Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 026B15D3Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtConnectPort ENDP + +Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F87AC4F0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F87AC4F0h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter ENDP + +Sw3NtCreateDebugObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0071C7BF7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0071C7BF7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateDebugObject ENDP + +Sw3NtCreateDirectoryObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CC28473Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CC28473Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateDirectoryObject ENDP + +Sw3NtCreateDirectoryObjectEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08B144761h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 08B144761h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateDirectoryObjectEx ENDP + +Sw3NtCreateEnclave PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 048E66424h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 048E66424h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateEnclave ENDP + +Sw3NtCreateEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07FA50653h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07FA50653h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateEnlistment ENDP + +Sw3NtCreateEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FE5DD485h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0FE5DD485h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateEventPair ENDP + +Sw3NtCreateIRTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FBC823E2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FBC823E2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateIRTimer ENDP + +Sw3NtCreateIoCompletion PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04B424DD7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04B424DD7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateIoCompletion ENDP + +Sw3NtCreateJobObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0309C01D1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0309C01D1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateJobObject ENDP + +Sw3NtCreateJobSet PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00EA21C3Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00EA21C3Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateJobSet ENDP + +Sw3NtCreateKeyTransacted PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03EBD1E7Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03EBD1E7Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateKeyTransacted ENDP + +Sw3NtCreateKeyedEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 042A05B04h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 042A05B04h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateKeyedEvent ENDP + +Sw3NtCreateLowBoxToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DF97D62Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DF97D62Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateLowBoxToken ENDP + +Sw3NtCreateMailslotFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0329C5206h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0329C5206h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateMailslotFile ENDP + +Sw3NtCreateMutant PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 012BC2D36h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 012BC2D36h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateMutant ENDP + +Sw3NtCreateNamedPipeFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02CBDBA86h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02CBDBA86h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateNamedPipeFile ENDP + +Sw3NtCreatePagingFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 06CFAA548h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 06CFAA548h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreatePagingFile ENDP + +Sw3NtCreatePartition PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 030177ECFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 030177ECFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreatePartition ENDP + +Sw3NtCreatePort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02E4D3D22h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02E4D3D22h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreatePort ENDP + +Sw3NtCreatePrivateNamespace PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 014BE497Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 014BE497Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreatePrivateNamespace ENDP + +Sw3NtCreateProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E2BBDB10h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0E2BBDB10h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateProcess ENDP + +Sw3NtCreateProfile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F65AFCCAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F65AFCCAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateProfile ENDP + +Sw3NtCreateProfileEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08A9048EBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08A9048EBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateProfileEx ENDP + +Sw3NtCreateRegistryTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F3AFD2FCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0F3AFD2FCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateRegistryTransaction ENDP + +Sw3NtCreateResourceManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B310D1C0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B310D1C0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateResourceManager ENDP + +Sw3NtCreateSemaphore PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01C48C67Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01C48C67Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateSemaphore ENDP + +Sw3NtCreateSymbolicLinkObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 008553AEAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 008553AEAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateSymbolicLinkObject ENDP + +Sw3NtCreateThreadEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07AA7385Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07AA7385Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateThreadEx ENDP + +Sw3NtCreateTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 009932532h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 009932532h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateTimer ENDP + +Sw3NtCreateTimer2 PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03B9AC0B7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 03B9AC0B7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateTimer2 ENDP + +Sw3NtCreateToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FDA935F0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FDA935F0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateToken ENDP + +Sw3NtCreateTokenEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0485A068Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0485A068Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateTokenEx ENDP + +Sw3NtCreateTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F46CD4FFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0F46CD4FFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateTransaction ENDP + +Sw3NtCreateTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 003A9978Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 003A9978Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateTransactionManager ENDP + +Sw3NtCreateUserProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F22BD3B7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F22BD3B7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateUserProcess ENDP + +Sw3NtCreateWaitCompletionPacket PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01581272Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 01581272Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateWaitCompletionPacket ENDP + +Sw3NtCreateWaitablePort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E0B007A2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E0B007A2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateWaitablePort ENDP + +Sw3NtCreateWnfStateName PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02CACBB9Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02CACBB9Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateWnfStateName ENDP + +Sw3NtCreateWorkerFactory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CC92F82Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0CC92F82Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateWorkerFactory ENDP + +Sw3NtDebugActiveProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00EAC0F33h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00EAC0F33h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDebugActiveProcess ENDP + +Sw3NtDebugContinue PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 054CF58A4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 054CF58A4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDebugContinue ENDP + +Sw3NtDeleteAtom PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A3BFA62Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0A3BFA62Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteAtom ENDP + +Sw3NtDeleteBootEntry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00B963722h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00B963722h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteBootEntry ENDP + +Sw3NtDeleteDriverEntry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 049807948h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 049807948h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteDriverEntry ENDP + +Sw3NtDeleteFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02214D103h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 02214D103h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteFile ENDP + +Sw3NtDeleteKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01B0F42DCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01B0F42DCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteKey ENDP + +Sw3NtDeleteObjectAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B22C4844h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B22C4844h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteObjectAuditAlarm ENDP + +Sw3NtDeletePrivateNamespace PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B6903FB5h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0B6903FB5h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeletePrivateNamespace ENDP + +Sw3NtDeleteValueKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 086FBB741h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 086FBB741h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteValueKey ENDP + +Sw3NtDeleteWnfStateData PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 022C64C0Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 022C64C0Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteWnfStateData ENDP + +Sw3NtDeleteWnfStateName PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0BCBC3F9Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0BCBC3F9Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDeleteWnfStateName ENDP + +Sw3NtDisableLastKnownGood PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02D83792Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02D83792Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDisableLastKnownGood ENDP + +Sw3NtDisplayString PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 016CE0E6Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 016CE0E6Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDisplayString ENDP + +Sw3NtDrawText PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EF0BE091h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0EF0BE091h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtDrawText ENDP + +Sw3NtEnableLastKnownGood PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 067F17746h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 067F17746h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnableLastKnownGood ENDP + +Sw3NtEnumerateBootEntries PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0BA85C569h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0BA85C569h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnumerateBootEntries ENDP + +Sw3NtEnumerateDriverEntries PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00A832F13h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 00A832F13h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnumerateDriverEntries ENDP + +Sw3NtEnumerateSystemEnvironmentValuesEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DE4E1C14h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DE4E1C14h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnumerateSystemEnvironmentValuesEx ENDP + +Sw3NtEnumerateTransactionObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01AC2244Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01AC2244Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtEnumerateTransactionObject ENDP + +Sw3NtExtendSection PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 034EB163Bh ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 034EB163Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtExtendSection ENDP + +Sw3NtFilterBootOption PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0048E645Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0048E645Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFilterBootOption ENDP + +Sw3NtFilterToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 085D18B4Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 085D18B4Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFilterToken ENDP + +Sw3NtFilterTokenEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FE9828C6h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FE9828C6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFilterTokenEx ENDP + +Sw3NtFlushBuffersFileEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05E478C1Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05E478C1Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushBuffersFileEx ENDP + +Sw3NtFlushInstallUILanguage PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00FD97E02h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00FD97E02h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushInstallUILanguage ENDP + +Sw3NtFlushInstructionCache PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0059B46BDh ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0059B46BDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushInstructionCache ENDP + +Sw3NtFlushKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 060D84979h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 060D84979h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushKey ENDP + +Sw3NtFlushProcessWriteBuffers PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FAB4D0EBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FAB4D0EBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushProcessWriteBuffers ENDP + +Sw3NtFlushVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08C14829Ch ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08C14829Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushVirtualMemory ENDP + +Sw3NtFlushWriteBuffer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07F5A6FD9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07F5A6FD9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFlushWriteBuffer ENDP + +Sw3NtFreeUserPhysicalPages PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09346ACEEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09346ACEEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFreeUserPhysicalPages ENDP + +Sw3NtFreezeRegistry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04CDA667Fh ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04CDA667Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFreezeRegistry ENDP + +Sw3NtFreezeTransactions PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CF9429CFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CF9429CFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtFreezeTransactions ENDP + +Sw3NtGetCachedSigningLevel PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EEBAE808h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EEBAE808h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetCachedSigningLevel ENDP + +Sw3NtGetCompleteWnfStateSubscription PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 042CA6653h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 042CA6653h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetCompleteWnfStateSubscription ENDP + +Sw3NtGetContextThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00C9E7E4Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00C9E7E4Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetContextThread ENDP + +Sw3NtGetCurrentProcessorNumber PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 006B04E6Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 006B04E6Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetCurrentProcessorNumber ENDP + +Sw3NtGetCurrentProcessorNumberEx PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07EDBAC81h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07EDBAC81h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetCurrentProcessorNumberEx ENDP + +Sw3NtGetDevicePowerState PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 076C97E66h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 076C97E66h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetDevicePowerState ENDP + +Sw3NtGetMUIRegistryInfo PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0251651FCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0251651FCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetMUIRegistryInfo ENDP + +Sw3NtGetNextProcess PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F9A3163Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F9A3163Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetNextProcess ENDP + +Sw3NtGetNextThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 038A3F20Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 038A3F20Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetNextThread ENDP + +Sw3NtGetNlsSectionPtr PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FF89FA1Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FF89FA1Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetNlsSectionPtr ENDP + +Sw3NtGetNotificationResourceManager PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 031B0DFACh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 031B0DFACh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetNotificationResourceManager ENDP + +Sw3NtGetWriteWatch PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08E434216h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08E434216h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetWriteWatch ENDP + +Sw3NtImpersonateAnonymousToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0879D7B8Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0879D7B8Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtImpersonateAnonymousToken ENDP + +Sw3NtImpersonateThread PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09ABC068Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09ABC068Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtImpersonateThread ENDP + +Sw3NtInitializeEnclave PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09A45E89Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09A45E89Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtInitializeEnclave ENDP + +Sw3NtInitializeNlsFiles PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C466DBCCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C466DBCCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtInitializeNlsFiles ENDP + +Sw3NtInitializeRegistry PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 006830003h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 006830003h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtInitializeRegistry ENDP + +Sw3NtInitiatePowerAction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 002BD2C61h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 002BD2C61h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtInitiatePowerAction ENDP + +Sw3NtIsSystemResumeAutomatic PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 015009D27h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 015009D27h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtIsSystemResumeAutomatic ENDP + +Sw3NtIsUILanguageComitted PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07BAA3287h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07BAA3287h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtIsUILanguageComitted ENDP + +Sw3NtListenPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 06D3166AEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 06D3166AEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtListenPort ENDP + +Sw3NtLoadDriver PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04E983E76h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04E983E76h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLoadDriver ENDP + +Sw3NtLoadEnclaveData PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FC468A92h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FC468A92h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLoadEnclaveData ENDP + +Sw3NtLoadHotPatch PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0756F6FDDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0756F6FDDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLoadHotPatch ENDP + +Sw3NtLoadKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 06D0E5EB7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 06D0E5EB7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLoadKey ENDP + +Sw3NtLoadKey2 PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DA630E85h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DA630E85h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLoadKey2 ENDP + +Sw3NtLoadKeyEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 037B9F7E6h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 037B9F7E6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLoadKeyEx ENDP + +Sw3NtLockFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 001380599h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 001380599h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLockFile ENDP + +Sw3NtLockProductActivationKeys PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04DD32032h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04DD32032h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLockProductActivationKeys ENDP + +Sw3NtLockRegistryKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EFD8C27Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EFD8C27Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLockRegistryKey ENDP + +Sw3NtLockVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0079D3D2Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0079D3D2Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtLockVirtualMemory ENDP + +Sw3NtMakePermanentObject PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03AA6081Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03AA6081Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMakePermanentObject ENDP + +Sw3NtMakeTemporaryObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0469217BFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0469217BFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMakeTemporaryObject ENDP + +Sw3NtManagePartition PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0870D879Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0870D879Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtManagePartition ENDP + +Sw3NtMapCMFModule PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A2AC6AFEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A2AC6AFEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMapCMFModule ENDP + +Sw3NtMapUserPhysicalPages PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 023BF6C3Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 023BF6C3Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMapUserPhysicalPages ENDP + +Sw3NtMapViewOfSectionEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0069D5240h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0069D5240h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMapViewOfSectionEx ENDP + +Sw3NtModifyBootEntry PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0099B3520h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0099B3520h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtModifyBootEntry ENDP + +Sw3NtModifyDriverEntry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F955CDE8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F955CDE8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtModifyDriverEntry ENDP + +Sw3NtNotifyChangeDirectoryFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 079B96703h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 079B96703h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtNotifyChangeDirectoryFile ENDP + +Sw3NtNotifyChangeDirectoryFileEx PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 078B65E09h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 078B65E09h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtNotifyChangeDirectoryFileEx ENDP + +Sw3NtNotifyChangeKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0069E5145h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0069E5145h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtNotifyChangeKey ENDP + +Sw3NtNotifyChangeMultipleKeys PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 053C85658h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 053C85658h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtNotifyChangeMultipleKeys ENDP + +Sw3NtNotifyChangeSession PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00991D6A0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00991D6A0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtNotifyChangeSession ENDP + +Sw3NtOpenEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 057D96E73h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 057D96E73h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenEnlistment ENDP + +Sw3NtOpenEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D0B1F817h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D0B1F817h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenEventPair ENDP + +Sw3NtOpenIoCompletion PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08A938C0Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08A938C0Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenIoCompletion ENDP + +Sw3NtOpenJobObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C745E7E6h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C745E7E6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenJobObject ENDP + +Sw3NtOpenKeyEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 06BE5BFBAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 06BE5BFBAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenKeyEx ENDP + +Sw3NtOpenKeyTransacted PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0306FF032h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0306FF032h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenKeyTransacted ENDP + +Sw3NtOpenKeyTransactedEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C45D1706h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C45D1706h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenKeyTransactedEx ENDP + +Sw3NtOpenKeyedEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0608B7DEAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0608B7DEAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenKeyedEvent ENDP + +Sw3NtOpenMutant PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F293FF0Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F293FF0Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenMutant ENDP + +Sw3NtOpenObjectAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04F2F4FB8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04F2F4FB8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenObjectAuditAlarm ENDP + +Sw3NtOpenPartition PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CC962FC2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CC962FC2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenPartition ENDP + +Sw3NtOpenPrivateNamespace PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 06C33EA12h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 06C33EA12h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenPrivateNamespace ENDP + +Sw3NtOpenProcessToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C0262E65h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C0262E65h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenProcessToken ENDP + +Sw3NtOpenRegistryTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04CCD6651h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04CCD6651h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenRegistryTransaction ENDP + +Sw3NtOpenResourceManager PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 031A76762h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 031A76762h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenResourceManager ENDP + +Sw3NtOpenSemaphore PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 030D85A54h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 030D85A54h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenSemaphore ENDP + +Sw3NtOpenSession PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 035AE1178h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 035AE1178h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenSession ENDP + +Sw3NtOpenSymbolicLinkObject PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01D81F3FBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01D81F3FBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenSymbolicLinkObject ENDP + +Sw3NtOpenThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E249F8F7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E249F8F7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenThread ENDP + +Sw3NtOpenTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 077543786h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 077543786h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenTimer ENDP + +Sw3NtOpenTransaction PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01572C81Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01572C81Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenTransaction ENDP + +Sw3NtOpenTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09D22D3FAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09D22D3FAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtOpenTransactionManager ENDP + +Sw3NtPlugPlayControl PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03F95ED33h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03F95ED33h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPlugPlayControl ENDP + +Sw3NtPrePrepareComplete PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 048D7B186h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 048D7B186h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrePrepareComplete ENDP + +Sw3NtPrePrepareEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C98735C4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C98735C4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrePrepareEnlistment ENDP + +Sw3NtPrepareComplete PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0393AA60Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0393AA60Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrepareComplete ENDP + +Sw3NtPrepareEnlistment PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00F910E03h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00F910E03h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrepareEnlistment ENDP + +Sw3NtPrivilegeCheck PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0069C3343h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0069C3343h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrivilegeCheck ENDP + +Sw3NtPrivilegeObjectAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CEB02CE0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CEB02CE0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrivilegeObjectAuditAlarm ENDP + +Sw3NtPrivilegedServiceAuditAlarm PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02EA9AEBEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02EA9AEBEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPrivilegedServiceAuditAlarm ENDP + +Sw3NtPropagationComplete PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EE52FCFEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EE52FCFEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPropagationComplete ENDP + +Sw3NtPropagationFailed PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0ECB5EA57h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0ECB5EA57h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPropagationFailed ENDP + +Sw3NtPulseEvent PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B0AC953Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B0AC953Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPulseEvent ENDP + +Sw3NtQueryAuxiliaryCounterFrequency PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04E9368CCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04E9368CCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryAuxiliaryCounterFrequency ENDP + +Sw3NtQueryBootEntryOrder PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 041DB737Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 041DB737Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryBootEntryOrder ENDP + +Sw3NtQueryBootOptions PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00D9A2309h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00D9A2309h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryBootOptions ENDP + +Sw3NtQueryDebugFilterState PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E61980D4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E61980D4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDebugFilterState ENDP + +Sw3NtQueryDirectoryFileEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EB18BFC4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EB18BFC4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDirectoryFileEx ENDP + +Sw3NtQueryDirectoryObject PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08D20B3AAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08D20B3AAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDirectoryObject ENDP + +Sw3NtQueryDriverEntryOrder PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01388191Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01388191Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryDriverEntryOrder ENDP + +Sw3NtQueryEaFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07CDB929Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07CDB929Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryEaFile ENDP + +Sw3NtQueryFullAttributesFile PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EE71FACEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EE71FACEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryFullAttributesFile ENDP + +Sw3NtQueryInformationAtom PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04BC94858h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04BC94858h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationAtom ENDP + +Sw3NtQueryInformationByName PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FEB8F112h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FEB8F112h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. 
+Sw3NtQueryInformationByName ENDP + +Sw3NtQueryInformationEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01FBA2019h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01FBA2019h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationEnlistment ENDP + +Sw3NtQueryInformationJobObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 000987A75h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 000987A75h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationJobObject ENDP + +Sw3NtQueryInformationPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02EBB2128h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02EBB2128h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationPort ENDP + +Sw3NtQueryInformationResourceManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01583FEFEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01583FEFEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationResourceManager ENDP + +Sw3NtQueryInformationTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09F059198h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09F059198h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationTransaction ENDP + +Sw3NtQueryInformationTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 006239000h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 006239000h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationTransactionManager ENDP + +Sw3NtQueryInformationWorkerFactory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FC62E8FFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FC62E8FFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInformationWorkerFactory ENDP + +Sw3NtQueryInstallUILanguage PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EBB4D0E8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EBB4D0E8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryInstallUILanguage ENDP + +Sw3NtQueryIntervalProfile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 018C2EF9Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 018C2EF9Eh ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryIntervalProfile ENDP + +Sw3NtQueryIoCompletion PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CC59EE89h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CC59EE89h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryIoCompletion ENDP + +Sw3NtQueryLicenseValue PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F6609DEEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F6609DEEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryLicenseValue ENDP + +Sw3NtQueryMultipleValueKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01E18F67Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01E18F67Eh ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryMultipleValueKey ENDP + +Sw3NtQueryMutant PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0228C4B58h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0228C4B58h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryMutant ENDP + +Sw3NtQueryOpenSubKeys PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03FDD4C1Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03FDD4C1Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryOpenSubKeys ENDP + +Sw3NtQueryOpenSubKeysEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F9B94891h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F9B94891h ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryOpenSubKeysEx ENDP + +Sw3NtQueryPortInformationProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F232D19Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F232D19Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryPortInformationProcess ENDP + +Sw3NtQueryQuotaInformationFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D378A16Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D378A16Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryQuotaInformationFile ENDP + +Sw3NtQuerySecurityAttributesToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0359403D0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 0359403D0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySecurityAttributesToken ENDP + +Sw3NtQuerySecurityObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C5661515h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C5661515h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySecurityObject ENDP + +Sw3NtQuerySecurityPolicy PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 072C44F01h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 072C44F01h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySecurityPolicy ENDP + +Sw3NtQuerySemaphore PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01E8556A8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 01E8556A8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySemaphore ENDP + +Sw3NtQuerySymbolicLinkObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08FA5B50Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08FA5B50Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySymbolicLinkObject ENDP + +Sw3NtQuerySystemEnvironmentValue PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B423D3A8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B423D3A8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySystemEnvironmentValue ENDP + +Sw3NtQuerySystemEnvironmentValueEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0578B9236h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0578B9236h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySystemEnvironmentValueEx ENDP + +Sw3NtQuerySystemInformationEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A69BC47Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A69BC47Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySystemInformationEx ENDP + +Sw3NtQueryTimerResolution PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0DA40DAD3h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0DA40DAD3h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryTimerResolution ENDP + +Sw3NtQueryWnfStateData PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A211B0E2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A211B0E2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryWnfStateData ENDP + +Sw3NtQueryWnfStateNameInformation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E656FD23h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E656FD23h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueryWnfStateNameInformation ENDP + +Sw3NtQueueApcThreadEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F4D23A94h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F4D23A94h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQueueApcThreadEx ENDP + +Sw3NtRaiseException PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CF052C50h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CF052C50h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRaiseException ENDP + +Sw3NtRaiseHardError PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07BAC673Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07BAC673Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRaiseHardError ENDP + +Sw3NtReadOnlyEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 059D87A4Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 059D87A4Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReadOnlyEnlistment ENDP + +Sw3NtRecoverEnlistment PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 019C73871h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 019C73871h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRecoverEnlistment ENDP + +Sw3NtRecoverResourceManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08A1C5A3Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08A1C5A3Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRecoverResourceManager ENDP + +Sw3NtRecoverTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08526B3A6h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08526B3A6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. 
+Sw3NtRecoverTransactionManager ENDP + +Sw3NtRegisterProtocolAddressInformation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FFBBDEE8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FFBBDEE8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRegisterProtocolAddressInformation ENDP + +Sw3NtRegisterThreadTerminatePort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A6BE58CFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A6BE58CFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRegisterThreadTerminatePort ENDP + +Sw3NtReleaseKeyedEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0902D72BBh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0902D72BBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReleaseKeyedEvent ENDP + +Sw3NtReleaseWorkerFactoryWorker PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 000986E05h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 000986E05h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReleaseWorkerFactoryWorker ENDP + +Sw3NtRemoveIoCompletionEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01C0C3AB2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01C0C3AB2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRemoveIoCompletionEx ENDP + +Sw3NtRemoveProcessDebug PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08A2C9F40h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08A2C9F40h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRemoveProcessDebug ENDP + +Sw3NtRenameKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E72D1B49h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E72D1B49h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRenameKey ENDP + +Sw3NtRenameTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 033956750h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 033956750h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRenameTransactionManager ENDP + +Sw3NtReplaceKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 062FFB1A4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 062FFB1A4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReplaceKey ENDP + +Sw3NtReplacePartitionUnit PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0193C0594h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0193C0594h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReplacePartitionUnit ENDP + +Sw3NtReplyWaitReplyPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03CBA10EAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03CBA10EAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReplyWaitReplyPort ENDP + +Sw3NtRequestPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 022B5051Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 022B5051Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRequestPort ENDP + +Sw3NtResetEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01073CB24h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01073CB24h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtResetEvent ENDP + +Sw3NtResetWriteWatch PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05E8F6620h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05E8F6620h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtResetWriteWatch ENDP + +Sw3NtRestoreKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E6E2D959h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E6E2D959h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRestoreKey ENDP + +Sw3NtResumeProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 035993414h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 035993414h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtResumeProcess ENDP + +Sw3NtRevertContainerImpersonation PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 031167FCFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 031167FCFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRevertContainerImpersonation ENDP + +Sw3NtRollbackComplete PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F9B5D77Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F9B5D77Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRollbackComplete ENDP + +Sw3NtRollbackEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08818F1EEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08818F1EEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRollbackEnlistment ENDP + +Sw3NtRollbackRegistryTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0960E92A7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0960E92A7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRollbackRegistryTransaction ENDP + +Sw3NtRollbackTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07CA55A75h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07CA55A75h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRollbackTransaction ENDP + +Sw3NtRollforwardTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0122E7AB4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0122E7AB4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRollforwardTransactionManager ENDP + +Sw3NtSaveKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 046F92703h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 046F92703h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSaveKey ENDP + +Sw3NtSaveKeyEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 061FB2F2Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 061FB2F2Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSaveKeyEx ENDP + +Sw3NtSaveMergedKeys PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 023343E9Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 023343E9Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSaveMergedKeys ENDP + +Sw3NtSecureConnectPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 038AE22C0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 038AE22C0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSecureConnectPort ENDP + +Sw3NtSerializeBoot PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EDBCC528h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EDBCC528h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSerializeBoot ENDP + +Sw3NtSetBootEntryOrder PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01CBF35E4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01CBF35E4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetBootEntryOrder ENDP + +Sw3NtSetBootOptions PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FBA5133Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FBA5133Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetBootOptions ENDP + +Sw3NtSetCachedSigningLevel PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 012DC99E2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 012DC99E2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetCachedSigningLevel ENDP + +Sw3NtSetCachedSigningLevel2 PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F0CE1B1Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F0CE1B1Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetCachedSigningLevel2 ENDP + +Sw3NtSetContextThread PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B897B63Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B897B63Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetContextThread ENDP + +Sw3NtSetDebugFilterState PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00319EE16h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00319EE16h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetDebugFilterState ENDP + +Sw3NtSetDefaultHardErrorPort PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02632A128h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02632A128h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetDefaultHardErrorPort ENDP + +Sw3NtSetDefaultLocale PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01DA1C595h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01DA1C595h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetDefaultLocale ENDP + +Sw3NtSetDefaultUILanguage PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 028BBDE26h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 028BBDE26h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetDefaultUILanguage ENDP + +Sw3NtSetDriverEntryOrder PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0359B0F33h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0359B0F33h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetDriverEntryOrder ENDP + +Sw3NtSetEaFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B838A08Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B838A08Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetEaFile ENDP + +Sw3NtSetHighEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 093345D68h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 093345D68h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetHighEventPair ENDP + +Sw3NtSetHighWaitLowEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05D3E5BA9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05D3E5BA9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetHighWaitLowEventPair ENDP + +Sw3NtSetIRTimer PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08011B4ABh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08011B4ABh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetIRTimer ENDP + +Sw3NtSetInformationDebugObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EAB0F42Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EAB0F42Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationDebugObject ENDP + +Sw3NtSetInformationEnlistment PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D954E0F9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D954E0F9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationEnlistment ENDP + +Sw3NtSetInformationJobObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01CBF2A1Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01CBF2A1Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationJobObject ENDP + +Sw3NtSetInformationKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01025338Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01025338Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. 
+ add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationKey ENDP + +Sw3NtSetInformationResourceManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01F8D0B10h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01F8D0B10h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationResourceManager ENDP + +Sw3NtSetInformationSymbolicLink PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A03AA4A2h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A03AA4A2h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationSymbolicLink ENDP + +Sw3NtSetInformationToken PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09BADD77Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09BADD77Eh ; Re-Load function hash into ECX (optional). 
+ call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationToken ENDP + +Sw3NtSetInformationTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04B6F67F5h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04B6F67F5h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationTransaction ENDP + +Sw3NtSetInformationTransactionManager PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08300B5A4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08300B5A4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationTransactionManager ENDP + +Sw3NtSetInformationVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00D99170Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. 
+ mov r11, rax ; Save the address of the syscall + mov ecx, 00D99170Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationVirtualMemory ENDP + +Sw3NtSetInformationWorkerFactory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0889D74D8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0889D74D8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationWorkerFactory ENDP + +Sw3NtSetIntervalProfile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 018A2D100h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 018A2D100h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetIntervalProfile ENDP + +Sw3NtSetIoCompletion PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E871E0EBh ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E871E0EBh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetIoCompletion ENDP + +Sw3NtSetIoCompletionEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0989B5AA0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0989B5AA0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetIoCompletionEx ENDP + +Sw3NtSetLdtEntries PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0EDBE04E4h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0EDBE04E4h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetLdtEntries ENDP + +Sw3NtSetLowEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 032AE5031h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 032AE5031h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetLowEventPair ENDP + +Sw3NtSetLowWaitHighEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 015B64B66h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 015B64B66h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetLowWaitHighEventPair ENDP + +Sw3NtSetQuotaInformationFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A8B8822Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A8B8822Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetQuotaInformationFile ENDP + +Sw3NtSetSecurityObject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0173B4D95h ; Load function hash into ECX. 
+ call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0173B4D95h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetSecurityObject ENDP + +Sw3NtSetSystemEnvironmentValue PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FB21BC01h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FB21BC01h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetSystemEnvironmentValue ENDP + +Sw3NtSetSystemEnvironmentValueEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D320A3D8h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D320A3D8h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetSystemEnvironmentValueEx ENDP + +Sw3NtSetSystemInformation PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 002AB003Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 002AB003Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetSystemInformation ENDP + +Sw3NtSetSystemPowerState PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 01697C832h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 01697C832h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetSystemPowerState ENDP + +Sw3NtSetSystemTime PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A036A9A3h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A036A9A3h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetSystemTime ENDP + +Sw3NtSetThreadExecutionState PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0108EE080h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0108EE080h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetThreadExecutionState ENDP + +Sw3NtSetTimer2 PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D8B3182Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D8B3182Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetTimer2 ENDP + +Sw3NtSetTimerEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0836BCFAFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0836BCFAFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetTimerEx ENDP + +Sw3NtSetTimerResolution PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D64009EDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D64009EDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetTimerResolution ENDP + +Sw3NtSetUuidSeed PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F9A03D18h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F9A03D18h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetUuidSeed ENDP + +Sw3NtSetVolumeInformationFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0B81CBCBEh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0B81CBCBEh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetVolumeInformationFile ENDP + +Sw3NtSetWnfProcessNotificationEvent PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 02A94ECC1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 02A94ECC1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetWnfProcessNotificationEvent ENDP + +Sw3NtShutdownSystem PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0029ED1A0h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0029ED1A0h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtShutdownSystem ENDP + +Sw3NtShutdownWorkerFactory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0FFA115B3h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0FFA115B3h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtShutdownWorkerFactory ENDP + +Sw3NtSignalAndWaitForSingleObject PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F6587134h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F6587134h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSignalAndWaitForSingleObject ENDP + +Sw3NtSinglePhaseReject PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 028857049h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 028857049h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSinglePhaseReject ENDP + +Sw3NtStartProfile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09D251101h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09D251101h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtStartProfile ENDP + +Sw3NtStopProfile PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C1163B47h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C1163B47h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtStopProfile ENDP + +Sw3NtSubscribeWnfStateChange PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 062BF2362h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 062BF2362h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSubscribeWnfStateChange ENDP + +Sw3NtSuspendProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 06DB71254h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 06DB71254h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSuspendProcess ENDP + +Sw3NtSuspendThread PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 032ADF50Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 032ADF50Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSuspendThread ENDP + +Sw3NtSystemDebugControl PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07D521DC9h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07D521DC9h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSystemDebugControl ENDP + +Sw3NtTerminateEnclave PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CB54AB5Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CB54AB5Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTerminateEnclave ENDP + +Sw3NtTerminateJobObject PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00E347ABFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00E347ABFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTerminateJobObject ENDP + +Sw3NtTestAlert PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 069B1701Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 069B1701Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTestAlert ENDP + +Sw3NtThawRegistry PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 078E317F7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 078E317F7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtThawRegistry ENDP + +Sw3NtThawTransactions PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 009DA7731h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 009DA7731h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtThawTransactions ENDP + +Sw3NtTraceControl PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00D9BCBB1h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00D9BCBB1h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTraceControl ENDP + +Sw3NtTranslateFilePath PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 028B0133Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 028B0133Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtTranslateFilePath ENDP + +Sw3NtUmsThreadYield PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04A671051h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04A671051h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUmsThreadYield ENDP + +Sw3NtUnloadDriver PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00EA7160Eh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00EA7160Eh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnloadDriver ENDP + +Sw3NtUnloadKey PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0281E19A7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0281E19A7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnloadKey ENDP + +Sw3NtUnloadKey2 PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08F3655DAh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08F3655DAh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnloadKey2 ENDP + +Sw3NtUnloadKeyEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08BB9FF44h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08BB9FF44h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnloadKeyEx ENDP + +Sw3NtUnlockFile PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 04217DB31h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 04217DB31h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnlockFile ENDP + +Sw3NtUnlockVirtualMemory PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 003902B07h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 003902B07h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnlockVirtualMemory ENDP + +Sw3NtUnmapViewOfSectionEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07E55FD6Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07E55FD6Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnmapViewOfSectionEx ENDP + +Sw3NtUnsubscribeWnfStateChange PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0A203EBA6h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0A203EBA6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUnsubscribeWnfStateChange ENDP + +Sw3NtUpdateWnfStateData PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0BD03560Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0BD03560Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtUpdateWnfStateData ENDP + +Sw3NtVdmControl PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00999EF8Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00999EF8Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtVdmControl ENDP + +Sw3NtWaitForAlertByThreadId PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 08CB03E66h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 08CB03E66h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForAlertByThreadId ENDP + +Sw3NtWaitForDebugEvent PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 030A30304h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 030A30304h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForDebugEvent ENDP + +Sw3NtWaitForKeyedEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0F05FF5D6h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0F05FF5D6h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForKeyedEvent ENDP + +Sw3NtWaitForWorkViaWorkerFactory PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0C495DC17h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0C495DC17h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForWorkViaWorkerFactory ENDP + +Sw3NtWaitHighEventPair PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 062375A9Dh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 062375A9Dh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitHighEventPair ENDP + +Sw3NtWaitLowEventPair PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 03192AE9Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 03192AE9Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitLowEventPair ENDP + +Sw3NtAcquireCMFViewOwnership PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00C53C40Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00C53C40Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtAcquireCMFViewOwnership ENDP + +Sw3NtCancelDeviceWakeupRequest PROC + mov [rsp +8], rcx ; Save registers. 
+ mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 053CD7350h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 053CD7350h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCancelDeviceWakeupRequest ENDP + +Sw3NtClearAllSavepointsTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 004961E63h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 004961E63h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtClearAllSavepointsTransaction ENDP + +Sw3NtClearSavepointTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 00B1C2988h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 00B1C2988h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. 
+Sw3NtClearSavepointTransaction ENDP + +Sw3NtRollbackSavepointTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 082D45E9Fh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 082D45E9Fh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRollbackSavepointTransaction ENDP + +Sw3NtSavepointTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0D00BD69Bh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0D00BD69Bh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSavepointTransaction ENDP + +Sw3NtSavepointComplete PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 036A5241Ch ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 036A5241Ch ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSavepointComplete ENDP + +Sw3NtCreateSectionEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 000953428h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 000953428h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateSectionEx ENDP + +Sw3NtCreateCrossVmEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0016C04FCh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0016C04FCh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtCreateCrossVmEvent ENDP + +Sw3NtGetPlugPlayEvent PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0634A48ECh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0634A48ECh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtGetPlugPlayEvent ENDP + +Sw3NtListTransactions PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0014E05DDh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0014E05DDh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtListTransactions ENDP + +Sw3NtMarshallTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09E009895h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09E009895h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtMarshallTransaction ENDP + +Sw3NtPullTransaction PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 008670AF7h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 008670AF7h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtPullTransaction ENDP + +Sw3NtReleaseCMFViewOwnership PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0CC93F41Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0CC93F41Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtReleaseCMFViewOwnership ENDP + +Sw3NtWaitForWnfNotifications PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0E34BC5FFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0E34BC5FFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtWaitForWnfNotifications ENDP + +Sw3NtStartTm PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 07C71DC43h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 07C71DC43h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtStartTm ENDP + +Sw3NtSetInformationProcess PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 05F807A28h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 05F807A28h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtSetInformationProcess ENDP + +Sw3NtRequestDeviceWakeup PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 055CD959Ah ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 055CD959Ah ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRequestDeviceWakeup ENDP + +Sw3NtRequestWakeupLatency PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0173B7CAFh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0173B7CAFh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtRequestWakeupLatency ENDP + +Sw3NtQuerySystemTime PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09A8F13ABh ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09A8F13ABh ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtQuerySystemTime ENDP + +Sw3NtManageHotPatch PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 09FAF5188h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 09FAF5188h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. + mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtManageHotPatch ENDP + +Sw3NtContinueEx PROC + mov [rsp +8], rcx ; Save registers. + mov [rsp+16], rdx + mov [rsp+24], r8 + mov [rsp+32], r9 + sub rsp, 28h + mov ecx, 0978853B5h ; Load function hash into ECX. + call SW3_GetSyscallAddress ; Resolve function hash into syscall offset. + mov r11, rax ; Save the address of the syscall + mov ecx, 0978853B5h ; Re-Load function hash into ECX (optional). + call SW3_GetSyscallNumber ; Resolve function hash into syscall number. + add rsp, 28h + mov rcx, [rsp+8] ; Restore registers. 
+ mov rdx, [rsp+16] + mov r8, [rsp+24] + mov r9, [rsp+32] + mov r10, rcx + jmp r11 ; Jump to -> Invoke system call. +Sw3NtContinueEx ENDP + +end \ No newline at end of file