diff --git a/InlineWhispers3.py b/InlineWhispers3.py new file mode 100644 index 0000000..50ab355 --- /dev/null +++ b/InlineWhispers3.py @@ -0,0 +1,163 @@ +#!/usr/bin/env python +# coding: utf=8 + +import os +import re +import sys +import argparse + +from pathlib import Path +from shutil import copyfile + +def get_new_seed(): + '''Get new seed''' + with open('SysWhispers3/syscalls_all.h') as file: + for line in file: + if 'SW3_SEED' in line: + return line + +def replace_seed(): + '''Replace SEED in the new file''' + new_seed = get_new_seed() + + replacement = '' + with open('output/syscalls.h', 'r') as file: + for line in file: + line = line.strip() + changes = line.replace('$$SEED$$', new_seed) + replacement = replacement + changes + '\n' + with open('output/syscalls.h', 'w') as file: + file.write(replacement) + print("[+] New seed added to syscalls.h") + +def replace_extern(): + '''Replace EXTERN_C definitions in the new file''' + replacement = '' + actual_extern_c = '' + is_extern_part = False + with open('output/syscalls.h', 'r') as file: + for line in file: + line = line.strip() + if 'EXTERN_C NTSTATUS' in line: + actual_extern_c = line.replace('EXTERN_C NTSTATUS', '').replace('(', '').replace(')', '').replace(';', '').replace(' ', '') + is_extern_part = True + if is_extern_part and ';' in line: + changes = line.replace(';', f' asm("{actual_extern_c}");') + + if '#include ' in line: + changes = line.replace('#include ', '#include \n#include "syscalls-asm.h"') + else: + changes = line + replacement = replacement + changes + '\n' + with open('output/syscalls.h', 'w') as file: + file.write(replacement) + +def create_asm_file(): + '''Create asm stubs file''' + replacement = '' + with open('SysWhispers3/syscalls_all_-asm.x64.asm', 'r') as file: + for line in file: + line = line.strip() + + if '.code' in line: + line = line.replace('.code', '#pragma once\r\n#include \r\n\r\n#if _WIN64') + if 'EXTERN SW3_GetSyscallNumber: PROC' in line: + line = line.replace('EXTERN SW3_GetSyscallNumber: PROC', '') + if 'EXTERN SW3_GetSyscallAddress: PROC' in line: + line = line.replace('EXTERN SW3_GetSyscallAddress: PROC', '') + if 'PROC' in line: + func_nt = line.split(' ', 1)[0] + func_zw = func_nt.replace('Nt', 'Zw') + line = line.replace(f'{func_nt} PROC', f'#define {func_zw} {func_nt}\r\n__asm__("{func_nt}: \\n\\') + if ';' in line: + line = line.split(';', 1)[0] + if 'sub rsp, 28h' in line: + line = line.replace('sub rsp, 28h', 'sub rsp, 0x28').rstrip() + ' \\n\\' + if 'add rsp, 28h' in line: + line = line.replace('add rsp, 28h', 'add rsp, 0x28').rstrip() + ' \\n\\' + if 'mov ecx,' in line: + line = line.replace('mov ecx, ', 'mov ecx, 0x').rstrip()[:-1] + if line.startswith('call'): + line = line.rstrip() + ' \\n\\' + if line.startswith('mov'): + line = line.rstrip() + ' \\n\\' + if line.startswith('syscall'): + line = line.rstrip() + ' \\n\\' + if line.startswith('ret'): + line = line.rstrip() + ' \\n\\' + if line.startswith('jmp'): + line = line.rstrip() + ' \\n\\' + if 'ENDP' in line: + line = '");' + + if line.startswith('end'): + line = '#endif' + + changes = line + replacement = replacement + changes + '\n' + + with open('output/syscalls-asm.h', 'w') as file: + file.write(replacement) + +def remove_specific_includes(content): + '''Remove #include "syscalls.h", #include "syscalls-asm.h", and #include "syscalls.c" statements from the content''' + return re.sub(r'#(include ("syscalls(.h"|-asm.h"|.c")|)|pragma once)', '', content) + +def merge_to_aio(): + '''Merge all files to one usable .h file''' + with open('output/syscalls-aio.h', 'w') as aio: + with open('output/syscalls.h', 'r') as sys_h, \ + open('output/syscalls.c', 'r') as sys_c, \ + open('output/syscalls-asm.h', 'r') as sys_asm: + + aio.write("#pragma once\n#include \n") + aio.write(remove_specific_includes(sys_h.read())) + aio.write('\n') + aio.write(remove_specific_includes(sys_c.read())) + aio.write('\n') + aio.write(remove_specific_includes(sys_asm.read())) + +if __name__ == '__main__': + '''Main''' + print(".___ .__ .__ __ __.__ .__ ________ ") + print("| | ____ | | |__| ____ ____/ \\ / \\ |__ |__| ____________ ___________ _____\\_____ \\ ") + print("| |/ \\| | | |/ \\_/ __ \\ \\/\\/ / | \\| |/ ___/\\____ \\_/ __ \\_ __ \\/ ___/ _(__ < ") + print("| | | \\ |_| | | \\ ___/\\ /| Y \\ |\\___ \\ | |_> > ___/| | \\/\\___ \\ / \\ ") + print("|___|___| /____/__|___| /\\___ >\\__/\\ / |___| /__/____ >| __/ \\___ >__| /____ >______ /") + print(" \\/ \\/ \\/ \\/ \\/ \\/ |__| \\/ \\/ \\/") + print("\r\ntdeerenberg - https://github.com/tdeerenberg\r\n") + + if not os.path.isdir('SysWhispers3') or not os.path.isfile('SysWhispers3/syscalls_all.h'): + print('[ERROR] SysWhispers3 not present, to fix:\r\n') + print('git clone https://github.com/klezVirus/SysWhispers3') + print('cd SysWhispers3/ && python3 syswhispers.py -p all -a x64 -m jumper -o syscalls_all && cd ..\r\n') + sys.exit(0) + + # Create output directory with the new templates + Path('output').mkdir(parents=True, exist_ok=True) + copyfile('syscalls.c.template', 'output/syscalls.c') + copyfile('syscalls.h.template', 'output/syscalls.h') + + parser = argparse.ArgumentParser() + parser.add_argument('--aio', action='store_true', help="Trigger the aio flag") + args = parser.parse_args() + + # Replace EXTERN_C in syscalls.h + print("[+] Replacing EXTERN_C in syscalls.h") + replace_extern() + print("[+] Replaced EXTERN_C in syscalls.h") + + # Create asm stub with the correct syscalls format + print("[+] Creating syscalls-asm.c with indirect syscall instructions") + create_asm_file() + print("[+] Done creating syscalls-asm.c\n") + + if args.aio: + print('[+] All in One flag detected, merging syscalls.c, syscalls.h, and syscalls-asm.h into one file') + merge_to_aio() + print("[+] Merged into one usable file: syscalls-aio.h\n") + print("Import syscalls-aio.h in your project and include syscalls-aio.h to use indirect syscalls, or:") + + print("Import syscalls.c syscalls.h, syscalls-asm.h in your project and include syscalls.c to start to use syscalls") + + diff --git a/README.md b/README.md index 9c1b1de..4de6459 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,44 @@ # InlineWhispers3 -Tool for working with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOF) using SysWhispers3 +InlineWhispers3 is an updated version of [InlineWhispers2](https://github.com/Sh0ckFR/InlineWhispers2), designed to work with Indirect System Calls in Cobalt Strike's Beacon Object Files (BOFs) using [SysWhispers3](https://github.com/klezVirus/SysWhispers3). This tool helps changing SysWhispers3 generated files to be BOF compatible. + +## How to set this up? + +```sh +# Clone the main repository and initialize submodules (SysWhispers3) +git clone --recurse-submodules https://github.com/tdeerenberg/InlineWhispers3 +cd InlineWhispers3 + +# Navigate to submodule directory and run the syswhispers.py script +cd SysWhispers3/ +python3 syswhispers.py -p all -a x64 -m jumper -o syscalls_all + +# Navigate back to the main repository and run the InlineWhispers3.py script +cd .. +python3 InlineWhispers3.py --aio +``` + +This generates the required syscalls.c/h files and then runs InlineWhispers3 to make the files compatible with BOFs. + +> The `--aio` flag is optional and merges all output files into one `.h` file, which can also be used instead of using `syscalls.c`, `syscalls.h`, and `syscalls-asm.h` + +## How to use indirect syscalls in your BOF + +Import `syscalls.h`, `syscalls.c`, and `syscalls-asm.h` (or only `syscalls-aio.h`) in your project and include `syscalls.c` (or `syscalls-aio.h`) in your C code to start using syscalls. + +An example BOF for reference (creates a new process using ` `): + +```c +#include +#include "beacon.h" +#include "syscalls.c" + +void go(char* args, int length) { + ... CODE TO BE ADDED ... +} +``` + +## Credits +- [@klezVirus](https://github.com/klezVirus) for SysWhispers3 +- [@Sh0ckFR](https://github.com/Sh0ckFR) for InlineWhispers2 +- [@outflanknl](https://github.com/outflanknl) for the first version of InlineWhispers and their informative blog post about it +- The Cyber Security Community for all the articles and resources \ No newline at end of file diff --git a/SysWhispers3 b/SysWhispers3 new file mode 160000 index 0000000..31cfc93 --- /dev/null +++ b/SysWhispers3 @@ -0,0 +1 @@ +Subproject commit 31cfc93c9466b52ae79d60925b0b5e0a1f653b88 diff --git a/output/syscalls-aio.h b/output/syscalls-aio.h new file mode 100644 index 0000000..7502710 --- /dev/null +++ b/output/syscalls-aio.h @@ -0,0 +1,14499 @@ +#pragma once +#include + + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +#ifndef SW3_HEADER_H_ +#define SW3_HEADER_H_ + + + + +#ifndef _NTDEF_ +typedef _Return_type_success_(return >= 0) LONG NTSTATUS; +typedef NTSTATUS* PNTSTATUS; +#endif + +#define SW3_SEED 0xCC6A5286 +#define SW3_ROL8(v) (v << 8 | v >> 24) +#define SW3_ROR8(v) (v >> 8 | v << 24) +#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v)) +#define SW3_MAX_ENTRIES 600 +#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva) + +// Typedefs are prefixed to avoid pollution. + +typedef struct _SW3_SYSCALL_ENTRY +{ +DWORD Hash; +DWORD Address; +PVOID SyscallAddress; +} SW3_SYSCALL_ENTRY, *PSW3_SYSCALL_ENTRY; + +typedef struct _SW3_SYSCALL_LIST +{ +DWORD Count; +SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES]; +} SW3_SYSCALL_LIST, *PSW3_SYSCALL_LIST; + +typedef struct _SW3_PEB_LDR_DATA { +BYTE Reserved1[8]; +PVOID Reserved2[3]; +LIST_ENTRY InMemoryOrderModuleList; +} SW3_PEB_LDR_DATA, *PSW3_PEB_LDR_DATA; + +typedef struct _SW3_LDR_DATA_TABLE_ENTRY { +PVOID Reserved1[2]; +LIST_ENTRY InMemoryOrderLinks; +PVOID Reserved2[2]; +PVOID DllBase; +} SW3_LDR_DATA_TABLE_ENTRY, *PSW3_LDR_DATA_TABLE_ENTRY; + +typedef struct _SW3_PEB { +BYTE Reserved1[2]; +BYTE BeingDebugged; +BYTE Reserved2[1]; +PVOID Reserved3[2]; +PSW3_PEB_LDR_DATA Ldr; +} SW3_PEB, *PSW3_PEB; + +DWORD SW3_HashSyscall(PCSTR FunctionName); +BOOL SW3_PopulateSyscallList(); +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash); +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash); +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID); +typedef struct _UNICODE_STRING +{ +USHORT Length; +USHORT MaximumLength; +PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _SYSTEM_HANDLE +{ +ULONG ProcessId; +BYTE ObjectTypeNumber; +BYTE Flags; +USHORT Handle; +PVOID Object; +ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ +PVOID pValue; +ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ +ULONG64 Version; +UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _WNF_TYPE_ID +{ +GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef enum _KCONTINUE_TYPE +{ +KCONTINUE_UNWIND, +KCONTINUE_RESUME, +KCONTINUE_LONGJUMP, +KCONTINUE_SET, +KCONTINUE_LAST +} KCONTINUE_TYPE; + +typedef struct _IO_STATUS_BLOCK +{ +union +{ +NTSTATUS Status; +VOID* Pointer; +}; +ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef enum _PS_CREATE_STATE +{ +PsCreateInitialState, +PsCreateFailOnFileOpen, +PsCreateFailOnSectionCreate, +PsCreateFailExeFormat, +PsCreateFailMachineMismatch, +PsCreateFailExeName, +PsCreateSuccess, +PsCreateMaximumStates +} PS_CREATE_STATE, *PPS_CREATE_STATE; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ +ULONG HandleCount; +SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _CLIENT_ID +{ +HANDLE UniqueProcess; +HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _PLUGPLAY_EVENT_CATEGORY +{ +HardwareProfileChangeEvent, +TargetDeviceChangeEvent, +DeviceClassChangeEvent, +CustomDeviceEvent, +DeviceInstallEvent, +DeviceArrivalEvent, +PowerEvent, +VetoEvent, +BlockedDriverEvent, +InvalidIDEvent, +MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef enum _PNP_VETO_TYPE +{ +PNP_VetoTypeUnknown, // unspecified +PNP_VetoLegacyDevice, // instance path +PNP_VetoPendingClose, // instance path +PNP_VetoWindowsApp, // module +PNP_VetoWindowsService, // service +PNP_VetoOutstandingOpen, // instance path +PNP_VetoDevice, // instance path +PNP_VetoDriver, // driver service name +PNP_VetoIllegalDeviceRequest, // instance path +PNP_VetoInsufficientPower, // unspecified +PNP_VetoNonDisableable, // instance path +PNP_VetoLegacyDriver, // service +PNP_VetoInsufficientRights // unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ +UNICODE_STRING Name; +USHORT ValueType; +USHORT Reserved; +ULONG Flags; +ULONG ValueCount; +union +{ +PLONG64 pInt64; +PULONG64 pUint64; +PUNICODE_STRING pString; +PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; +PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; +} Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +typedef VOID(KNORMAL_ROUTINE) ( +IN PVOID NormalContext, +IN PVOID SystemArgument1, +IN PVOID SystemArgument2); + +typedef struct _PS_ATTRIBUTE +{ +ULONG Attribute; +SIZE_T Size; +union +{ +ULONG Value; +PVOID ValuePtr; +} u1; +PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _WNF_STATE_NAME +{ +ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ +(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ +(p)->RootDirectory = r; \ +(p)->Attributes = a; \ +(p)->ObjectName = n; \ +(p)->SecurityDescriptor = s; \ +(p)->SecurityQualityOfService = NULL; \ +} +#endif + +typedef struct _KEY_VALUE_ENTRY +{ +PUNICODE_STRING ValueName; +ULONG DataLength; +ULONG DataOffset; +ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ +KeyWriteTimeInformation, +KeyWow64FlagsInformation, +KeyControlFlagsInformation, +KeySetVirtualizationInformation, +KeySetDebugInformation, +KeySetHandleTagsInformation, +MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. +} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ +SystemBasicInformation = 0, +SystemPerformanceInformation = 2, +SystemTimeOfDayInformation = 3, +SystemProcessInformation = 5, +SystemProcessorPerformanceInformation = 8, +SystemHandleInformation = 16, +SystemInterruptInformation = 23, +SystemExceptionInformation = 33, +SystemRegistryQuotaInformation = 37, +SystemLookasideInformation = 45, +SystemCodeIntegrityInformation = 103, +SystemPolicyInformation = 134, +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _PROCESSINFOCLASS +{ +ProcessBasicInformation = 0, +ProcessDebugPort = 7, +ProcessWow64Information = 26, +ProcessImageFileName = 27, +ProcessBreakOnTermination = 29 +} PROCESSINFOCLASS, *PPROCESSINFOCLASS; + +typedef struct _MEMORY_RANGE_ENTRY +{ +PVOID VirtualAddress; +SIZE_T NumberOfBytes; +} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; + +typedef struct _T2_SET_PARAMETERS_V0 +{ +ULONG Version; +ULONG Reserved; +LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; + +typedef struct _FILE_PATH +{ +ULONG Version; +ULONG Length; +ULONG Type; +CHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _FILE_USER_QUOTA_INFORMATION +{ +ULONG NextEntryOffset; +ULONG SidLength; +LARGE_INTEGER ChangeTime; +LARGE_INTEGER QuotaUsed; +LARGE_INTEGER QuotaThreshold; +LARGE_INTEGER QuotaLimit; +SID Sid[1]; +} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_LIST_INFORMATION +{ +ULONG NextEntryOffset; +ULONG SidLength; +SID Sid[1]; +} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ +LARGE_INTEGER CreationTime; +LARGE_INTEGER LastAccessTime; +LARGE_INTEGER LastWriteTime; +LARGE_INTEGER ChangeTime; +LARGE_INTEGER AllocationSize; +LARGE_INTEGER EndOfFile; +ULONG FileAttributes; +ULONG Unknown; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ +FilterBootOptionOperationOpenSystemStore, +FilterBootOptionOperationSetElement, +FilterBootOptionOperationDeleteElement, +FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; + +typedef enum _EVENT_TYPE +{ +NotificationEvent = 0, +SynchronizationEvent = 1, +} EVENT_TYPE, *PEVENT_TYPE; + +typedef struct _FILE_FULL_EA_INFORMATION +{ +ULONG NextEntryOffset; +UCHAR Flags; +UCHAR EaNameLength; +USHORT EaValueLength; +CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION +{ +ULONG NextEntryOffset; +BYTE EaNameLength; +CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef struct _BOOT_OPTIONS +{ +ULONG Version; +ULONG Length; +ULONG Timeout; +ULONG CurrentBootEntryId; +ULONG NextBootEntryId; +WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef enum _WNF_DATA_SCOPE +{ +WnfDataScopeSystem = 0, +WnfDataScopeSession = 1, +WnfDataScopeUser = 2, +WnfDataScopeProcess = 3, +WnfDataScopeMachine = 4 +} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; + +typedef enum _WNF_STATE_NAME_LIFETIME +{ +WnfWellKnownStateName = 0, +WnfPermanentStateName = 1, +WnfPersistentStateName = 2, +WnfTemporaryStateName = 3 +} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; + +typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS +{ +VmPrefetchInformation, +VmPagePriorityInformation, +VmCfgCallTargetInformation +} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; + +typedef enum _IO_SESSION_EVENT +{ +IoSessionEventIgnore, +IoSessionEventCreated, +IoSessionEventTerminated, +IoSessionEventConnected, +IoSessionEventDisconnected, +IoSessionEventLogon, +IoSessionEventLogoff, +IoSessionEventMax +} IO_SESSION_EVENT, *PIO_SESSION_EVENT; + +typedef enum _PORT_INFORMATION_CLASS +{ +PortBasicInformation, +#if DEVL +PortDumpInformation +#endif +} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; + +typedef enum _PLUGPLAY_CONTROL_CLASS +{ +PlugPlayControlEnumerateDevice, +PlugPlayControlRegisterNewDevice, +PlugPlayControlDeregisterDevice, +PlugPlayControlInitializeDevice, +PlugPlayControlStartDevice, +PlugPlayControlUnlockDevice, +PlugPlayControlQueryAndRemoveDevice, +PlugPlayControlUserResponse, +PlugPlayControlGenerateLegacyDevice, +PlugPlayControlGetInterfaceDeviceList, +PlugPlayControlProperty, +PlugPlayControlDeviceClassAssociation, +PlugPlayControlGetRelatedDevice, +PlugPlayControlGetInterfaceDeviceAlias, +PlugPlayControlDeviceStatus, +PlugPlayControlGetDeviceDepth, +PlugPlayControlQueryDeviceRelations, +PlugPlayControlTargetDeviceRelation, +PlugPlayControlQueryConflictList, +PlugPlayControlRetrieveDock, +PlugPlayControlResetDevice, +PlugPlayControlHaltDevice, +PlugPlayControlGetBlockedDriverList, +MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ +IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT +{ +ViewShare = 1, +ViewUnmap = 2 +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef enum _DEBUGOBJECTINFOCLASS +{ +DebugObjectFlags = 1, +MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ +SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; + +typedef struct _PS_ATTRIBUTE_LIST +{ +SIZE_T TotalLength; +PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef enum _VDMSERVICECLASS +{ +VdmStartExecution, +VdmQueueInterrupt, +VdmDelayInterrupt, +VdmInitialize, +VdmFeatures, +VdmSetInt21Handler, +VdmQueryDir, +VdmPrinterDirectIoOpen, +VdmPrinterDirectIoClose, +VdmPrinterInitialize, +VdmSetLdtEntries, +VdmSetProcessLdtInfo, +VdmAdlibEmulation, +VdmPMCliControl, +VdmQueryVdmProcess +} VDMSERVICECLASS, *PVDMSERVICECLASS; + +typedef struct _PS_CREATE_INFO +{ +SIZE_T Size; +PS_CREATE_STATE State; +union +{ +// PsCreateInitialState +struct { +union { +ULONG InitFlags; +struct { +UCHAR WriteOutputOnExit : 1; +UCHAR DetectManifest : 1; +UCHAR IFEOSkipDebugger : 1; +UCHAR IFEODoNotPropagateKeyState : 1; +UCHAR SpareBits1 : 4; +UCHAR SpareBits2 : 8; +USHORT ProhibitedImageCharacteristics : 16; +}; +}; +ACCESS_MASK AdditionalFileAccess; +} InitState; +// PsCreateFailOnSectionCreate +struct { +HANDLE FileHandle; +} FailSection; +// PsCreateFailExeFormat +struct { +USHORT DllCharacteristics; +} ExeFormat; +// PsCreateFailExeName +struct { +HANDLE IFEOKey; +} ExeName; +// PsCreateSuccess +struct { +union { +ULONG OutputFlags; +struct { +UCHAR ProtectedProcess : 1; +UCHAR AddressSpaceOverride : 1; +UCHAR DevOverrideEnabled : 1; // from Image File Execution Options +UCHAR ManifestDetected : 1; +UCHAR ProtectedProcessLight : 1; +UCHAR SpareBits1 : 3; +UCHAR SpareBits2 : 8; +USHORT SpareBits3 : 16; +}; +}; +HANDLE FileHandle; +HANDLE SectionHandle; +ULONGLONG UserProcessParametersNative; +ULONG UserProcessParametersWow64; +ULONG CurrentParameterFlags; +ULONGLONG PebAddressNative; +ULONG PebAddressWow64; +ULONGLONG ManifestAddress; +ULONG ManifestSize; +} SuccessState; +}; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef enum _MEMORY_INFORMATION_CLASS +{ +MemoryBasicInformation, +MemoryWorkingSetInformation, +MemoryMappedFilenameInformation, +MemoryRegionInformation, +MemoryWorkingSetExInformation, +MemorySharedCommitInformation, +MemoryImageInformation, +MemoryRegionInformationEx, +MemoryPrivilegedBasicInformation, +MemoryEnclaveImageInformation, +MemoryBasicInformationCapped +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _MEMORY_RESERVE_TYPE +{ +MemoryReserveUserApc, +MemoryReserveIoCompletion, +MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; + +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ +AlpcBasicInformation, +AlpcPortInformation, +AlpcAssociateCompletionPortInformation, +AlpcConnectedSIDInformation, +AlpcServerInformation, +AlpcMessageZoneInformation, +AlpcRegisterCompletionListInformation, +AlpcUnregisterCompletionListInformation, +AlpcAdjustCompletionListConcurrencyCountInformation, +AlpcRegisterCallbackInformation, +AlpcCompletionListRundownInformation +} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; + +typedef struct _ALPC_CONTEXT_ATTR +{ +PVOID PortContext; +PVOID MessageContext; +ULONG SequenceNumber; +ULONG MessageID; +ULONG CallbackID; +} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; + +typedef struct _ALPC_DATA_VIEW_ATTR +{ +ULONG Flags; +HANDLE SectionHandle; +PVOID ViewBase; +SIZE_T ViewSize; +} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; + +typedef struct _ALPC_SECURITY_ATTR +{ +ULONG Flags; +PSECURITY_QUALITY_OF_SERVICE SecurityQos; +HANDLE ContextHandle; +ULONG Reserved1; +ULONG Reserved2; +} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; + +typedef PVOID* PPVOID; + +typedef enum _KPROFILE_SOURCE +{ +ProfileTime = 0, +ProfileAlignmentFixup = 1, +ProfileTotalIssues = 2, +ProfilePipelineDry = 3, +ProfileLoadInstructions = 4, +ProfilePipelineFrozen = 5, +ProfileBranchInstructions = 6, +ProfileTotalNonissues = 7, +ProfileDcacheMisses = 8, +ProfileIcacheMisses = 9, +ProfileCacheMisses = 10, +ProfileBranchMispredictions = 11, +ProfileStoreInstructions = 12, +ProfileFpInstructions = 13, +ProfileIntegerInstructions = 14, +Profile2Issue = 15, +Profile3Issue = 16, +Profile4Issue = 17, +ProfileSpecialInstructions = 18, +ProfileTotalCycles = 19, +ProfileIcacheIssues = 20, +ProfileDcacheAccesses = 21, +ProfileMemoryBarrierCycles = 22, +ProfileLoadLinkedIssues = 23, +ProfileMaximum = 24, +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ +AlpcMessageSidInformation, +AlpcMessageTokenModifiedIdInformation +} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; + +typedef enum _WORKERFACTORYINFOCLASS +{ +WorkerFactoryTimeout, +WorkerFactoryRetryTimeout, +WorkerFactoryIdleTimeout, +WorkerFactoryBindingCount, +WorkerFactoryThreadMinimum, +WorkerFactoryThreadMaximum, +WorkerFactoryPaused, +WorkerFactoryBasicInformation, +WorkerFactoryAdjustThreadGoal, +WorkerFactoryCallbackType, +WorkerFactoryStackInformation, +MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS +{ +SystemMemoryPartitionInformation, +SystemMemoryPartitionMoveMemory, +SystemMemoryPartitionAddPagefile, +SystemMemoryPartitionCombineMemory, +SystemMemoryPartitionInitialAddMemory, +SystemMemoryPartitionGetMemoryEvents, +SystemMemoryPartitionMax +} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; + +typedef enum _MUTANT_INFORMATION_CLASS +{ +MutantBasicInformation, +MutantOwnerInformation +} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; + +typedef enum _ATOM_INFORMATION_CLASS +{ +AtomBasicInformation, +AtomTableInformation +} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; + +typedef enum _SHUTDOWN_ACTION { +ShutdownNoReboot, +ShutdownReboot, +ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( +IN PVOID TimerContext, +IN ULONG TimerLowValue, +IN LONG TimerHighValue); + +typedef enum _KEY_VALUE_INFORMATION_CLASS { +KeyValueBasicInformation = 0, +KeyValueFullInformation, +KeyValuePartialInformation, +KeyValueFullInformationAlign64, +KeyValuePartialInformationAlign64, +MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef LANGID* PLANGID; + +typedef struct _PLUGPLAY_EVENT_BLOCK +{ +GUID EventGuid; +PLUGPLAY_EVENT_CATEGORY EventCategory; +PULONG Result; +ULONG Flags; +ULONG TotalSize; +PVOID DeviceObject; + +union +{ +struct +{ +GUID ClassGuid; +WCHAR SymbolicLinkName[1]; +} DeviceClass; +struct +{ +WCHAR DeviceIds[1]; +} TargetDevice; +struct +{ +WCHAR DeviceId[1]; +} InstallDevice; +struct +{ +PVOID NotificationStructure; +WCHAR DeviceIds[1]; +} CustomNotification; +struct +{ +PVOID Notification; +} ProfileNotification; +struct +{ +ULONG NotificationCode; +ULONG NotificationData; +} PowerNotification; +struct +{ +PNP_VETO_TYPE VetoType; +WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName +} VetoNotification; +struct +{ +GUID BlockedDriverGuid; +} BlockedDriverNotification; +struct +{ +WCHAR ParentId[1]; +} InvalidIDNotification; +} u; +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef VOID(NTAPI* PIO_APC_ROUTINE) ( +IN PVOID ApcContext, +IN PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG Reserved); + +typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; + +typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS +{ +DirectoryNotifyInformation = 1, +DirectoryNotifyExtendedInformation = 2, +} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; + +typedef enum _EVENT_INFORMATION_CLASS +{ +EventBasicInformation +} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; + +typedef struct _ALPC_MESSAGE_ATTRIBUTES +{ +unsigned long AllocatedAttributes; +unsigned long ValidAttributes; +} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; + +typedef struct _ALPC_PORT_ATTRIBUTES +{ +ULONG Flags; +SECURITY_QUALITY_OF_SERVICE SecurityQos; +SIZE_T MaxMessageLength; +SIZE_T MemoryBandwidth; +SIZE_T MaxPoolUsage; +SIZE_T MaxSectionSize; +SIZE_T MaxViewSize; +SIZE_T MaxTotalSectionSize; +ULONG DupObjectTypes; +#ifdef _WIN64 +ULONG Reserved; +#endif +} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; + +typedef enum _IO_SESSION_STATE +{ +IoSessionStateCreated = 1, +IoSessionStateInitialized = 2, +IoSessionStateConnected = 3, +IoSessionStateDisconnected = 4, +IoSessionStateDisconnectedLoggedOn = 5, +IoSessionStateLoggedOn = 6, +IoSessionStateLoggedOff = 7, +IoSessionStateTerminated = 8, +IoSessionStateMax = 9, +} IO_SESSION_STATE, *PIO_SESSION_STATE; + +typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; + +typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; + +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ +unsigned __int64 SubscriptionId; +WNF_STATE_NAME StateName; +unsigned long ChangeStamp; +unsigned long StateDataSize; +unsigned long EventMask; +WNF_TYPE_ID TypeId; +unsigned long StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; + +typedef enum _DEBUG_CONTROL_CODE +{ +SysDbgQueryModuleInformation = 0, +SysDbgQueryTraceInformation = 1, +SysDbgSetTracePoint = 2, +SysDbgSetSpecialCall = 3, +SysDbgClearSpecialCalls = 4, +SysDbgQuerySpecialCalls = 5, +SysDbgBreakPoint = 6, +SysDbgQueryVersion = 7, +SysDbgReadVirtual = 8, +SysDbgWriteVirtual = 9, +SysDbgReadPhysical = 10, +SysDbgWritePhysical = 11, +SysDbgReadControlSpace = 12, +SysDbgWriteControlSpace = 13, +SysDbgReadIoSpace = 14, +SysDbgWriteIoSpace = 15, +SysDbgReadMsr = 16, +SysDbgWriteMsr = 17, +SysDbgReadBusData = 18, +SysDbgWriteBusData = 19, +SysDbgCheckLowMemory = 20, +SysDbgEnableKernelDebugger = 21, +SysDbgDisableKernelDebugger = 22, +SysDbgGetAutoKdEnable = 23, +SysDbgSetAutoKdEnable = 24, +SysDbgGetPrintBufferSize = 25, +SysDbgSetPrintBufferSize = 26, +SysDbgGetKdUmExceptionEnable = 27, +SysDbgSetKdUmExceptionEnable = 28, +SysDbgGetTriageDump = 29, +SysDbgGetKdBlockEnable = 30, +SysDbgSetKdBlockEnable = 31 +} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; + +typedef struct _PORT_MESSAGE +{ +union +{ +union +{ +struct +{ +short DataLength; +short TotalLength; +} s1; +unsigned long Length; +}; +} u1; +union +{ +union +{ +struct +{ +short Type; +short DataInfoOffset; +} s2; +unsigned long ZeroInit; +}; +} u2; +union +{ +CLIENT_ID ClientId; +double DoNotUseThisField; +}; +unsigned long MessageId; +union +{ +unsigned __int64 ClientViewSize; +struct +{ +unsigned long CallbackId; +long __PADDING__[1]; +}; +}; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _FILE_BASIC_INFORMATION +{ +LARGE_INTEGER CreationTime; +LARGE_INTEGER LastAccessTime; +LARGE_INTEGER LastWriteTime; +LARGE_INTEGER ChangeTime; +ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _PORT_SECTION_READ +{ +ULONG Length; +ULONG ViewSize; +ULONG ViewBase; +} PORT_SECTION_READ, *PPORT_SECTION_READ; + +typedef struct _PORT_SECTION_WRITE +{ +ULONG Length; +HANDLE SectionHandle; +ULONG SectionOffset; +ULONG ViewSize; +PVOID ViewBase; +PVOID TargetViewBase; +} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; + +typedef enum _TIMER_TYPE +{ +NotificationTimer, +SynchronizationTimer +} TIMER_TYPE, *PTIMER_TYPE; + +typedef struct _BOOT_ENTRY +{ +ULONG Version; +ULONG Length; +ULONG Id; +ULONG Attributes; +ULONG FriendlyNameOffset; +ULONG BootFilePathOffset; +ULONG OsOptionsLength; +UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY +{ +ULONG Version; +ULONG Length; +ULONG Id; +ULONG Attributes; +ULONG FriendlyNameOffset; +ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ +TimerSetCoalescableTimer, +MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; + +typedef enum _FSINFOCLASS +{ +FileFsVolumeInformation = 1, +FileFsLabelInformation = 2, +FileFsSizeInformation = 3, +FileFsDeviceInformation = 4, +FileFsAttributeInformation = 5, +FileFsControlInformation = 6, +FileFsFullSizeInformation = 7, +FileFsObjectIdInformation = 8, +FileFsDriverPathInformation = 9, +FileFsVolumeFlagsInformation = 10, +FileFsSectorSizeInformation = 11, +FileFsDataCopyInformation = 12, +FileFsMetadataSizeInformation = 13, +FileFsFullSizeInformationEx = 14, +FileFsMaximumInformation = 15, +} FSINFOCLASS, *PFSINFOCLASS; + +typedef enum _WAIT_TYPE +{ +WaitAll = 0, +WaitAny = 1 +} WAIT_TYPE, *PWAIT_TYPE; + +typedef struct _USER_STACK +{ +PVOID FixedStackBase; +PVOID FixedStackLimit; +PVOID ExpandableStackBase; +PVOID ExpandableStackLimit; +PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +typedef enum _SECTION_INFORMATION_CLASS +{ +SectionBasicInformation, +SectionImageInformation, +} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; + +typedef enum _APPHELPCACHESERVICECLASS +{ +ApphelpCacheServiceLookup = 0, +ApphelpCacheServiceRemove = 1, +ApphelpCacheServiceUpdate = 2, +ApphelpCacheServiceFlush = 3, +ApphelpCacheServiceDump = 4, +ApphelpDBGReadRegistry = 0x100, +ApphelpDBGWriteRegistry = 0x101, +} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ +USHORT Version; +USHORT Reserved; +ULONG AttributeCount; +union +{ +PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; +} Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ +PVOID KeyContext; +PVOID ApcContext; +IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef PVOID PT2_CANCEL_PARAMETERS; + +typedef enum _THREADINFOCLASS +{ +ThreadBasicInformation, +ThreadTimes, +ThreadPriority, +ThreadBasePriority, +ThreadAffinityMask, +ThreadImpersonationToken, +ThreadDescriptorTableEntry, +ThreadEnableAlignmentFaultFixup, +ThreadEventPair_Reusable, +ThreadQuerySetWin32StartAddress, +ThreadZeroTlsCell, +ThreadPerformanceCount, +ThreadAmILastThread, +ThreadIdealProcessor, +ThreadPriorityBoost, +ThreadSetTlsArrayAddress, +ThreadIsIoPending, +ThreadHideFromDebugger, +ThreadBreakOnTermination, +MaxThreadInfoClass +} THREADINFOCLASS, *PTHREADINFOCLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ +ObjectBasicInformation, +ObjectNameInformation, +ObjectTypeInformation, +ObjectAllTypesInformation, +ObjectHandleInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef enum _FILE_INFORMATION_CLASS +{ +FileDirectoryInformation = 1, +FileFullDirectoryInformation = 2, +FileBothDirectoryInformation = 3, +FileBasicInformation = 4, +FileStandardInformation = 5, +FileInternalInformation = 6, +FileEaInformation = 7, +FileAccessInformation = 8, +FileNameInformation = 9, +FileRenameInformation = 10, +FileLinkInformation = 11, +FileNamesInformation = 12, +FileDispositionInformation = 13, +FilePositionInformation = 14, +FileFullEaInformation = 15, +FileModeInformation = 16, +FileAlignmentInformation = 17, +FileAllInformation = 18, +FileAllocationInformation = 19, +FileEndOfFileInformation = 20, +FileAlternateNameInformation = 21, +FileStreamInformation = 22, +FilePipeInformation = 23, +FilePipeLocalInformation = 24, +FilePipeRemoteInformation = 25, +FileMailslotQueryInformation = 26, +FileMailslotSetInformation = 27, +FileCompressionInformation = 28, +FileObjectIdInformation = 29, +FileCompletionInformation = 30, +FileMoveClusterInformation = 31, +FileQuotaInformation = 32, +FileReparsePointInformation = 33, +FileNetworkOpenInformation = 34, +FileAttributeTagInformation = 35, +FileTrackingInformation = 36, +FileIdBothDirectoryInformation = 37, +FileIdFullDirectoryInformation = 38, +FileValidDataLengthInformation = 39, +FileShortNameInformation = 40, +FileIoCompletionNotificationInformation = 41, +FileIoStatusBlockRangeInformation = 42, +FileIoPriorityHintInformation = 43, +FileSfioReserveInformation = 44, +FileSfioVolumeInformation = 45, +FileHardLinkInformation = 46, +FileProcessIdsUsingFileInformation = 47, +FileNormalizedNameInformation = 48, +FileNetworkPhysicalNameInformation = 49, +FileIdGlobalTxDirectoryInformation = 50, +FileIsRemoteDeviceInformation = 51, +FileUnusedInformation = 52, +FileNumaNodeInformation = 53, +FileStandardLinkInformation = 54, +FileRemoteProtocolInformation = 55, +FileRenameInformationBypassAccessCheck = 56, +FileLinkInformationBypassAccessCheck = 57, +FileVolumeNameInformation = 58, +FileIdInformation = 59, +FileIdExtdDirectoryInformation = 60, +FileReplaceCompletionInformation = 61, +FileHardLinkFullIdInformation = 62, +FileIdExtdBothDirectoryInformation = 63, +FileDispositionInformationEx = 64, +FileRenameInformationEx = 65, +FileRenameInformationExBypassAccessCheck = 66, +FileMaximumInformation = 67, +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef enum _KEY_INFORMATION_CLASS +{ +KeyBasicInformation = 0, +KeyNodeInformation = 1, +KeyFullInformation = 2, +KeyNameInformation = 3, +KeyCachedInformation = 4, +KeyFlagsInformation = 5, +KeyVirtualizationInformation = 6, +KeyHandleTagsInformation = 7, +MaxKeyInfoClass = 8 +} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; + +typedef struct _OBJECT_ATTRIBUTES +{ +ULONG Length; +HANDLE RootDirectory; +PUNICODE_STRING ObjectName; +ULONG Attributes; +PVOID SecurityDescriptor; +PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef enum _TIMER_INFORMATION_CLASS +{ +TimerBasicInformation +} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; + +typedef struct _KCONTINUE_ARGUMENT +{ +KCONTINUE_TYPE ContinueType; +ULONG ContinueFlags; +ULONGLONG Reserved[2]; +} KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; + +EXTERN_C NTSTATUS Sw3NtAccessCheck( +IN PSECURITY_DESCRIPTOR pSecurityDescriptor, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiaredAccess, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PBOOLEAN AccessStatus); + +EXTERN_C NTSTATUS Sw3NtWorkerFactoryWorkerReady( +IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtAcceptConnectPort( +OUT PHANDLE ServerPortHandle, +IN ULONG AlternativeReceivePortHandle OPTIONAL, +IN PPORT_MESSAGE ConnectionReply, +IN BOOLEAN AcceptConnection, +IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, +OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPagesScatter( +IN PVOID VirtualAddresses, +IN PULONG NumberOfPages, +IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForSingleObject( +IN HANDLE ObjectHandle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER TimeOut OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallbackReturn( +IN PVOID OutputBuffer OPTIONAL, +IN ULONG OutputLength, +IN NTSTATUS Status); + +EXTERN_C NTSTATUS Sw3NtReadFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +OUT PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeviceIoControlFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG IoControlCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletion( +IN HANDLE IoCompletionHandle, +OUT PULONG KeyContext, +OUT PULONG ApcContext, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseSemaphore( +IN HANDLE SemaphoreHandle, +IN LONG ReleaseCount, +OUT PLONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePort( +IN HANDLE PortHandle, +OUT PVOID PortContext OPTIONAL, +IN PPORT_MESSAGE ReplyMessage OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage); + +EXTERN_C NTSTATUS Sw3NtReplyPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtSetInformationThread( +IN HANDLE ThreadHandle, +IN THREADINFOCLASS ThreadInformationClass, +IN PVOID ThreadInformation, +IN ULONG ThreadInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtClose( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtQueryObject( +IN HANDLE Handle, +IN OBJECT_INFORMATION_CLASS ObjectInformationClass, +OUT PVOID ObjectInformation OPTIONAL, +IN ULONG ObjectInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtOpenKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtEnumerateValueKey( +IN HANDLE KeyHandle, +IN ULONG Index, +IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, +OUT PVOID KeyValueInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtFindAtom( +IN PWSTR AtomName OPTIONAL, +IN ULONG Length, +OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultLocale( +IN BOOLEAN UserProfile, +OUT PLCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtQueryKey( +IN HANDLE KeyHandle, +IN KEY_INFORMATION_CLASS KeyInformationClass, +OUT PVOID KeyInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtQueryValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, +OUT PVOID KeyValueInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN ULONG ZeroBits, +IN OUT PSIZE_T RegionSize, +IN ULONG AllocationType, +IN ULONG Protect); + +EXTERN_C NTSTATUS Sw3NtQueryInformationProcess( +IN HANDLE ProcessHandle, +IN PROCESSINFOCLASS ProcessInformationClass, +OUT PVOID ProcessInformation, +IN ULONG ProcessInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects32( +IN ULONG ObjectCount, +IN PHANDLE Handles, +IN WAIT_TYPE WaitType, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteFileGather( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_SEGMENT_ELEMENT SegmentArray, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFreeVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN OUT PSIZE_T RegionSize, +IN ULONG FreeType); + +EXTERN_C NTSTATUS Sw3NtImpersonateClientOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message); + +EXTERN_C NTSTATUS Sw3NtReleaseMutant( +IN HANDLE MutantHandle, +OUT PULONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationToken( +IN HANDLE TokenHandle, +IN TOKEN_INFORMATION_CLASS TokenInformationClass, +OUT PVOID TokenInformation, +IN ULONG TokenInformationLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtRequestWaitReplyPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE RequestMessage, +OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtQueryVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN MEMORY_INFORMATION_CLASS MemoryInformationClass, +OUT PVOID MemoryInformation, +IN SIZE_T MemoryInformationLength, +OUT PSIZE_T ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadToken( +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN BOOLEAN OpenAsSelf, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryInformationThread( +IN HANDLE ThreadHandle, +IN THREADINFOCLASS ThreadInformationClass, +OUT PVOID ThreadInformation, +IN ULONG ThreadInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenProcess( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSection( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN ULONG ZeroBits, +IN SIZE_T CommitSize, +IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, +IN OUT PSIZE_T ViewSize, +IN SECTION_INHERIT InheritDisposition, +IN ULONG AllocationType, +IN ULONG Win32Protect); + +EXTERN_C NTSTATUS Sw3NtAccessCheckAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN ACCESS_MASK DesiredAccess, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PBOOLEAN AccessStatus, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSection( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePortEx( +IN HANDLE PortHandle, +OUT PULONG PortContext OPTIONAL, +IN PPORT_MESSAGE ReplyMessage OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateProcess( +IN HANDLE ProcessHandle OPTIONAL, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtSetEventBoostPriority( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadFileScatter( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_SEGMENT_ELEMENT SegmentArray, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadTokenEx( +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN BOOLEAN OpenAsSelf, +IN ULONG HandleAttributes, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenProcessTokenEx( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryPerformanceCounter( +OUT PLARGE_INTEGER PerformanceCounter, +OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtEnumerateKey( +IN HANDLE KeyHandle, +IN ULONG Index, +IN KEY_INFORMATION_CLASS KeyInformationClass, +OUT PVOID KeyInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtOpenFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG ShareAccess, +IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtDelayExecution( +IN BOOLEAN Alertable, +IN PLARGE_INTEGER DelayInterval); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass, +IN BOOLEAN ReturnSingleEntry, +IN PUNICODE_STRING FileName OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformation( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN OUT PVOID SystemInformation, +IN ULONG SystemInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSection( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtQueryTimer( +IN HANDLE TimerHandle, +IN TIMER_INFORMATION_CLASS TimerInformationClass, +OUT PVOID TimerInformation, +IN ULONG TimerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFsControlFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG FsControlCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID Buffer, +IN SIZE_T NumberOfBytesToWrite, +OUT PSIZE_T NumberOfBytesWritten OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCloseObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDuplicateObject( +IN HANDLE SourceProcessHandle, +IN HANDLE SourceHandle, +IN HANDLE TargetProcessHandle OPTIONAL, +OUT PHANDLE TargetHandle OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Options); + +EXTERN_C NTSTATUS Sw3NtQueryAttributesFile( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PFILE_BASIC_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtClearEvent( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +OUT PVOID Buffer, +IN SIZE_T BufferSize, +OUT PSIZE_T NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAdjustPrivilegesToken( +IN HANDLE TokenHandle, +IN BOOLEAN DisableAllPrivileges, +IN PTOKEN_PRIVILEGES NewState OPTIONAL, +IN ULONG BufferLength, +OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDuplicateToken( +IN HANDLE ExistingTokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN BOOLEAN EffectiveOnly, +IN TOKEN_TYPE TokenType, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtContinue( +IN PCONTEXT ContextRecord, +IN BOOLEAN TestAlert); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultUILanguage( +OUT PLANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueueApcThread( +IN HANDLE ThreadHandle, +IN PKNORMAL_ROUTINE ApcRoutine, +IN PVOID ApcArgument1 OPTIONAL, +IN PVOID ApcArgument2 OPTIONAL, +IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtYieldExecution(); + +EXTERN_C NTSTATUS Sw3NtAddAtom( +IN PWSTR AtomName OPTIONAL, +IN ULONG Length, +OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN EVENT_TYPE EventType, +IN BOOLEAN InitialState); + +EXTERN_C NTSTATUS Sw3NtQueryVolumeInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FsInformation, +IN ULONG Length, +IN FSINFOCLASS FsInformationClass); + +EXTERN_C NTSTATUS Sw3NtCreateSection( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PLARGE_INTEGER MaximumSize OPTIONAL, +IN ULONG SectionPageProtection, +IN ULONG AllocationAttributes, +IN HANDLE FileHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtApphelpCacheControl( +IN APPHELPCACHESERVICECLASS Service, +IN PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtCreateProcessEx( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ParentProcess, +IN ULONG Flags, +IN HANDLE SectionHandle OPTIONAL, +IN HANDLE DebugPort OPTIONAL, +IN HANDLE ExceptionPort OPTIONAL, +IN ULONG JobMemberLevel); + +EXTERN_C NTSTATUS Sw3NtCreateThread( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ProcessHandle, +OUT PCLIENT_ID ClientId, +IN PCONTEXT ThreadContext, +IN PUSER_STACK InitialTeb, +IN BOOLEAN CreateSuspended); + +EXTERN_C NTSTATUS Sw3NtIsProcessInJob( +IN HANDLE ProcessHandle, +IN HANDLE JobHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtProtectVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN OUT PSIZE_T RegionSize, +IN ULONG NewProtect, +OUT PULONG OldProtect); + +EXTERN_C NTSTATUS Sw3NtQuerySection( +IN HANDLE SectionHandle, +IN SECTION_INFORMATION_CLASS SectionInformationClass, +OUT PVOID SectionInformation, +IN ULONG SectionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResumeThread( +IN HANDLE ThreadHandle, +IN OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateThread( +IN HANDLE ThreadHandle, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtReadRequestData( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN ULONG DataEntryIndex, +OUT PVOID Buffer, +IN ULONG BufferSize, +OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER AllocationSize OPTIONAL, +IN ULONG FileAttributes, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN PVOID EaBuffer OPTIONAL, +IN ULONG EaLength); + +EXTERN_C NTSTATUS Sw3NtQueryEvent( +IN HANDLE EventHandle, +IN EVENT_INFORMATION_CLASS EventInformationClass, +OUT PVOID EventInformation, +IN ULONG EventInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteRequestData( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Request, +IN ULONG DataIndex, +IN PVOID Buffer, +IN ULONG Length, +OUT PULONG ResultLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenDirectoryObject( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects( +IN ULONG Count, +IN PHANDLE Handles, +IN WAIT_TYPE WaitType, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationObject( +IN HANDLE Handle, +IN OBJECT_INFORMATION_CLASS ObjectInformationClass, +IN PVOID ObjectInformation, +IN ULONG ObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtCancelIoFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtTraceEvent( +IN HANDLE TraceHandle, +IN ULONG Flags, +IN ULONG FieldSize, +IN PVOID Fields); + +EXTERN_C NTSTATUS Sw3NtPowerInformation( +IN POWER_INFORMATION_LEVEL InformationLevel, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtSetValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN ULONG TitleIndex OPTIONAL, +IN ULONG Type, +IN PVOID SystemData, +IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtCancelTimer( +IN HANDLE TimerHandle, +OUT PBOOLEAN CurrentState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetTimer( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime, +IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, +IN PVOID TimerContext OPTIONAL, +IN BOOLEAN ResumeTimer, +IN LONG Period OPTIONAL, +OUT PBOOLEAN PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByType( +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN HANDLE ClientToken, +IN ULONG DesiredAccess, +IN POBJECT_TYPE_LIST ObjectTypeList, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultList( +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_TYPE_LIST ObjectTypeList, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN HANDLE ClientToken, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAcquireProcessActivityReference(); + +EXTERN_C NTSTATUS Sw3NtAddAtomEx( +IN PWSTR AtomName, +IN ULONG Length, +IN PRTL_ATOM Atom, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAddBootEntry( +IN PBOOT_ENTRY BootEntry, +OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAddDriverEntry( +IN PEFI_DRIVER_ENTRY DriverEntry, +OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAdjustGroupsToken( +IN HANDLE TokenHandle, +IN BOOLEAN ResetToDefault, +IN PTOKEN_GROUPS NewState OPTIONAL, +IN ULONG BufferLength OPTIONAL, +OUT PTOKEN_GROUPS PreviousState OPTIONAL, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtAdjustTokenClaimsAndDeviceGroups( +IN HANDLE TokenHandle, +IN BOOLEAN UserResetToDefault, +IN BOOLEAN DeviceResetToDefault, +IN BOOLEAN DeviceGroupsResetToDefault, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, +IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, +IN ULONG UserBufferLength, +OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, +IN ULONG DeviceBufferLength, +OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, +IN ULONG DeviceGroupsBufferLength, +OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, +OUT PULONG UserReturnLength OPTIONAL, +OUT PULONG DeviceReturnLength OPTIONAL, +OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertResumeThread( +IN HANDLE ThreadHandle, +OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertThread( +IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtAlertThreadByThreadId( +IN ULONG ThreadId); + +EXTERN_C NTSTATUS Sw3NtAllocateLocallyUniqueId( +OUT PLUID Luid); + +EXTERN_C NTSTATUS Sw3NtAllocateReserveObject( +OUT PHANDLE MemoryReserveHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN MEMORY_RESERVE_TYPE Type); + +EXTERN_C NTSTATUS Sw3NtAllocateUserPhysicalPages( +IN HANDLE ProcessHandle, +IN OUT PULONG NumberOfPages, +OUT PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtAllocateUuids( +OUT PLARGE_INTEGER Time, +OUT PULONG Range, +OUT PULONG Sequence, +OUT PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemoryEx( +IN HANDLE ProcessHandle, +IN OUT PPVOID lpAddress, +IN ULONG_PTR ZeroBits, +IN OUT PSIZE_T pSize, +IN ULONG flAllocationType, +IN OUT PVOID DataBuffer OPTIONAL, +IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtAlpcAcceptConnectPort( +OUT PHANDLE PortHandle, +IN HANDLE ConnectionPortHandle, +IN ULONG Flags, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN PVOID PortContext OPTIONAL, +IN PPORT_MESSAGE ConnectionRequest, +IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, +IN BOOLEAN AcceptConnection); + +EXTERN_C NTSTATUS Sw3NtAlpcCancelMessage( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PALPC_CONTEXT_ATTR MessageContext); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN ULONG Flags, +IN PSID RequiredServerSid OPTIONAL, +IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, +IN OUT PULONG BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPortEx( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, +IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN ULONG Flags, +IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, +IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, +IN OUT PSIZE_T BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePortSection( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE SectionHandle OPTIONAL, +IN SIZE_T SectionSize, +OUT PHANDLE AlpcSectionHandle, +OUT PSIZE_T ActualSectionSize); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateResourceReserve( +IN HANDLE PortHandle, +IN ULONG Flags, +IN SIZE_T MessageSize, +OUT PHANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSectionView( +IN HANDLE PortHandle, +IN ULONG Flags, +IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN OUT PALPC_SECURITY_ATTR SecurityAttribute); + +EXTERN_C NTSTATUS Sw3NtAlpcDeletePortSection( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE SectionHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteResourceReserve( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSectionView( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PVOID ViewBase); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDisconnectPort( +IN HANDLE PortHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientContainerOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN PVOID Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderProcess( +OUT PHANDLE ProcessHandle, +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ULONG Flags, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderThread( +OUT PHANDLE ThreadHandle, +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ULONG Flags, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformation( +IN HANDLE PortHandle OPTIONAL, +IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, +IN OUT PVOID PortInformation, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformationMessage( +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, +OUT PVOID MessageInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcRevokeSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcSendWaitReceivePort( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PPORT_MESSAGE SendMessage OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, +IN OUT PSIZE_T BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcSetInformation( +IN HANDLE PortHandle, +IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, +IN PVOID PortInformation OPTIONAL, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtAreMappedFilesTheSame( +IN PVOID File1MappedAsAnImage, +IN PVOID File2MappedAsFile); + +EXTERN_C NTSTATUS Sw3NtAssignProcessToJobObject( +IN HANDLE JobHandle, +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtAssociateWaitCompletionPacket( +IN HANDLE WaitCompletionPacketHandle, +IN HANDLE IoCompletionHandle, +IN HANDLE TargetObjectHandle, +IN PVOID KeyContext OPTIONAL, +IN PVOID ApcContext OPTIONAL, +IN NTSTATUS IoStatus, +IN ULONG_PTR IoStatusInformation, +OUT PBOOLEAN AlreadySignaled OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallEnclave( +IN PENCLAVE_ROUTINE Routine, +IN PVOID Parameter, +IN BOOLEAN WaitForThread, +IN OUT PVOID ReturnValue OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCancelIoFileEx( +IN HANDLE FileHandle, +IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelSynchronousIoFile( +IN HANDLE ThreadHandle, +IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelTimer2( +IN HANDLE TimerHandle, +IN PT2_CANCEL_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtCancelWaitCompletionPacket( +IN HANDLE WaitCompletionPacketHandle, +IN BOOLEAN RemoveSignaledPacket); + +EXTERN_C NTSTATUS Sw3NtCommitComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitRegistryTransaction( +IN HANDLE RegistryHandle, +IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtCommitTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtCompactKeys( +IN ULONG Count, +IN HANDLE KeyArray); + +EXTERN_C NTSTATUS Sw3NtCompareObjects( +IN HANDLE FirstObjectHandle, +IN HANDLE SecondObjectHandle); + +EXTERN_C NTSTATUS Sw3NtCompareSigningLevels( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2); + +EXTERN_C NTSTATUS Sw3NtCompareTokens( +IN HANDLE FirstTokenHandle, +IN HANDLE SecondTokenHandle, +OUT PBOOLEAN Equal); + +EXTERN_C NTSTATUS Sw3NtCompleteConnectPort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtCompressKey( +IN HANDLE Key); + +EXTERN_C NTSTATUS Sw3NtConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, +IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, +IN OUT PPORT_SECTION_READ ServerView OPTIONAL, +OUT PULONG MaxMessageLength OPTIONAL, +IN OUT PVOID ConnectionInformation OPTIONAL, +IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2, +IN ULONG UnknownParameter3, +IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtCreateDebugObject( +OUT PHANDLE DebugObjectHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObject( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObjectEx( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN HANDLE ShadowDirectoryHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateEnclave( +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN ULONG_PTR ZeroBits, +IN SIZE_T Size, +IN SIZE_T InitialCommitment, +IN ULONG EnclaveType, +IN PVOID EnclaveInformation, +IN ULONG EnclaveInformationLength, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEnlistment( +OUT PHANDLE EnlistmentHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE ResourceManagerHandle, +IN HANDLE TransactionHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN NOTIFICATION_MASK NotificationMask, +IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEventPair( +OUT PHANDLE EventPairHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateIRTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateIoCompletion( +OUT PHANDLE IoCompletionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG Count OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobObject( +OUT PHANDLE JobHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobSet( +IN ULONG NumJob, +IN PJOB_SET_ARRAY UserJobSet, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateKeyTransacted( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +IN HANDLE TransactionHandle, +OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKeyedEvent( +OUT PHANDLE KeyedEventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateLowBoxToken( +OUT PHANDLE TokenHandle, +IN HANDLE ExistingTokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PSID PackageSid, +IN ULONG CapabilityCount, +IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, +IN ULONG HandleCount, +IN HANDLE Handles OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateMailslotFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CreateOptions, +IN ULONG MailslotQuota, +IN ULONG MaximumMessageSize, +IN PLARGE_INTEGER ReadTimeout); + +EXTERN_C NTSTATUS Sw3NtCreateMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN BOOLEAN InitialOwner); + +EXTERN_C NTSTATUS Sw3NtCreateNamedPipeFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN BOOLEAN NamedPipeType, +IN BOOLEAN ReadMode, +IN BOOLEAN CompletionMode, +IN ULONG MaximumInstances, +IN ULONG InboundQuota, +IN ULONG OutboundQuota, +IN PLARGE_INTEGER DefaultTimeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePagingFile( +IN PUNICODE_STRING PageFileName, +IN PULARGE_INTEGER MinimumSize, +IN PULARGE_INTEGER MaximumSize, +IN ULONG Priority); + +EXTERN_C NTSTATUS Sw3NtCreatePartition( +OUT PHANDLE PartitionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG PreferredNode); + +EXTERN_C NTSTATUS Sw3NtCreatePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG MaxConnectionInfoLength, +IN ULONG MaxMessageLength, +IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePrivateNamespace( +OUT PHANDLE NamespaceHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateProcess( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ParentProcess, +IN BOOLEAN InheritObjectTable, +IN HANDLE SectionHandle OPTIONAL, +IN HANDLE DebugPort OPTIONAL, +IN HANDLE ExceptionPort OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateProfile( +OUT PHANDLE ProfileHandle, +IN HANDLE Process OPTIONAL, +IN PVOID ProfileBase, +IN ULONG ProfileSize, +IN ULONG BucketSize, +IN PULONG Buffer, +IN ULONG BufferSize, +IN KPROFILE_SOURCE ProfileSource, +IN ULONG Affinity); + +EXTERN_C NTSTATUS Sw3NtCreateProfileEx( +OUT PHANDLE ProfileHandle, +IN HANDLE Process OPTIONAL, +IN PVOID ProfileBase, +IN SIZE_T ProfileSize, +IN ULONG BucketSize, +IN PULONG Buffer, +IN ULONG BufferSize, +IN KPROFILE_SOURCE ProfileSource, +IN USHORT GroupCount, +IN PGROUP_AFFINITY GroupAffinity); + +EXTERN_C NTSTATUS Sw3NtCreateRegistryTransaction( +OUT PHANDLE Handle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN DWORD Flags); + +EXTERN_C NTSTATUS Sw3NtCreateResourceManager( +OUT PHANDLE ResourceManagerHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE TmHandle, +IN LPGUID RmGuid, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSemaphore( +OUT PHANDLE SemaphoreHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN LONG InitialCount, +IN LONG MaximumCount); + +EXTERN_C NTSTATUS Sw3NtCreateSymbolicLinkObject( +OUT PHANDLE LinkHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PUNICODE_STRING LinkTarget); + +EXTERN_C NTSTATUS Sw3NtCreateThreadEx( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ProcessHandle, +IN PVOID StartRoutine, +IN PVOID Argument OPTIONAL, +IN ULONG CreateFlags, +IN SIZE_T ZeroBits, +IN SIZE_T StackSize, +IN SIZE_T MaximumStackSize, +IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TIMER_TYPE TimerType); + +EXTERN_C NTSTATUS Sw3NtCreateTimer2( +OUT PHANDLE TimerHandle, +IN PVOID Reserved1 OPTIONAL, +IN PVOID Reserved2 OPTIONAL, +IN ULONG Attributes, +IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateToken( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TOKEN_TYPE TokenType, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_OWNER Owner OPTIONAL, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, +IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTokenEx( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TOKEN_TYPE TokenType, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, +IN PTOKEN_GROUPS DeviceGroups OPTIONAL, +IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, +IN PTOKEN_OWNER Owner OPTIONAL, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, +IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTransaction( +OUT PHANDLE TransactionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN LPGUID Uow OPTIONAL, +IN HANDLE TmHandle OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN ULONG IsolationLevel OPTIONAL, +IN ULONG IsolationFlags OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL, +IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTransactionManager( +OUT PHANDLE TmHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PUNICODE_STRING LogFileName OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN ULONG CommitStrength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateUserProcess( +OUT PHANDLE ProcessHandle, +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK ProcessDesiredAccess, +IN ACCESS_MASK ThreadDesiredAccess, +IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, +IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, +IN ULONG ProcessFlags, +IN ULONG ThreadFlags, +IN PVOID ProcessParameters OPTIONAL, +IN OUT PPS_CREATE_INFO CreateInfo, +IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitCompletionPacket( +OUT PHANDLE WaitCompletionPacketHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitablePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG MaxConnectionInfoLength, +IN ULONG MaxMessageLength, +IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWnfStateName( +OUT PCWNF_STATE_NAME StateName, +IN WNF_STATE_NAME_LIFETIME NameLifetime, +IN WNF_DATA_SCOPE DataScope, +IN BOOLEAN PersistData, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN ULONG MaximumStateSize, +IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateWorkerFactory( +OUT PHANDLE WorkerFactoryHandleReturn, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE CompletionPortHandle, +IN HANDLE WorkerProcessHandle, +IN PVOID StartRoutine, +IN PVOID StartParameter OPTIONAL, +IN ULONG MaxThreadCount OPTIONAL, +IN SIZE_T StackReserve OPTIONAL, +IN SIZE_T StackCommit OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDebugActiveProcess( +IN HANDLE ProcessHandle, +IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtDebugContinue( +IN HANDLE DebugObjectHandle, +IN PCLIENT_ID ClientId, +IN NTSTATUS ContinueStatus); + +EXTERN_C NTSTATUS Sw3NtDeleteAtom( +IN USHORT Atom); + +EXTERN_C NTSTATUS Sw3NtDeleteBootEntry( +IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteDriverEntry( +IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteFile( +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtDeleteKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDeletePrivateNamespace( +IN HANDLE NamespaceHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PVOID ExplicitScope OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateName( +IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtDisableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtDisplayString( +IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtDrawText( +IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtEnableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtEnumerateBootEntries( +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateDriverEntries( +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateSystemEnvironmentValuesEx( +IN ULONG InformationClass, +OUT PVOID Buffer, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateTransactionObject( +IN HANDLE RootObjectHandle OPTIONAL, +IN KTMOBJECT_TYPE QueryType, +IN OUT PKTMOBJECT_CURSOR ObjectCursor, +IN ULONG ObjectCursorLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtExtendSection( +IN HANDLE SectionHandle, +IN OUT PLARGE_INTEGER NewSectionSize); + +EXTERN_C NTSTATUS Sw3NtFilterBootOption( +IN FILTER_BOOT_OPTION_OPERATION FilterOperation, +IN ULONG ObjectType, +IN ULONG ElementType, +IN PVOID SystemData OPTIONAL, +IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtFilterToken( +IN HANDLE ExistingTokenHandle, +IN ULONG Flags, +IN PTOKEN_GROUPS SidsToDisable OPTIONAL, +IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, +IN PTOKEN_GROUPS RestrictedSids OPTIONAL, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFilterTokenEx( +IN HANDLE TokenHandle, +IN ULONG Flags, +IN PTOKEN_GROUPS SidsToDisable OPTIONAL, +IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, +IN PTOKEN_GROUPS RestrictedSids OPTIONAL, +IN ULONG DisableUserClaimsCount, +IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, +IN ULONG DisableDeviceClaimsCount, +IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, +IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, +IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFileEx( +IN HANDLE FileHandle, +IN ULONG Flags, +IN PVOID Parameters, +IN ULONG ParametersSize, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushInstallUILanguage( +IN LANGID InstallUILanguage, +IN ULONG SetComittedFlag); + +EXTERN_C NTSTATUS Sw3NtFlushInstructionCache( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtFlushKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtFlushProcessWriteBuffers(); + +EXTERN_C NTSTATUS Sw3NtFlushVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN OUT PULONG RegionSize, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushWriteBuffer(); + +EXTERN_C NTSTATUS Sw3NtFreeUserPhysicalPages( +IN HANDLE ProcessHandle, +IN OUT PULONG NumberOfPages, +IN PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtFreezeRegistry( +IN ULONG TimeOutInSeconds); + +EXTERN_C NTSTATUS Sw3NtFreezeTransactions( +IN PLARGE_INTEGER FreezeTimeout, +IN PLARGE_INTEGER ThawTimeout); + +EXTERN_C NTSTATUS Sw3NtGetCachedSigningLevel( +IN HANDLE File, +OUT PULONG Flags, +OUT PSE_SIGNING_LEVEL SigningLevel, +OUT PUCHAR Thumbprint OPTIONAL, +IN OUT PULONG ThumbprintSize OPTIONAL, +OUT PULONG ThumbprintAlgorithm OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetCompleteWnfStateSubscription( +IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, +IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, +IN ULONG OldDescriptorEventMask OPTIONAL, +IN ULONG OldDescriptorStatus OPTIONAL, +OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, +IN ULONG DescriptorSize); + +EXTERN_C NTSTATUS Sw3NtGetContextThread( +IN HANDLE ThreadHandle, +IN OUT PCONTEXT ThreadContext); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumber(); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumberEx( +OUT PULONG ProcNumber OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetDevicePowerState( +IN HANDLE Device, +OUT PDEVICE_POWER_STATE State); + +EXTERN_C NTSTATUS Sw3NtGetMUIRegistryInfo( +IN ULONG Flags, +IN OUT PULONG DataSize, +OUT PVOID SystemData); + +EXTERN_C NTSTATUS Sw3NtGetNextProcess( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Flags, +OUT PHANDLE NewProcessHandle); + +EXTERN_C NTSTATUS Sw3NtGetNextThread( +IN HANDLE ProcessHandle, +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Flags, +OUT PHANDLE NewThreadHandle); + +EXTERN_C NTSTATUS Sw3NtGetNlsSectionPtr( +IN ULONG SectionType, +IN ULONG SectionData, +IN PVOID ContextData, +OUT PVOID SectionPointer, +OUT PULONG SectionSize); + +EXTERN_C NTSTATUS Sw3NtGetNotificationResourceManager( +IN HANDLE ResourceManagerHandle, +OUT PTRANSACTION_NOTIFICATION TransactionNotification, +IN ULONG NotificationLength, +IN PLARGE_INTEGER Timeout OPTIONAL, +OUT PULONG ReturnLength OPTIONAL, +IN ULONG Asynchronous, +IN ULONG AsynchronousContext OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetWriteWatch( +IN HANDLE ProcessHandle, +IN ULONG Flags, +IN PVOID BaseAddress, +IN ULONG RegionSize, +OUT PULONG UserAddressArray, +IN OUT PULONG EntriesInUserAddressArray, +OUT PULONG Granularity); + +EXTERN_C NTSTATUS Sw3NtImpersonateAnonymousToken( +IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtImpersonateThread( +IN HANDLE ServerThreadHandle, +IN HANDLE ClientThreadHandle, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +EXTERN_C NTSTATUS Sw3NtInitializeEnclave( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID EnclaveInformation, +IN ULONG EnclaveInformationLength, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtInitializeNlsFiles( +OUT PVOID BaseAddress, +OUT PLCID DefaultLocaleId, +OUT PLARGE_INTEGER DefaultCasingTableSize); + +EXTERN_C NTSTATUS Sw3NtInitializeRegistry( +IN USHORT BootCondition); + +EXTERN_C NTSTATUS Sw3NtInitiatePowerAction( +IN POWER_ACTION SystemAction, +IN SYSTEM_POWER_STATE LightestSystemState, +IN ULONG Flags, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtIsSystemResumeAutomatic(); + +EXTERN_C NTSTATUS Sw3NtIsUILanguageComitted(); + +EXTERN_C NTSTATUS Sw3NtListenPort( +IN HANDLE PortHandle, +OUT PPORT_MESSAGE ConnectionRequest); + +EXTERN_C NTSTATUS Sw3NtLoadDriver( +IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtLoadEnclaveData( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID Buffer, +IN SIZE_T BufferSize, +IN ULONG Protect, +IN PVOID PageInformation, +IN ULONG PageInformationLength, +OUT PSIZE_T NumberOfBytesWritten OPTIONAL, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLoadHotPatch( +IN PUNICODE_STRING HotPatchName, +IN ULONG LoadFlag); + +EXTERN_C NTSTATUS Sw3NtLoadKey( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile); + +EXTERN_C NTSTATUS Sw3NtLoadKey2( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtLoadKeyEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile, +IN ULONG Flags, +IN HANDLE TrustClassKey OPTIONAL, +IN HANDLE Event OPTIONAL, +IN ACCESS_MASK DesiredAccess OPTIONAL, +OUT PHANDLE RootHandle OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PULARGE_INTEGER ByteOffset, +IN PULARGE_INTEGER Length, +IN ULONG Key, +IN BOOLEAN FailImmediately, +IN BOOLEAN ExclusiveLock); + +EXTERN_C NTSTATUS Sw3NtLockProductActivationKeys( +IN OUT PULONG pPrivateVer OPTIONAL, +OUT PULONG pSafeMode OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockRegistryKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtLockVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PULONG RegionSize, +IN ULONG MapType); + +EXTERN_C NTSTATUS Sw3NtMakePermanentObject( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtMakeTemporaryObject( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtManagePartition( +IN HANDLE TargetHandle, +IN HANDLE SourceHandle, +IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, +IN OUT PVOID PartitionInformation, +IN ULONG PartitionInformationLength); + +EXTERN_C NTSTATUS Sw3NtMapCMFModule( +IN ULONG What, +IN ULONG Index, +OUT PULONG CacheIndexOut OPTIONAL, +OUT PULONG CacheFlagsOut OPTIONAL, +OUT PULONG ViewSizeOut OPTIONAL, +OUT PVOID BaseAddress OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPages( +IN PVOID VirtualAddress, +IN PULONG NumberOfPages, +IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSectionEx( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PLARGE_INTEGER SectionOffset, +IN OUT PPVOID BaseAddress, +IN OUT PSIZE_T ViewSize, +IN ULONG AllocationType, +IN ULONG Protect, +IN OUT PVOID DataBuffer OPTIONAL, +IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtModifyBootEntry( +IN PBOOT_ENTRY BootEntry); + +EXTERN_C NTSTATUS Sw3NtModifyDriverEntry( +IN PEFI_DRIVER_ENTRY DriverEntry); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_NOTIFY_INFORMATION Buffer, +IN ULONG Length, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFileEx( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID Buffer, +IN ULONG Length, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeKey( +IN HANDLE KeyHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +OUT PVOID Buffer OPTIONAL, +IN ULONG BufferSize, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeMultipleKeys( +IN HANDLE MasterKeyHandle, +IN ULONG Count OPTIONAL, +IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +OUT PVOID Buffer OPTIONAL, +IN ULONG BufferSize, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeSession( +IN HANDLE SessionHandle, +IN ULONG ChangeSequenceNumber, +IN PLARGE_INTEGER ChangeTimeStamp, +IN IO_SESSION_EVENT Event, +IN IO_SESSION_STATE NewState, +IN IO_SESSION_STATE PreviousState, +IN PVOID Payload OPTIONAL, +IN ULONG PayloadSize); + +EXTERN_C NTSTATUS Sw3NtOpenEnlistment( +OUT PHANDLE EnlistmentHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE ResourceManagerHandle, +IN LPGUID EnlistmentGuid, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEventPair( +OUT PHANDLE EventPairHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenIoCompletion( +OUT PHANDLE IoCompletionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenJobObject( +OUT PHANDLE JobHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenKeyEx( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransacted( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransactedEx( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG OpenOptions, +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyedEvent( +OUT PHANDLE KeyedEventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN ACCESS_MASK GrantedAccess, +IN PPRIVILEGE_SET Privileges OPTIONAL, +IN BOOLEAN ObjectCreation, +IN BOOLEAN AccessGranted, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtOpenPartition( +OUT PHANDLE PartitionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenPrivateNamespace( +OUT PHANDLE NamespaceHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtOpenProcessToken( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenRegistryTransaction( +OUT PHANDLE RegistryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenResourceManager( +OUT PHANDLE ResourceManagerHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE TmHandle, +IN LPGUID ResourceManagerGuid OPTIONAL, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSemaphore( +OUT PHANDLE SemaphoreHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSession( +OUT PHANDLE SessionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSymbolicLinkObject( +OUT PHANDLE LinkHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenThread( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenTransaction( +OUT PHANDLE TransactionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN LPGUID Uow, +IN HANDLE TmHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTransactionManager( +OUT PHANDLE TmHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PUNICODE_STRING LogFileName OPTIONAL, +IN LPGUID TmIdentity OPTIONAL, +IN ULONG OpenOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPlugPlayControl( +IN PLUGPLAY_CONTROL_CLASS PnPControlClass, +IN OUT PVOID PnPControlData, +IN ULONG PnPControlDataLength); + +EXTERN_C NTSTATUS Sw3NtPrePrepareComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrePrepareEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrivilegeCheck( +IN HANDLE ClientToken, +IN OUT PPRIVILEGE_SET RequiredPrivileges, +OUT PBOOLEAN Result); + +EXTERN_C NTSTATUS Sw3NtPrivilegeObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN PPRIVILEGE_SET Privileges, +IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPrivilegedServiceAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PUNICODE_STRING ServiceName, +IN HANDLE ClientToken, +IN PPRIVILEGE_SET Privileges, +IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPropagationComplete( +IN HANDLE ResourceManagerHandle, +IN ULONG RequestCookie, +IN ULONG BufferLength, +IN PVOID Buffer); + +EXTERN_C NTSTATUS Sw3NtPropagationFailed( +IN HANDLE ResourceManagerHandle, +IN ULONG RequestCookie, +IN NTSTATUS PropStatus); + +EXTERN_C NTSTATUS Sw3NtPulseEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryAuxiliaryCounterFrequency( +OUT PULONGLONG lpAuxiliaryCounterFrequency); + +EXTERN_C NTSTATUS Sw3NtQueryBootEntryOrder( +OUT PULONG Ids OPTIONAL, +IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryBootOptions( +OUT PBOOT_OPTIONS BootOptions OPTIONAL, +IN OUT PULONG BootOptionsLength); + +EXTERN_C NTSTATUS Sw3NtQueryDebugFilterState( +IN ULONG ComponentId, +IN ULONG Level); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFileEx( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass, +IN ULONG QueryFlags, +IN PUNICODE_STRING FileName OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryObject( +IN HANDLE DirectoryHandle, +OUT PVOID Buffer OPTIONAL, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN BOOLEAN RestartScan, +IN OUT PULONG Context, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDriverEntryOrder( +IN PULONG Ids OPTIONAL, +IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryEaFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_FULL_EA_INFORMATION Buffer, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, +IN ULONG EaListLength, +IN PULONG EaIndex OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQueryFullAttributesFile( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtQueryInformationAtom( +IN USHORT Atom, +IN ATOM_INFORMATION_CLASS AtomInformationClass, +OUT PVOID AtomInformation, +IN ULONG AtomInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationByName( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtQueryInformationEnlistment( +IN HANDLE EnlistmentHandle, +IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, +OUT PVOID EnlistmentInformation, +IN ULONG EnlistmentInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationJobObject( +IN HANDLE JobHandle, +IN JOBOBJECTINFOCLASS JobObjectInformationClass, +OUT PVOID JobObjectInformation, +IN ULONG JobObjectInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationPort( +IN HANDLE PortHandle, +IN PORT_INFORMATION_CLASS PortInformationClass, +OUT PVOID PortInformation, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationResourceManager( +IN HANDLE ResourceManagerHandle, +IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, +OUT PVOID ResourceManagerInformation, +IN ULONG ResourceManagerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransaction( +IN HANDLE TransactionHandle, +IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, +OUT PVOID TransactionInformation, +IN ULONG TransactionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransactionManager( +IN HANDLE TransactionManagerHandle, +IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, +OUT PVOID TransactionManagerInformation, +IN ULONG TransactionManagerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, +OUT PVOID WorkerFactoryInformation, +IN ULONG WorkerFactoryInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInstallUILanguage( +OUT PLANGID InstallUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueryIntervalProfile( +IN KPROFILE_SOURCE ProfileSource, +OUT PULONG Interval); + +EXTERN_C NTSTATUS Sw3NtQueryIoCompletion( +IN HANDLE IoCompletionHandle, +IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, +OUT PVOID IoCompletionInformation, +IN ULONG IoCompletionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryLicenseValue( +IN PUNICODE_STRING ValueName, +OUT PULONG Type OPTIONAL, +OUT PVOID SystemData OPTIONAL, +IN ULONG DataSize, +OUT PULONG ResultDataSize); + +EXTERN_C NTSTATUS Sw3NtQueryMultipleValueKey( +IN HANDLE KeyHandle, +IN OUT PKEY_VALUE_ENTRY ValueEntries, +IN ULONG EntryCount, +OUT PVOID ValueBuffer, +IN PULONG BufferLength, +OUT PULONG RequiredBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryMutant( +IN HANDLE MutantHandle, +IN MUTANT_INFORMATION_CLASS MutantInformationClass, +OUT PVOID MutantInformation, +IN ULONG MutantInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeys( +IN POBJECT_ATTRIBUTES TargetKey, +OUT PULONG HandleCount); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeysEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN ULONG BufferLength, +OUT PVOID Buffer, +OUT PULONG RequiredSize); + +EXTERN_C NTSTATUS Sw3NtQueryPortInformationProcess(); + +EXTERN_C NTSTATUS Sw3NtQueryQuotaInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_USER_QUOTA_INFORMATION Buffer, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, +IN ULONG SidListLength, +IN PSID StartSid OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityAttributesToken( +IN HANDLE TokenHandle, +IN PUNICODE_STRING Attributes OPTIONAL, +IN ULONG NumberOfAttributes, +OUT PVOID Buffer, +IN ULONG Length, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityObject( +IN HANDLE Handle, +IN SECURITY_INFORMATION SecurityInformation, +OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, +IN ULONG Length, +OUT PULONG LengthNeeded); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityPolicy( +IN ULONG_PTR UnknownParameter1, +IN ULONG_PTR UnknownParameter2, +IN ULONG_PTR UnknownParameter3, +IN ULONG_PTR UnknownParameter4, +IN ULONG_PTR UnknownParameter5, +IN ULONG_PTR UnknownParameter6); + +EXTERN_C NTSTATUS Sw3NtQuerySemaphore( +IN HANDLE SemaphoreHandle, +IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, +OUT PVOID SemaphoreInformation, +IN ULONG SemaphoreInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySymbolicLinkObject( +IN HANDLE LinkHandle, +IN OUT PUNICODE_STRING LinkTarget, +OUT PULONG ReturnedLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValue( +IN PUNICODE_STRING VariableName, +OUT PVOID VariableValue, +IN ULONG ValueLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValueEx( +IN PUNICODE_STRING VariableName, +IN LPGUID VendorGuid, +OUT PVOID Value OPTIONAL, +IN OUT PULONG ValueLength, +OUT PULONG Attributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformationEx( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN PVOID InputBuffer, +IN ULONG InputBufferLength, +OUT PVOID SystemInformation OPTIONAL, +IN ULONG SystemInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryTimerResolution( +OUT PULONG MaximumTime, +OUT PULONG MinimumTime, +OUT PULONG CurrentTime); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN PVOID ExplicitScope OPTIONAL, +OUT PWNF_CHANGE_STAMP ChangeStamp, +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferSize); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateNameInformation( +IN PCWNF_STATE_NAME StateName, +IN PCWNF_TYPE_ID NameInfoClass, +IN PVOID ExplicitScope OPTIONAL, +OUT PVOID InfoBuffer, +IN ULONG InfoBufferSize); + +EXTERN_C NTSTATUS Sw3NtQueueApcThreadEx( +IN HANDLE ThreadHandle, +IN HANDLE UserApcReserveHandle OPTIONAL, +IN PKNORMAL_ROUTINE ApcRoutine, +IN PVOID ApcArgument1 OPTIONAL, +IN PVOID ApcArgument2 OPTIONAL, +IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRaiseException( +IN PEXCEPTION_RECORD ExceptionRecord, +IN PCONTEXT ContextRecord, +IN BOOLEAN FirstChance); + +EXTERN_C NTSTATUS Sw3NtRaiseHardError( +IN NTSTATUS ErrorStatus, +IN ULONG NumberOfParameters, +IN ULONG UnicodeStringParameterMask, +IN PULONG_PTR Parameters, +IN ULONG ValidResponseOptions, +OUT PULONG Response); + +EXTERN_C NTSTATUS Sw3NtReadOnlyEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverEnlistment( +IN HANDLE EnlistmentHandle, +IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverResourceManager( +IN HANDLE ResourceManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRecoverTransactionManager( +IN HANDLE TransactionManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRegisterProtocolAddressInformation( +IN HANDLE ResourceManager, +IN LPGUID ProtocolId, +IN ULONG ProtocolInformationSize, +IN PVOID ProtocolInformation, +IN ULONG CreateOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRegisterThreadTerminatePort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtReleaseKeyedEvent( +IN HANDLE KeyedEventHandle, +IN PVOID KeyValue, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseWorkerFactoryWorker( +IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletionEx( +IN HANDLE IoCompletionHandle, +OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, +IN ULONG Count, +OUT PULONG NumEntriesRemoved, +IN PLARGE_INTEGER Timeout OPTIONAL, +IN BOOLEAN Alertable); + +EXTERN_C NTSTATUS Sw3NtRemoveProcessDebug( +IN HANDLE ProcessHandle, +IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtRenameKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING NewName); + +EXTERN_C NTSTATUS Sw3NtRenameTransactionManager( +IN PUNICODE_STRING LogFileName, +IN LPGUID ExistingTransactionManagerGuid); + +EXTERN_C NTSTATUS Sw3NtReplaceKey( +IN POBJECT_ATTRIBUTES NewFile, +IN HANDLE TargetHandle, +IN POBJECT_ATTRIBUTES OldFile); + +EXTERN_C NTSTATUS Sw3NtReplacePartitionUnit( +IN PUNICODE_STRING TargetInstancePath, +IN PUNICODE_STRING SpareInstancePath, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReplyPort( +IN HANDLE PortHandle, +IN OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtRequestPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE RequestMessage); + +EXTERN_C NTSTATUS Sw3NtResetEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResetWriteWatch( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN ULONG RegionSize); + +EXTERN_C NTSTATUS Sw3NtRestoreKey( +IN HANDLE KeyHandle, +IN HANDLE FileHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtResumeProcess( +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtRevertContainerImpersonation(); + +EXTERN_C NTSTATUS Sw3NtRollbackComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackRegistryTransaction( +IN HANDLE RegistryHandle, +IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtRollbackTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtRollforwardTransactionManager( +IN HANDLE TransactionManagerHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSaveKey( +IN HANDLE KeyHandle, +IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSaveKeyEx( +IN HANDLE KeyHandle, +IN HANDLE FileHandle, +IN ULONG Format); + +EXTERN_C NTSTATUS Sw3NtSaveMergedKeys( +IN HANDLE HighPrecedenceKeyHandle, +IN HANDLE LowPrecedenceKeyHandle, +IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSecureConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, +IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, +IN PSID RequiredServerSid OPTIONAL, +IN OUT PPORT_SECTION_READ ServerView OPTIONAL, +OUT PULONG MaxMessageLength OPTIONAL, +IN OUT PVOID ConnectionInformation OPTIONAL, +IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSerializeBoot(); + +EXTERN_C NTSTATUS Sw3NtSetBootEntryOrder( +IN PULONG Ids, +IN ULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetBootOptions( +IN PBOOT_OPTIONS BootOptions, +IN ULONG FieldsToChange); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel( +IN ULONG Flags, +IN SE_SIGNING_LEVEL InputSigningLevel, +IN PHANDLE SourceFiles, +IN ULONG SourceFileCount, +IN HANDLE TargetFile OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel2( +IN ULONG Flags, +IN ULONG InputSigningLevel, +IN PHANDLE SourceFiles, +IN ULONG SourceFileCount, +IN HANDLE TargetFile OPTIONAL, +IN PVOID LevelInformation OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetContextThread( +IN HANDLE ThreadHandle, +IN PCONTEXT Context); + +EXTERN_C NTSTATUS Sw3NtSetDebugFilterState( +IN ULONG ComponentId, +IN ULONG Level, +IN BOOLEAN State); + +EXTERN_C NTSTATUS Sw3NtSetDefaultHardErrorPort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtSetDefaultLocale( +IN BOOLEAN UserProfile, +IN LCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtSetDefaultUILanguage( +IN LANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtSetDriverEntryOrder( +IN PULONG Ids, +IN PULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetEaFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_FULL_EA_INFORMATION EaBuffer, +IN ULONG EaBufferSize); + +EXTERN_C NTSTATUS Sw3NtSetHighEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetHighWaitLowEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetIRTimer( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationDebugObject( +IN HANDLE DebugObject, +IN DEBUGOBJECTINFOCLASS InformationClass, +IN PVOID Information, +IN ULONG InformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationEnlistment( +IN HANDLE EnlistmentHandle, +IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, +IN PVOID EnlistmentInformation, +IN ULONG EnlistmentInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationJobObject( +IN HANDLE JobHandle, +IN JOBOBJECTINFOCLASS JobObjectInformationClass, +IN PVOID JobObjectInformation, +IN ULONG JobObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationKey( +IN HANDLE KeyHandle, +IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, +IN PVOID KeySetInformation, +IN ULONG KeySetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationResourceManager( +IN HANDLE ResourceManagerHandle, +IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, +IN PVOID ResourceManagerInformation, +IN ULONG ResourceManagerInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationSymbolicLink( +IN HANDLE Handle, +IN ULONG Class, +IN PVOID Buffer, +IN ULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationToken( +IN HANDLE TokenHandle, +IN TOKEN_INFORMATION_CLASS TokenInformationClass, +IN PVOID TokenInformation, +IN ULONG TokenInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransaction( +IN HANDLE TransactionHandle, +IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, +IN PVOID TransactionInformation, +IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransactionManager( +IN HANDLE TransactionHandle, +IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, +IN PVOID TransactionInformation, +IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationVirtualMemory( +IN HANDLE ProcessHandle, +IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, +IN ULONG_PTR NumberOfEntries, +IN PMEMORY_RANGE_ENTRY VirtualAddresses, +IN PVOID VmInformation, +IN ULONG VmInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, +IN PVOID WorkerFactoryInformation, +IN ULONG WorkerFactoryInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetIntervalProfile( +IN ULONG Interval, +IN KPROFILE_SOURCE Source); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletion( +IN HANDLE IoCompletionHandle, +IN ULONG CompletionKey, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN NTSTATUS CompletionStatus, +IN ULONG NumberOfBytesTransfered); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletionEx( +IN HANDLE IoCompletionHandle, +IN HANDLE IoCompletionPacketHandle, +IN PVOID KeyContext OPTIONAL, +IN PVOID ApcContext OPTIONAL, +IN NTSTATUS IoStatus, +IN ULONG_PTR IoStatusInformation); + +EXTERN_C NTSTATUS Sw3NtSetLdtEntries( +IN ULONG Selector0, +IN ULONG Entry0Low, +IN ULONG Entry0Hi, +IN ULONG Selector1, +IN ULONG Entry1Low, +IN ULONG Entry1Hi); + +EXTERN_C NTSTATUS Sw3NtSetLowEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetLowWaitHighEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetQuotaInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_USER_QUOTA_INFORMATION Buffer, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtSetSecurityObject( +IN HANDLE ObjectHandle, +IN SECURITY_INFORMATION SecurityInformationClass, +IN PSECURITY_DESCRIPTOR DescriptorBuffer); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValue( +IN PUNICODE_STRING VariableName, +IN PUNICODE_STRING Value); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValueEx( +IN PUNICODE_STRING VariableName, +IN LPGUID VendorGuid, +IN PVOID Value OPTIONAL, +IN ULONG ValueLength, +IN ULONG Attributes); + +EXTERN_C NTSTATUS Sw3NtSetSystemInformation( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN PVOID SystemInformation, +IN ULONG SystemInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetSystemPowerState( +IN POWER_ACTION SystemAction, +IN SYSTEM_POWER_STATE MinSystemState, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtSetSystemTime( +IN PLARGE_INTEGER SystemTime, +OUT PLARGE_INTEGER PreviousTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetThreadExecutionState( +IN EXECUTION_STATE ExecutionState, +OUT PEXECUTION_STATE PreviousExecutionState); + +EXTERN_C NTSTATUS Sw3NtSetTimer2( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime, +IN PLARGE_INTEGER Period OPTIONAL, +IN PT2_SET_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtSetTimerEx( +IN HANDLE TimerHandle, +IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, +IN OUT PVOID TimerSetInformation OPTIONAL, +IN ULONG TimerSetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetTimerResolution( +IN ULONG DesiredResolution, +IN BOOLEAN SetResolution, +OUT PULONG CurrentResolution); + +EXTERN_C NTSTATUS Sw3NtSetUuidSeed( +IN PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtSetVolumeInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileSystemInformation, +IN ULONG Length, +IN FSINFOCLASS FileSystemInformationClass); + +EXTERN_C NTSTATUS Sw3NtSetWnfProcessNotificationEvent( +IN HANDLE NotificationEvent); + +EXTERN_C NTSTATUS Sw3NtShutdownSystem( +IN SHUTDOWN_ACTION Action); + +EXTERN_C NTSTATUS Sw3NtShutdownWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN OUT PLONG PendingWorkerCount); + +EXTERN_C NTSTATUS Sw3NtSignalAndWaitForSingleObject( +IN HANDLE hObjectToSignal, +IN HANDLE hObjectToWaitOn, +IN BOOLEAN bAlertable, +IN PLARGE_INTEGER dwMilliseconds OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSinglePhaseReject( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtStartProfile( +IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtStopProfile( +IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtSubscribeWnfStateChange( +IN PCWNF_STATE_NAME StateName, +IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, +IN ULONG EventMask, +OUT PLARGE_INTEGER SubscriptionId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSuspendProcess( +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtSuspendThread( +IN HANDLE ThreadHandle, +OUT PULONG PreviousSuspendCount); + +EXTERN_C NTSTATUS Sw3NtSystemDebugControl( +IN DEBUG_CONTROL_CODE Command, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateEnclave( +IN PVOID BaseAddress, +IN BOOLEAN WaitForThread); + +EXTERN_C NTSTATUS Sw3NtTerminateJobObject( +IN HANDLE JobHandle, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtTestAlert(); + +EXTERN_C NTSTATUS Sw3NtThawRegistry(); + +EXTERN_C NTSTATUS Sw3NtThawTransactions(); + +EXTERN_C NTSTATUS Sw3NtTraceControl( +IN ULONG FunctionCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtTranslateFilePath( +IN PFILE_PATH InputFilePath, +IN ULONG OutputType, +OUT PFILE_PATH OutputFilePath OPTIONAL, +IN OUT PULONG OutputFilePathLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUmsThreadYield( +IN PVOID SchedulerParam); + +EXTERN_C NTSTATUS Sw3NtUnloadDriver( +IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey( +IN POBJECT_ATTRIBUTES DestinationKeyName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey2( +IN POBJECT_ATTRIBUTES TargetKey, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnloadKeyEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN HANDLE Event OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUnlockFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PULARGE_INTEGER ByteOffset, +IN PULARGE_INTEGER Length, +IN ULONG Key); + +EXTERN_C NTSTATUS Sw3NtUnlockVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID * BaseAddress, +IN PSIZE_T NumberOfBytesToUnlock, +IN ULONG LockType); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSectionEx( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnsubscribeWnfStateChange( +IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtUpdateWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PVOID Buffer OPTIONAL, +IN ULONG Length OPTIONAL, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN PVOID ExplicitScope OPTIONAL, +IN WNF_CHANGE_STAMP MatchingChangeStamp, +IN ULONG CheckStamp); + +EXTERN_C NTSTATUS Sw3NtVdmControl( +IN VDMSERVICECLASS Service, +IN OUT PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtWaitForAlertByThreadId( +IN HANDLE Handle, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForDebugEvent( +IN HANDLE DebugObjectHandle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL, +OUT PVOID WaitStateChange); + +EXTERN_C NTSTATUS Sw3NtWaitForKeyedEvent( +IN HANDLE KeyedEventHandle, +IN PVOID Key, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForWorkViaWorkerFactory( +IN HANDLE WorkerFactoryHandle, +OUT PVOID MiniPacket); + +EXTERN_C NTSTATUS Sw3NtWaitHighEventPair( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtWaitLowEventPair( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtAcquireCMFViewOwnership( +OUT BOOLEAN TimeStamp, +OUT BOOLEAN TokenTaken, +IN BOOLEAN ReplaceExisting); + +EXTERN_C NTSTATUS Sw3NtCancelDeviceWakeupRequest( +IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtClearAllSavepointsTransaction( +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtClearSavepointTransaction( +IN HANDLE TransactionHandle, +IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtRollbackSavepointTransaction( +IN HANDLE TransactionHandle, +IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Flag, +OUT ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointComplete( +IN HANDLE TransactionHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSectionEx( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PLARGE_INTEGER MaximumSize OPTIONAL, +IN ULONG SectionPageProtection, +IN ULONG AllocationAttributes, +IN HANDLE FileHandle OPTIONAL, +IN PMEM_EXTENDED_PARAMETER ExtendedParameters, +IN ULONG ExtendedParametersCount); + +EXTERN_C NTSTATUS Sw3NtCreateCrossVmEvent(); + +EXTERN_C NTSTATUS Sw3NtGetPlugPlayEvent( +IN HANDLE EventHandle, +IN PVOID Context OPTIONAL, +OUT PPLUGPLAY_EVENT_BLOCK EventBlock, +IN ULONG EventBufferSize); + +EXTERN_C NTSTATUS Sw3NtListTransactions(); + +EXTERN_C NTSTATUS Sw3NtMarshallTransaction(); + +EXTERN_C NTSTATUS Sw3NtPullTransaction(); + +EXTERN_C NTSTATUS Sw3NtReleaseCMFViewOwnership(); + +EXTERN_C NTSTATUS Sw3NtWaitForWnfNotifications(); + +EXTERN_C NTSTATUS Sw3NtStartTm(); + +EXTERN_C NTSTATUS Sw3NtSetInformationProcess( +IN HANDLE DeviceHandle, +IN PROCESSINFOCLASS ProcessInformationClass, +IN PVOID ProcessInformation, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtRequestDeviceWakeup( +IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtRequestWakeupLatency( +IN ULONG LatencyTime); + +EXTERN_C NTSTATUS Sw3NtQuerySystemTime( +OUT PLARGE_INTEGER SystemTime); + +EXTERN_C NTSTATUS Sw3NtManageHotPatch( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2, +IN ULONG UnknownParameter3, +IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtContinueEx( +IN PCONTEXT ContextRecord, +IN PKCONTINUE_ARGUMENT ContinueArgument); + +#endif + + + +//#define DEBUG + +#define JUMPER + +#ifdef _M_IX86 + +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) { + return (PVOID)__readfsdword(0xC0); +} + +__declspec(naked) BOOL local_is_wow64(void) +{ + __asm { + mov eax, fs:[0xc0] + test eax, eax + jne wow64 + mov eax, 0 + ret + wow64: + mov eax, 1 + ret + } +} + + +#endif + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +SW3_SYSCALL_LIST SW3_SyscallList; + +// SEARCH_AND_REPLACE +#ifdef SEARCH_AND_REPLACE +// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release +EXTERN void SearchAndReplace(unsigned char[], unsigned char[]); +#endif + +DWORD SW3_HashSyscall(PCSTR FunctionName) +{ + DWORD i = 0; + DWORD Hash = SW3_SEED; + + while (FunctionName[i]) + { + WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++); + Hash ^= PartialName + SW3_ROR8(Hash); + } + + return Hash; +} + +#ifndef JUMPER +PVOID SC_Address(PVOID NtApiAddress) +{ + return NULL; +} +#else +PVOID SC_Address(PVOID NtApiAddress) +{ + DWORD searchLimit = 512; + PVOID SyscallAddress; + + #ifdef _WIN64 + // If the process is 64-bit on a 64-bit OS, we need to search for syscall + BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 }; + ULONG distance_to_syscall = 0x12; + #else + // If the process is 32-bit on a 32-bit OS, we need to search for sysenter + BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 }; + ULONG distance_to_syscall = 0x0f; + #endif + + #ifdef _M_IX86 + // If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved + if (local_is_wow64()) + { + #ifdef DEBUG + // printf("[+] Running 32-bit app on x64 (WOW64)\n"); + #endif + return NULL; + } + #endif + + // we don't really care if there is a 'jmp' between + // NtApiAddress and the 'syscall; ret' instructions + SyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall); + + int match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // the 'syscall; ret' intructions have not been found, + // we will try to use one near it, similarly to HalosGate + + for (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++) + { + // let's try with an Nt* API below our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall + num_jumps * 0x20); + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // let's try with an Nt* API above our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall - num_jumps * 0x20); + + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + } + +#ifdef DEBUG + // printf("Syscall Opcodes not found!\n"); +#endif + + return NULL; +} +#endif + + +BOOL SW3_PopulateSyscallList() +{ + // Return early if the list is already populated. + if (SW3_SyscallList.Count) return TRUE; + + #ifdef _WIN64 + PSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60); + #else + PSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30); + #endif + PSW3_PEB_LDR_DATA Ldr = Peb->Ldr; + PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; + PVOID DllBase = NULL; + + // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second + // in the list, so it's safer to loop through the full list and find it. + PSW3_LDR_DATA_TABLE_ENTRY LdrEntry; + for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0]) + { + DllBase = LdrEntry->DllBase; + PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase; + PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew); + PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory; + DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + if (VirtualAddress == 0) continue; + + ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress); + + // If this is NTDLL.dll, exit loop. + PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name); + + if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue; + if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break; + } + + if (!ExportDirectory) return FALSE; + + DWORD NumberOfNames = ExportDirectory->NumberOfNames; + PDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions); + PDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames); + PWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals); + + // Populate SW3_SyscallList with unsorted Zw* entries. + DWORD i = 0; + PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries; + do + { + PCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]); + + // Is this a system call? + if (*(USHORT*)FunctionName == 0x775a) + { + Entries[i].Hash = SW3_HashSyscall(FunctionName); + Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]]; + Entries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address)); + + i++; + if (i == SW3_MAX_ENTRIES) break; + } + } while (--NumberOfNames); + + // Save total number of system calls found. + SW3_SyscallList.Count = i; + + // Sort the list by address in ascending order. + for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++) + { + for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++) + { + if (Entries[j].Address > Entries[j + 1].Address) + { + // Swap entries. + SW3_SYSCALL_ENTRY TempEntry; + + TempEntry.Hash = Entries[j].Hash; + TempEntry.Address = Entries[j].Address; + TempEntry.SyscallAddress = Entries[j].SyscallAddress; + + Entries[j].Hash = Entries[j + 1].Hash; + Entries[j].Address = Entries[j + 1].Address; + Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress; + + Entries[j + 1].Hash = TempEntry.Hash; + Entries[j + 1].Address = TempEntry.Address; + Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress; + } + } + } + + return TRUE; +} + +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return -1; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return i; + } + } + + return -1; +} + +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return SW3_SyscallList.Entries[i].SyscallAddress; + } + } + + return NULL; +} + +DWORD LCG() { + static DWORD seed = 123987654; + return (seed >> 16) & 0x7FFF; // return a pseudo-random number +} + +EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + DWORD index = LCG() % SW3_SyscallList.Count; + + while (FunctionHash == SW3_SyscallList.Entries[index].Hash){ + // Spoofing the syscall return address + index = LCG() % SW3_SyscallList.Count; + } + return SW3_SyscallList.Entries[index].SyscallAddress; +} + + + + +#if _WIN64 + + + + + +#define Sw3ZwAccessCheck Sw3NtAccessCheck +__asm__("Sw3NtAccessCheck: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x090BDE162 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x090BDE162 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWorkerFactoryWorkerReady Sw3NtWorkerFactoryWorkerReady +__asm__("Sw3NtWorkerFactoryWorkerReady: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B198C761 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B198C761 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcceptConnectPort Sw3NtAcceptConnectPort +__asm__("Sw3NtAcceptConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02ABE2B30 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02ABE2B30 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapUserPhysicalPagesScatter Sw3NtMapUserPhysicalPagesScatter +__asm__("Sw3NtMapUserPhysicalPagesScatter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x019A82701 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x019A82701 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForSingleObject Sw3NtWaitForSingleObject +__asm__("Sw3NtWaitForSingleObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA974ACB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA974ACB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCallbackReturn Sw3NtCallbackReturn +__asm__("Sw3NtCallbackReturn: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CA9EEB09 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CA9EEB09 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadFile Sw3NtReadFile +__asm__("Sw3NtReadFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052D55A76 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052D55A76 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeviceIoControlFile Sw3NtDeviceIoControlFile +__asm__("Sw3NtDeviceIoControlFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04AD55862 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04AD55862 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteFile Sw3NtWriteFile +__asm__("Sw3NtWriteFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E05AED2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E05AED2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveIoCompletion Sw3NtRemoveIoCompletion +__asm__("Sw3NtRemoveIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x002986257 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x002986257 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseSemaphore Sw3NtReleaseSemaphore +__asm__("Sw3NtReleaseSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F7649DAB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F7649DAB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReceivePort Sw3NtReplyWaitReceivePort +__asm__("Sw3NtReplyWaitReceivePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07AF2887C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07AF2887C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyPort Sw3NtReplyPort +__asm__("Sw3NtReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x022B42B28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x022B42B28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationThread Sw3NtSetInformationThread +__asm__("Sw3NtSetInformationThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014469558 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014469558 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEvent Sw3NtSetEvent +__asm__("Sw3NtSetEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CB6BEADD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CB6BEADD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClose Sw3NtClose +__asm__("Sw3NtClose: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0028DF4DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0028DF4DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryObject Sw3NtQueryObject +__asm__("Sw3NtQueryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03EA6CBDE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03EA6CBDE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationFile Sw3NtQueryInformationFile +__asm__("Sw3NtQueryInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0583D26E6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0583D26E6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKey Sw3NtOpenKey +__asm__("Sw3NtOpenKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02522D15D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02522D15D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateValueKey Sw3NtEnumerateValueKey +__asm__("Sw3NtEnumerateValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011958D8E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011958D8E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFindAtom Sw3NtFindAtom +__asm__("Sw3NtFindAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048DE6F0C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048DE6F0C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDefaultLocale Sw3NtQueryDefaultLocale +__asm__("Sw3NtQueryDefaultLocale: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A6AAFC1D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A6AAFC1D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryKey Sw3NtQueryKey +__asm__("Sw3NtQueryKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x095157F77 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x095157F77 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryValueKey Sw3NtQueryValueKey +__asm__("Sw3NtQueryValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00FDA326C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00FDA326C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateVirtualMemory Sw3NtAllocateVirtualMemory +__asm__("Sw3NtAllocateVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x041D23933 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x041D23933 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationProcess Sw3NtQueryInformationProcess +__asm__("Sw3NtQueryInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08F3D6E50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08F3D6E50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForMultipleObjects32 Sw3NtWaitForMultipleObjects32 +__asm__("Sw3NtWaitForMultipleObjects32: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0102CEE619 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0102CEE619 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteFileGather Sw3NtWriteFileGather +__asm__("Sw3NtWriteFileGather: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AD8D79AC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AD8D79AC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKey Sw3NtCreateKey +__asm__("Sw3NtCreateKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AAED834C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AAED834C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreeVirtualMemory Sw3NtFreeVirtualMemory +__asm__("Sw3NtFreeVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CF4F2620 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CF4F2620 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateClientOfPort Sw3NtImpersonateClientOfPort +__asm__("Sw3NtImpersonateClientOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06EF76164 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06EF76164 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseMutant Sw3NtReleaseMutant +__asm__("Sw3NtReleaseMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03ED41482 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03ED41482 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationToken Sw3NtQueryInformationToken +__asm__("Sw3NtQueryInformationToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B92515E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B92515E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestWaitReplyPort Sw3NtRequestWaitReplyPort +__asm__("Sw3NtRequestWaitReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AB04F60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AB04F60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryVirtualMemory Sw3NtQueryVirtualMemory +__asm__("Sw3NtQueryVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C455F4EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C455F4EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThreadToken Sw3NtOpenThreadToken +__asm__("Sw3NtOpenThreadToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FCA9D433 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FCA9D433 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationThread Sw3NtQueryInformationThread +__asm__("Sw3NtQueryInformationThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AB45A1F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AB45A1F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcess Sw3NtOpenProcess +__asm__("Sw3NtOpenProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00FA30E32 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00FA30E32 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationFile Sw3NtSetInformationFile +__asm__("Sw3NtSetInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E3D831EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E3D831EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapViewOfSection Sw3NtMapViewOfSection +__asm__("Sw3NtMapViewOfSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034AD1A31 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034AD1A31 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckAndAuditAlarm Sw3NtAccessCheckAndAuditAlarm +__asm__("Sw3NtAccessCheckAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0923C6C70 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0923C6C70 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnmapViewOfSection Sw3NtUnmapViewOfSection +__asm__("Sw3NtUnmapViewOfSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C343EA5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C343EA5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReceivePortEx Sw3NtReplyWaitReceivePortEx +__asm__("Sw3NtReplyWaitReceivePortEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0608F3450 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0608F3450 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateProcess Sw3NtTerminateProcess +__asm__("Sw3NtTerminateProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FDA3163F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FDA3163F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEventBoostPriority Sw3NtSetEventBoostPriority +__asm__("Sw3NtSetEventBoostPriority: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02C9C407A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02C9C407A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadFileScatter Sw3NtReadFileScatter +__asm__("Sw3NtReadFileScatter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C3B0CE2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C3B0CE2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThreadTokenEx Sw3NtOpenThreadTokenEx +__asm__("Sw3NtOpenThreadTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02A9BE5CD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02A9BE5CD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcessTokenEx Sw3NtOpenProcessTokenEx +__asm__("Sw3NtOpenProcessTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0091E59C7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0091E59C7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryPerformanceCounter Sw3NtQueryPerformanceCounter +__asm__("Sw3NtQueryPerformanceCounter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BB0FC18B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BB0FC18B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateKey Sw3NtEnumerateKey +__asm__("Sw3NtEnumerateKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01F997A62 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01F997A62 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenFile Sw3NtOpenFile +__asm__("Sw3NtOpenFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054C29D70 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054C29D70 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDelayExecution Sw3NtDelayExecution +__asm__("Sw3NtDelayExecution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C950239 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C950239 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryFile Sw3NtQueryDirectoryFile +__asm__("Sw3NtQueryDirectoryFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x023B4CD31 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x023B4CD31 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemInformation Sw3NtQuerySystemInformation +__asm__("Sw3NtQuerySystemInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00E6A1681 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00E6A1681 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSection Sw3NtOpenSection +__asm__("Sw3NtOpenSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D30CD39E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D30CD39E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryTimer Sw3NtQueryTimer +__asm__("Sw3NtQueryTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E44735E4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E44735E4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFsControlFile Sw3NtFsControlFile +__asm__("Sw3NtFsControlFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x050DFC2E8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x050DFC2E8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteVirtualMemory Sw3NtWriteVirtualMemory +__asm__("Sw3NtWriteVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00992F8FD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00992F8FD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCloseObjectAuditAlarm Sw3NtCloseObjectAuditAlarm +__asm__("Sw3NtCloseObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FE3CF8A8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FE3CF8A8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDuplicateObject Sw3NtDuplicateObject +__asm__("Sw3NtDuplicateObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A155AD8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A155AD8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryAttributesFile Sw3NtQueryAttributesFile +__asm__("Sw3NtQueryAttributesFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C6FC32EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C6FC32EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearEvent Sw3NtClearEvent +__asm__("Sw3NtClearEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03CA6232C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03CA6232C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadVirtualMemory Sw3NtReadVirtualMemory +__asm__("Sw3NtReadVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x003971B07 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x003971B07 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEvent Sw3NtOpenEvent +__asm__("Sw3NtOpenEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0973F90AD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0973F90AD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustPrivilegesToken Sw3NtAdjustPrivilegesToken +__asm__("Sw3NtAdjustPrivilegesToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F3D6C176 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F3D6C176 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDuplicateToken Sw3NtDuplicateToken +__asm__("Sw3NtDuplicateToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B5918530 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B5918530 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwContinue Sw3NtContinue +__asm__("Sw3NtContinue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C2B521F9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C2B521F9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDefaultUILanguage Sw3NtQueryDefaultUILanguage +__asm__("Sw3NtQueryDefaultUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0358BF32A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0358BF32A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueueApcThread Sw3NtQueueApcThread +__asm__("Sw3NtQueueApcThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C897152E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C897152E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwYieldExecution Sw3NtYieldExecution +__asm__("Sw3NtYieldExecution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C8A3CA33 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C8A3CA33 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddAtom Sw3NtAddAtom +__asm__("Sw3NtAddAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054C15D50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054C15D50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEvent Sw3NtCreateEvent +__asm__("Sw3NtCreateEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0014C04C4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0014C04C4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryVolumeInformationFile Sw3NtQueryVolumeInformationFile +__asm__("Sw3NtQueryVolumeInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D949BA4D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D949BA4D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSection Sw3NtCreateSection +__asm__("Sw3NtCreateSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0128C3419 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0128C3419 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushBuffersFile Sw3NtFlushBuffersFile +__asm__("Sw3NtFlushBuffersFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x038B8FF1A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x038B8FF1A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwApphelpCacheControl Sw3NtApphelpCacheControl +__asm__("Sw3NtApphelpCacheControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E38CFC0F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E38CFC0F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProcessEx Sw3NtCreateProcessEx +__asm__("Sw3NtCreateProcessEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x015EB5512 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x015EB5512 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateThread Sw3NtCreateThread +__asm__("Sw3NtCreateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B4EDFFE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B4EDFFE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsProcessInJob Sw3NtIsProcessInJob +__asm__("Sw3NtIsProcessInJob: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02FD7D983 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02FD7D983 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwProtectVirtualMemory Sw3NtProtectVirtualMemory +__asm__("Sw3NtProtectVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03DA9534F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03DA9534F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySection Sw3NtQuerySection +__asm__("Sw3NtQuerySection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A8602873 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A8602873 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResumeThread Sw3NtResumeThread +__asm__("Sw3NtResumeThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03C85E6BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03C85E6BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateThread Sw3NtTerminateThread +__asm__("Sw3NtTerminateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x078DC366D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x078DC366D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadRequestData Sw3NtReadRequestData +__asm__("Sw3NtReadRequestData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x023830CCF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x023830CCF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateFile Sw3NtCreateFile +__asm__("Sw3NtCreateFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F95E1C05 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F95E1C05 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryEvent Sw3NtQueryEvent +__asm__("Sw3NtQueryEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x016830504 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x016830504 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteRequestData Sw3NtWriteRequestData +__asm__("Sw3NtWriteRequestData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0765FA36D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0765FA36D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenDirectoryObject Sw3NtOpenDirectoryObject +__asm__("Sw3NtOpenDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0203E2EA3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0203E2EA3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeAndAuditAlarm Sw3NtAccessCheckByTypeAndAuditAlarm +__asm__("Sw3NtAccessCheckByTypeAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052D57480 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052D57480 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForMultipleObjects Sw3NtWaitForMultipleObjects +__asm__("Sw3NtWaitForMultipleObjects: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01BE5DFD93 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01BE5DFD93 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationObject Sw3NtSetInformationObject +__asm__("Sw3NtSetInformationObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03A150AA9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03A150AA9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelIoFile Sw3NtCancelIoFile +__asm__("Sw3NtCancelIoFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B7194803 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B7194803 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTraceEvent Sw3NtTraceEvent +__asm__("Sw3NtTraceEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010843514 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010843514 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPowerInformation Sw3NtPowerInformation +__asm__("Sw3NtPowerInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E84EE6D5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E84EE6D5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetValueKey Sw3NtSetValueKey +__asm__("Sw3NtSetValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05BE22000 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05BE22000 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelTimer Sw3NtCancelTimer +__asm__("Sw3NtCancelTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x099A2E129 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x099A2E129 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimer Sw3NtSetTimer +__asm__("Sw3NtSetTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E044CCFD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E044CCFD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByType Sw3NtAccessCheckByType +__asm__("Sw3NtAccessCheckByType: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DF07D26F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DF07D26F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultList Sw3NtAccessCheckByTypeResultList +__asm__("Sw3NtAccessCheckByTypeResultList: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02EB0C9A3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02EB0C9A3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultListAndAuditAlarm Sw3NtAccessCheckByTypeResultListAndAuditAlarm +__asm__("Sw3NtAccessCheckByTypeResultListAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09F339E5F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09F339E5F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultListAndAuditAlarmByHandle Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle +__asm__("Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0973CB876 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0973CB876 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcquireProcessActivityReference Sw3NtAcquireProcessActivityReference +__asm__("Sw3NtAcquireProcessActivityReference: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0569AADFA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0569AADFA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddAtomEx Sw3NtAddAtomEx +__asm__("Sw3NtAddAtomEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00990B594 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00990B594 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddBootEntry Sw3NtAddBootEntry +__asm__("Sw3NtAddBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x049853376 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x049853376 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddDriverEntry Sw3NtAddDriverEntry +__asm__("Sw3NtAddDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x047EB7D28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x047EB7D28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustGroupsToken Sw3NtAdjustGroupsToken +__asm__("Sw3NtAdjustGroupsToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01390DDCC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01390DDCC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustTokenClaimsAndDeviceGroups Sw3NtAdjustTokenClaimsAndDeviceGroups +__asm__("Sw3NtAdjustTokenClaimsAndDeviceGroups: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08DC0A159 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08DC0A159 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertResumeThread Sw3NtAlertResumeThread +__asm__("Sw3NtAlertResumeThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E86542F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E86542F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertThread Sw3NtAlertThread +__asm__("Sw3NtAlertThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x040E00A35 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x040E00A35 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertThreadByThreadId Sw3NtAlertThreadByThreadId +__asm__("Sw3NtAlertThreadByThreadId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x022D6DD4D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x022D6DD4D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateLocallyUniqueId Sw3NtAllocateLocallyUniqueId +__asm__("Sw3NtAllocateLocallyUniqueId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07F8B431A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07F8B431A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateReserveObject Sw3NtAllocateReserveObject +__asm__("Sw3NtAllocateReserveObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E0BF00E2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E0BF00E2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateUserPhysicalPages Sw3NtAllocateUserPhysicalPages +__asm__("Sw3NtAllocateUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A9B6BE16 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A9B6BE16 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateUuids Sw3NtAllocateUuids +__asm__("Sw3NtAllocateUuids: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AD9CDB79 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AD9CDB79 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateVirtualMemoryEx Sw3NtAllocateVirtualMemoryEx +__asm__("Sw3NtAllocateVirtualMemoryEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066E23835 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066E23835 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcAcceptConnectPort Sw3NtAlpcAcceptConnectPort +__asm__("Sw3NtAlpcAcceptConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E54CDEE3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E54CDEE3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCancelMessage Sw3NtAlpcCancelMessage +__asm__("Sw3NtAlpcCancelMessage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B111222C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B111222C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcConnectPort Sw3NtAlpcConnectPort +__asm__("Sw3NtAlpcConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x030B61AE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x030B61AE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcConnectPortEx Sw3NtAlpcConnectPortEx +__asm__("Sw3NtAlpcConnectPortEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A65FF889 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A65FF889 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreatePort Sw3NtAlpcCreatePort +__asm__("Sw3NtAlpcCreatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E870C1EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E870C1EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreatePortSection Sw3NtAlpcCreatePortSection +__asm__("Sw3NtAlpcCreatePortSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09255EA9F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09255EA9F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateResourceReserve Sw3NtAlpcCreateResourceReserve +__asm__("Sw3NtAlpcCreateResourceReserve: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0289B3A33 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0289B3A33 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateSectionView Sw3NtAlpcCreateSectionView +__asm__("Sw3NtAlpcCreateSectionView: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x092C4A77E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x092C4A77E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateSecurityContext Sw3NtAlpcCreateSecurityContext +__asm__("Sw3NtAlpcCreateSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F66FF3E6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F66FF3E6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeletePortSection Sw3NtAlpcDeletePortSection +__asm__("Sw3NtAlpcDeletePortSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A81CAD2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A81CAD2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteResourceReserve Sw3NtAlpcDeleteResourceReserve +__asm__("Sw3NtAlpcDeleteResourceReserve: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x006D95411 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x006D95411 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteSectionView Sw3NtAlpcDeleteSectionView +__asm__("Sw3NtAlpcDeleteSectionView: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0EE48D7EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0EE48D7EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteSecurityContext Sw3NtAlpcDeleteSecurityContext +__asm__("Sw3NtAlpcDeleteSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x094CC5A8D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x094CC5A8D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDisconnectPort Sw3NtAlpcDisconnectPort +__asm__("Sw3NtAlpcDisconnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E037E7BC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E037E7BC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcImpersonateClientContainerOfPort Sw3NtAlpcImpersonateClientContainerOfPort +__asm__("Sw3NtAlpcImpersonateClientContainerOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E477EFE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E477EFE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcImpersonateClientOfPort Sw3NtAlpcImpersonateClientOfPort +__asm__("Sw3NtAlpcImpersonateClientOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05CB4552A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05CB4552A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcOpenSenderProcess Sw3NtAlpcOpenSenderProcess +__asm__("Sw3NtAlpcOpenSenderProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0693F9773 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0693F9773 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcOpenSenderThread Sw3NtAlpcOpenSenderThread +__asm__("Sw3NtAlpcOpenSenderThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014884C37 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014884C37 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcQueryInformation Sw3NtAlpcQueryInformation +__asm__("Sw3NtAlpcQueryInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05CC45E55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05CC45E55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcQueryInformationMessage Sw3NtAlpcQueryInformationMessage +__asm__("Sw3NtAlpcQueryInformationMessage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x027123CAB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x027123CAB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcRevokeSecurityContext Sw3NtAlpcRevokeSecurityContext +__asm__("Sw3NtAlpcRevokeSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x016B20D3A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x016B20D3A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcSendWaitReceivePort Sw3NtAlpcSendWaitReceivePort +__asm__("Sw3NtAlpcSendWaitReceivePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ED760C6B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ED760C6B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcSetInformation Sw3NtAlpcSetInformation +__asm__("Sw3NtAlpcSetInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0178A1718 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0178A1718 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAreMappedFilesTheSame Sw3NtAreMappedFilesTheSame +__asm__("Sw3NtAreMappedFilesTheSame: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B1909816 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B1909816 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAssignProcessToJobObject Sw3NtAssignProcessToJobObject +__asm__("Sw3NtAssignProcessToJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x008946A49 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x008946A49 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAssociateWaitCompletionPacket Sw3NtAssociateWaitCompletionPacket +__asm__("Sw3NtAssociateWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07B5C01B1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07B5C01B1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCallEnclave Sw3NtCallEnclave +__asm__("Sw3NtCallEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03AAA5638 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03AAA5638 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelIoFileEx Sw3NtCancelIoFileEx +__asm__("Sw3NtCancelIoFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E51A3345 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E51A3345 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelSynchronousIoFile Sw3NtCancelSynchronousIoFile +__asm__("Sw3NtCancelSynchronousIoFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x055DC6B49 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x055DC6B49 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelTimer2 Sw3NtCancelTimer2 +__asm__("Sw3NtCancelTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B03B31EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B03B31EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelWaitCompletionPacket Sw3NtCancelWaitCompletionPacket +__asm__("Sw3NtCancelWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029AC4F7E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029AC4F7E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitComplete Sw3NtCommitComplete +__asm__("Sw3NtCommitComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04EB13672 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04EB13672 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitEnlistment Sw3NtCommitEnlistment +__asm__("Sw3NtCommitEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x033BB262D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x033BB262D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitRegistryTransaction Sw3NtCommitRegistryTransaction +__asm__("Sw3NtCommitRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E58D104 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E58D104 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitTransaction Sw3NtCommitTransaction +__asm__("Sw3NtCommitTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D8822BC6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D8822BC6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompactKeys Sw3NtCompactKeys +__asm__("Sw3NtCompactKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x059B04422 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x059B04422 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareObjects Sw3NtCompareObjects +__asm__("Sw3NtCompareObjects: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x081ADB90F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x081ADB90F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareSigningLevels Sw3NtCompareSigningLevels +__asm__("Sw3NtCompareSigningLevels: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A21BE2CE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A21BE2CE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareTokens Sw3NtCompareTokens +__asm__("Sw3NtCompareTokens: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x077D6695B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x077D6695B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompleteConnectPort Sw3NtCompleteConnectPort +__asm__("Sw3NtCompleteConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x064F16F6E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x064F16F6E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompressKey Sw3NtCompressKey +__asm__("Sw3NtCompressKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x088CD5F92 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x088CD5F92 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwConnectPort Sw3NtConnectPort +__asm__("Sw3NtConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x058F15B7E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x058F15B7E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter +__asm__("Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E7D6389A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E7D6389A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDebugObject Sw3NtCreateDebugObject +__asm__("Sw3NtCreateDebugObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00E33E64F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00E33E64F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDirectoryObject Sw3NtCreateDirectoryObject +__asm__("Sw3NtCreateDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018A42619 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018A42619 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDirectoryObjectEx Sw3NtCreateDirectoryObjectEx +__asm__("Sw3NtCreateDirectoryObjectEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B0BCC246 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B0BCC246 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEnclave Sw3NtCreateEnclave +__asm__("Sw3NtCreateEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0135CE116 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0135CE116 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEnlistment Sw3NtCreateEnlistment +__asm__("Sw3NtCreateEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x079E37869 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x079E37869 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEventPair Sw3NtCreateEventPair +__asm__("Sw3NtCreateEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01235DE6F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01235DE6F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateIRTimer Sw3NtCreateIRTimer +__asm__("Sw3NtCreateIRTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005963FDE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005963FDE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateIoCompletion Sw3NtCreateIoCompletion +__asm__("Sw3NtCreateIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F296DB8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F296DB8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateJobObject Sw3NtCreateJobObject +__asm__("Sw3NtCreateJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09655BEE9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09655BEE9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateJobSet Sw3NtCreateJobSet +__asm__("Sw3NtCreateJobSet: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00716F85D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00716F85D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKeyTransacted Sw3NtCreateKeyTransacted +__asm__("Sw3NtCreateKeyTransacted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x060BC2262 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x060BC2262 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKeyedEvent Sw3NtCreateKeyedEvent +__asm__("Sw3NtCreateKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04F0D5284 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04F0D5284 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateLowBoxToken Sw3NtCreateLowBoxToken +__asm__("Sw3NtCreateLowBoxToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01A5200DF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01A5200DF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateMailslotFile Sw3NtCreateMailslotFile +__asm__("Sw3NtCreateMailslotFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0393CB028 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0393CB028 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateMutant Sw3NtCreateMutant +__asm__("Sw3NtCreateMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D10CD69F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D10CD69F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateNamedPipeFile Sw3NtCreateNamedPipeFile +__asm__("Sw3NtCreateNamedPipeFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E5CE906 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E5CE906 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePagingFile Sw3NtCreatePagingFile +__asm__("Sw3NtCreatePagingFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E5659673 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E5659673 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePartition Sw3NtCreatePartition +__asm__("Sw3NtCreatePartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B4E678C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B4E678C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePort Sw3NtCreatePort +__asm__("Sw3NtCreatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E570FAE3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E570FAE3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePrivateNamespace Sw3NtCreatePrivateNamespace +__asm__("Sw3NtCreatePrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x017332B6A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x017332B6A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProcess Sw3NtCreateProcess +__asm__("Sw3NtCreateProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x019A80240 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x019A80240 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProfile Sw3NtCreateProfile +__asm__("Sw3NtCreateProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074B7122C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074B7122C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProfileEx Sw3NtCreateProfileEx +__asm__("Sw3NtCreateProfileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0409A1C4F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0409A1C4F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateRegistryTransaction Sw3NtCreateRegistryTransaction +__asm__("Sw3NtCreateRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC9E2602 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC9E2602 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateResourceManager Sw3NtCreateResourceManager +__asm__("Sw3NtCreateResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x035E66124 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x035E66124 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSemaphore Sw3NtCreateSemaphore +__asm__("Sw3NtCreateSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0742656EA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0742656EA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSymbolicLinkObject Sw3NtCreateSymbolicLinkObject +__asm__("Sw3NtCreateSymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010BD4667 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010BD4667 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateThreadEx Sw3NtCreateThreadEx +__asm__("Sw3NtCreateThreadEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052B396EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052B396EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTimer Sw3NtCreateTimer +__asm__("Sw3NtCreateTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07DC783AF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07DC783AF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTimer2 Sw3NtCreateTimer2 +__asm__("Sw3NtCreateTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D2BA19AC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D2BA19AC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateToken Sw3NtCreateToken +__asm__("Sw3NtCreateToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x071D583B5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x071D583B5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTokenEx Sw3NtCreateTokenEx +__asm__("Sw3NtCreateTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0786322BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0786322BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTransaction Sw3NtCreateTransaction +__asm__("Sw3NtCreateTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01774D223 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01774D223 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTransactionManager Sw3NtCreateTransactionManager +__asm__("Sw3NtCreateTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011B13D28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011B13D28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateUserProcess Sw3NtCreateUserProcess +__asm__("Sw3NtCreateUserProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E34A7BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E34A7BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWaitCompletionPacket Sw3NtCreateWaitCompletionPacket +__asm__("Sw3NtCreateWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B96399DE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B96399DE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWaitablePort Sw3NtCreateWaitablePort +__asm__("Sw3NtCreateWaitablePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A4B64F29 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A4B64F29 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWnfStateName Sw3NtCreateWnfStateName +__asm__("Sw3NtCreateWnfStateName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074924D47 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074924D47 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWorkerFactory Sw3NtCreateWorkerFactory +__asm__("Sw3NtCreateWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x001151588 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x001151588 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDebugActiveProcess Sw3NtDebugActiveProcess +__asm__("Sw3NtDebugActiveProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x025952408 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x025952408 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDebugContinue Sw3NtDebugContinue +__asm__("Sw3NtDebugContinue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D670918C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D670918C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteAtom Sw3NtDeleteAtom +__asm__("Sw3NtDeleteAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034A2D02B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034A2D02B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteBootEntry Sw3NtDeleteBootEntry +__asm__("Sw3NtDeleteBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x009841114 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x009841114 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteDriverEntry Sw3NtDeleteDriverEntry +__asm__("Sw3NtDeleteDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x003920900 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x003920900 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteFile Sw3NtDeleteFile +__asm__("Sw3NtDeleteFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004B5CCE7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004B5CCE7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteKey Sw3NtDeleteKey +__asm__("Sw3NtDeleteKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01A4EC31C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01A4EC31C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteObjectAuditAlarm Sw3NtDeleteObjectAuditAlarm +__asm__("Sw3NtDeleteObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC93EE5E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC93EE5E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeletePrivateNamespace Sw3NtDeletePrivateNamespace +__asm__("Sw3NtDeletePrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011BDE62F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011BDE62F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteValueKey Sw3NtDeleteValueKey +__asm__("Sw3NtDeleteValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02E9B310C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02E9B310C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteWnfStateData Sw3NtDeleteWnfStateData +__asm__("Sw3NtDeleteWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x062DD908C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x062DD908C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteWnfStateName Sw3NtDeleteWnfStateName +__asm__("Sw3NtDeleteWnfStateName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004CB81D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004CB81D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDisableLastKnownGood Sw3NtDisableLastKnownGood +__asm__("Sw3NtDisableLastKnownGood: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007B88DAE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007B88DAE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDisplayString Sw3NtDisplayString +__asm__("Sw3NtDisplayString: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FACDACF0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FACDACF0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDrawText Sw3NtDrawText +__asm__("Sw3NtDrawText: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A2DD8D4F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A2DD8D4F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnableLastKnownGood Sw3NtEnableLastKnownGood +__asm__("Sw3NtEnableLastKnownGood: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029BA1D12 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029BA1D12 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateBootEntries Sw3NtEnumerateBootEntries +__asm__("Sw3NtEnumerateBootEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F965FEF2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F965FEF2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateDriverEntries Sw3NtEnumerateDriverEntries +__asm__("Sw3NtEnumerateDriverEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00126F94D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00126F94D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateSystemEnvironmentValuesEx Sw3NtEnumerateSystemEnvironmentValuesEx +__asm__("Sw3NtEnumerateSystemEnvironmentValuesEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F160323B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F160323B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateTransactionObject Sw3NtEnumerateTransactionObject +__asm__("Sw3NtEnumerateTransactionObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x084B9B415 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x084B9B415 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwExtendSection Sw3NtExtendSection +__asm__("Sw3NtExtendSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F76CD7F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F76CD7F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterBootOption Sw3NtFilterBootOption +__asm__("Sw3NtFilterBootOption: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0048823DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0048823DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterToken Sw3NtFilterToken +__asm__("Sw3NtFilterToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D950306 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D950306 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterTokenEx Sw3NtFilterTokenEx +__asm__("Sw3NtFilterTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00691504E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00691504E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushBuffersFileEx Sw3NtFlushBuffersFileEx +__asm__("Sw3NtFlushBuffersFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04DA38117 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04DA38117 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushInstallUILanguage Sw3NtFlushInstallUILanguage +__asm__("Sw3NtFlushInstallUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C415F3C9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C415F3C9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushInstructionCache Sw3NtFlushInstructionCache +__asm__("Sw3NtFlushInstructionCache: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069BE1567 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069BE1567 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushKey Sw3NtFlushKey +__asm__("Sw3NtFlushKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08491A72B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08491A72B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushProcessWriteBuffers Sw3NtFlushProcessWriteBuffers +__asm__("Sw3NtFlushProcessWriteBuffers: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0405C4CC4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0405C4CC4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushVirtualMemory Sw3NtFlushVirtualMemory +__asm__("Sw3NtFlushVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D964559 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D964559 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushWriteBuffer Sw3NtFlushWriteBuffer +__asm__("Sw3NtFlushWriteBuffer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01282CC22 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01282CC22 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreeUserPhysicalPages Sw3NtFreeUserPhysicalPages +__asm__("Sw3NtFreeUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FF61E8E2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FF61E8E2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreezeRegistry Sw3NtFreezeRegistry +__asm__("Sw3NtFreezeRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x002DA7A2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x002DA7A2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreezeTransactions Sw3NtFreezeTransactions +__asm__("Sw3NtFreezeTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04BDBA8CD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04BDBA8CD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCachedSigningLevel Sw3NtGetCachedSigningLevel +__asm__("Sw3NtGetCachedSigningLevel: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0989B1BA4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0989B1BA4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCompleteWnfStateSubscription Sw3NtGetCompleteWnfStateSubscription +__asm__("Sw3NtGetCompleteWnfStateSubscription: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A922E03 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A922E03 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetContextThread Sw3NtGetContextThread +__asm__("Sw3NtGetContextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E84FA6ED \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E84FA6ED \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCurrentProcessorNumber Sw3NtGetCurrentProcessorNumber +__asm__("Sw3NtGetCurrentProcessorNumber: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007AAEEF2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007AAEEF2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCurrentProcessorNumberEx Sw3NtGetCurrentProcessorNumberEx +__asm__("Sw3NtGetCurrentProcessorNumberEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07F57B303 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07F57B303 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetDevicePowerState Sw3NtGetDevicePowerState +__asm__("Sw3NtGetDevicePowerState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08D9DED10 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08D9DED10 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetMUIRegistryInfo Sw3NtGetMUIRegistryInfo +__asm__("Sw3NtGetMUIRegistryInfo: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x084BFA417 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x084BFA417 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNextProcess Sw3NtGetNextProcess +__asm__("Sw3NtGetNextProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005AB0E34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005AB0E34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNextThread Sw3NtGetNextThread +__asm__("Sw3NtGetNextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C304109 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C304109 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNlsSectionPtr Sw3NtGetNlsSectionPtr +__asm__("Sw3NtGetNlsSectionPtr: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B512DB0E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B512DB0E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNotificationResourceManager Sw3NtGetNotificationResourceManager +__asm__("Sw3NtGetNotificationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029BEF3F6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029BEF3F6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetWriteWatch Sw3NtGetWriteWatch +__asm__("Sw3NtGetWriteWatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E749E9DF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E749E9DF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateAnonymousToken Sw3NtImpersonateAnonymousToken +__asm__("Sw3NtImpersonateAnonymousToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06FD97754 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06FD97754 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateThread Sw3NtImpersonateThread +__asm__("Sw3NtImpersonateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x089284184 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x089284184 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeEnclave Sw3NtInitializeEnclave +__asm__("Sw3NtInitializeEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AB60A7C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AB60A7C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeNlsFiles Sw3NtInitializeNlsFiles +__asm__("Sw3NtInitializeNlsFiles: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x096B3A70C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x096B3A70C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeRegistry Sw3NtInitializeRegistry +__asm__("Sw3NtInitializeRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012990011 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012990011 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitiatePowerAction Sw3NtInitiatePowerAction +__asm__("Sw3NtInitiatePowerAction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C178E87 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C178E87 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsSystemResumeAutomatic Sw3NtIsSystemResumeAutomatic +__asm__("Sw3NtIsSystemResumeAutomatic: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01EB92B2E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01EB92B2E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsUILanguageComitted Sw3NtIsUILanguageComitted +__asm__("Sw3NtIsUILanguageComitted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0161A2485 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0161A2485 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwListenPort Sw3NtListenPort +__asm__("Sw3NtListenPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A23199FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A23199FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadDriver Sw3NtLoadDriver +__asm__("Sw3NtLoadDriver: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E447D09E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E447D09E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadEnclaveData Sw3NtLoadEnclaveData +__asm__("Sw3NtLoadEnclaveData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BD034913 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BD034913 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadHotPatch Sw3NtLoadHotPatch +__asm__("Sw3NtLoadHotPatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E4BF28EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E4BF28EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKey Sw3NtLoadKey +__asm__("Sw3NtLoadKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C13CC0A4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C13CC0A4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKey2 Sw3NtLoadKey2 +__asm__("Sw3NtLoadKey2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x065FDAE60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x065FDAE60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKeyEx Sw3NtLoadKeyEx +__asm__("Sw3NtLoadKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B98CCC7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B98CCC7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockFile Sw3NtLockFile +__asm__("Sw3NtLockFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AD9107E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AD9107E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockProductActivationKeys Sw3NtLockProductActivationKeys +__asm__("Sw3NtLockProductActivationKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04AD7A349 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04AD7A349 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockRegistryKey Sw3NtLockRegistryKey +__asm__("Sw3NtLockRegistryKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0172102BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0172102BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockVirtualMemory Sw3NtLockVirtualMemory +__asm__("Sw3NtLockVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B1ADA932 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B1ADA932 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMakePermanentObject Sw3NtMakePermanentObject +__asm__("Sw3NtMakePermanentObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012BC4C11 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012BC4C11 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMakeTemporaryObject Sw3NtMakeTemporaryObject +__asm__("Sw3NtMakeTemporaryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074591ABA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074591ABA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwManagePartition Sw3NtManagePartition +__asm__("Sw3NtManagePartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00C9C6847 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00C9C6847 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapCMFModule Sw3NtMapCMFModule +__asm__("Sw3NtMapCMFModule: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054DC6E5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054DC6E5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapUserPhysicalPages Sw3NtMapUserPhysicalPages +__asm__("Sw3NtMapUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09EA0B300 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09EA0B300 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapViewOfSectionEx Sw3NtMapViewOfSectionEx +__asm__("Sw3NtMapViewOfSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0169D6260 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0169D6260 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwModifyBootEntry Sw3NtModifyBootEntry +__asm__("Sw3NtModifyBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0099D1D02 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0099D1D02 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwModifyDriverEntry Sw3NtModifyDriverEntry +__asm__("Sw3NtModifyDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x031E02178 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x031E02178 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeDirectoryFile Sw3NtNotifyChangeDirectoryFile +__asm__("Sw3NtNotifyChangeDirectoryFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024B4D4EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024B4D4EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeDirectoryFileEx Sw3NtNotifyChangeDirectoryFileEx +__asm__("Sw3NtNotifyChangeDirectoryFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C05A2120 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C05A2120 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeKey Sw3NtNotifyChangeKey +__asm__("Sw3NtNotifyChangeKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA9AA900 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA9AA900 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeMultipleKeys Sw3NtNotifyChangeMultipleKeys +__asm__("Sw3NtNotifyChangeMultipleKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B433BF47 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B433BF47 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeSession Sw3NtNotifyChangeSession +__asm__("Sw3NtNotifyChangeSession: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0178CD9D0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0178CD9D0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEnlistment Sw3NtOpenEnlistment +__asm__("Sw3NtOpenEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C9E33DA4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C9E33DA4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEventPair Sw3NtOpenEventPair +__asm__("Sw3NtOpenEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EE36E41 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EE36E41 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenIoCompletion Sw3NtOpenIoCompletion +__asm__("Sw3NtOpenIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C2EDE2B3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C2EDE2B3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenJobObject Sw3NtOpenJobObject +__asm__("Sw3NtOpenJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00738FD36 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00738FD36 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyEx Sw3NtOpenKeyEx +__asm__("Sw3NtOpenKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FC7F0902 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FC7F0902 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyTransacted Sw3NtOpenKeyTransacted +__asm__("Sw3NtOpenKeyTransacted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D09DB644 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D09DB644 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyTransactedEx Sw3NtOpenKeyTransactedEx +__asm__("Sw3NtOpenKeyTransactedEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E8D8A821 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E8D8A821 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyedEvent Sw3NtOpenKeyedEvent +__asm__("Sw3NtOpenKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048CA4B5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048CA4B5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenMutant Sw3NtOpenMutant +__asm__("Sw3NtOpenMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CD8FA06E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CD8FA06E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenObjectAuditAlarm Sw3NtOpenObjectAuditAlarm +__asm__("Sw3NtOpenObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E30605C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E30605C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenPartition Sw3NtOpenPartition +__asm__("Sw3NtOpenPartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB441A16 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB441A16 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenPrivateNamespace Sw3NtOpenPrivateNamespace +__asm__("Sw3NtOpenPrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CACEFD5D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CACEFD5D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcessToken Sw3NtOpenProcessToken +__asm__("Sw3NtOpenProcessToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00396888F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00396888F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenRegistryTransaction Sw3NtOpenRegistryTransaction +__asm__("Sw3NtOpenRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A1D34B5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A1D34B5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenResourceManager Sw3NtOpenResourceManager +__asm__("Sw3NtOpenResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A929FB0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A929FB0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSemaphore Sw3NtOpenSemaphore +__asm__("Sw3NtOpenSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D8880239 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D8880239 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSession Sw3NtOpenSession +__asm__("Sw3NtOpenSession: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E05BC99 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E05BC99 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSymbolicLinkObject Sw3NtOpenSymbolicLinkObject +__asm__("Sw3NtOpenSymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00406029B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00406029B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThread Sw3NtOpenThread +__asm__("Sw3NtOpenThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0020050BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0020050BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTimer Sw3NtOpenTimer +__asm__("Sw3NtOpenTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004130C89 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004130C89 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTransaction Sw3NtOpenTransaction +__asm__("Sw3NtOpenTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D20DF2D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D20DF2D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTransactionManager Sw3NtOpenTransactionManager +__asm__("Sw3NtOpenTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0192279D1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0192279D1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPlugPlayControl Sw3NtPlugPlayControl +__asm__("Sw3NtPlugPlayControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00791E1C3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00791E1C3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrePrepareComplete Sw3NtPrePrepareComplete +__asm__("Sw3NtPrePrepareComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02CD0DB5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02CD0DB5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrePrepareEnlistment Sw3NtPrePrepareEnlistment +__asm__("Sw3NtPrePrepareEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00CB6CCC5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00CB6CCC5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrepareComplete Sw3NtPrepareComplete +__asm__("Sw3NtPrepareComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048D1B28E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048D1B28E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrepareEnlistment Sw3NtPrepareEnlistment +__asm__("Sw3NtPrepareEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0098CC9DB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0098CC9DB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegeCheck Sw3NtPrivilegeCheck +__asm__("Sw3NtPrivilegeCheck: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AB5D195 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AB5D195 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegeObjectAuditAlarm Sw3NtPrivilegeObjectAuditAlarm +__asm__("Sw3NtPrivilegeObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D2D5D440 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D2D5D440 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegedServiceAuditAlarm Sw3NtPrivilegedServiceAuditAlarm +__asm__("Sw3NtPrivilegedServiceAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D6B931EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D6B931EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPropagationComplete Sw3NtPropagationComplete +__asm__("Sw3NtPropagationComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ACB0C7BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ACB0C7BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPropagationFailed Sw3NtPropagationFailed +__asm__("Sw3NtPropagationFailed: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02196A18A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02196A18A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPulseEvent Sw3NtPulseEvent +__asm__("Sw3NtPulseEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0020513EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0020513EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryAuxiliaryCounterFrequency Sw3NtQueryAuxiliaryCounterFrequency +__asm__("Sw3NtQueryAuxiliaryCounterFrequency: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x077470AC1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x077470AC1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryBootEntryOrder Sw3NtQueryBootEntryOrder +__asm__("Sw3NtQueryBootEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08B9E7C9A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08B9E7C9A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryBootOptions Sw3NtQueryBootOptions +__asm__("Sw3NtQueryBootOptions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A9BE4C6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A9BE4C6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDebugFilterState Sw3NtQueryDebugFilterState +__asm__("Sw3NtQueryDebugFilterState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x032903C34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x032903C34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryFileEx Sw3NtQueryDirectoryFileEx +__asm__("Sw3NtQueryDirectoryFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07682ACD0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07682ACD0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryObject Sw3NtQueryDirectoryObject +__asm__("Sw3NtQueryDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04B637DD9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04B637DD9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDriverEntryOrder Sw3NtQueryDriverEntryOrder +__asm__("Sw3NtQueryDriverEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09B396272 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09B396272 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryEaFile Sw3NtQueryEaFile +__asm__("Sw3NtQueryEaFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FDDC2DE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FDDC2DE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryFullAttributesFile Sw3NtQueryFullAttributesFile +__asm__("Sw3NtQueryFullAttributesFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x008B96472 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x008B96472 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationAtom Sw3NtQueryInformationAtom +__asm__("Sw3NtQueryInformationAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D13DB435 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D13DB435 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationByName Sw3NtQueryInformationByName +__asm__("Sw3NtQueryInformationByName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B8D9C539 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B8D9C539 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationEnlistment Sw3NtQueryInformationEnlistment +__asm__("Sw3NtQueryInformationEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D651E9F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D651E9F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationJobObject Sw3NtQueryInformationJobObject +__asm__("Sw3NtQueryInformationJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB44F9DA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB44F9DA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationPort Sw3NtQueryInformationPort +__asm__("Sw3NtQueryInformationPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A538AABB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A538AABB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationResourceManager Sw3NtQueryInformationResourceManager +__asm__("Sw3NtQueryInformationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01EB789B6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01EB789B6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationTransaction Sw3NtQueryInformationTransaction +__asm__("Sw3NtQueryInformationTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x076EC1431 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x076EC1431 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationTransactionManager Sw3NtQueryInformationTransactionManager +__asm__("Sw3NtQueryInformationTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029B0E7E0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029B0E7E0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationWorkerFactory Sw3NtQueryInformationWorkerFactory +__asm__("Sw3NtQueryInformationWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00C5218CF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00C5218CF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInstallUILanguage Sw3NtQueryInstallUILanguage +__asm__("Sw3NtQueryInstallUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A8365A2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A8365A2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryIntervalProfile Sw3NtQueryIntervalProfile +__asm__("Sw3NtQueryIntervalProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E3C579E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E3C579E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryIoCompletion Sw3NtQueryIoCompletion +__asm__("Sw3NtQueryIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C96EA06 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C96EA06 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryLicenseValue Sw3NtQueryLicenseValue +__asm__("Sw3NtQueryLicenseValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07A91453E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07A91453E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryMultipleValueKey Sw3NtQueryMultipleValueKey +__asm__("Sw3NtQueryMultipleValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00AFB1769 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00AFB1769 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryMutant Sw3NtQueryMutant +__asm__("Sw3NtQueryMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0963399A0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0963399A0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryOpenSubKeys Sw3NtQueryOpenSubKeys +__asm__("Sw3NtQueryOpenSubKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0EEBBE53D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0EEBBE53D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryOpenSubKeysEx Sw3NtQueryOpenSubKeysEx +__asm__("Sw3NtQueryOpenSubKeysEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B87C6D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B87C6D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryPortInformationProcess Sw3NtQueryPortInformationProcess +__asm__("Sw3NtQueryPortInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0772C96B0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0772C96B0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryQuotaInformationFile Sw3NtQueryQuotaInformationFile +__asm__("Sw3NtQueryQuotaInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010947812 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010947812 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityAttributesToken Sw3NtQuerySecurityAttributesToken +__asm__("Sw3NtQuerySecurityAttributesToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C95FC9FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C95FC9FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityObject Sw3NtQuerySecurityObject +__asm__("Sw3NtQuerySecurityObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08BB5B9FB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08BB5B9FB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityPolicy Sw3NtQuerySecurityPolicy +__asm__("Sw3NtQuerySecurityPolicy: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x091ABB6F7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x091ABB6F7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySemaphore Sw3NtQuerySemaphore +__asm__("Sw3NtQuerySemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08716AD59 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08716AD59 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySymbolicLinkObject Sw3NtQuerySymbolicLinkObject +__asm__("Sw3NtQuerySymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x086B9BEF5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x086B9BEF5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemEnvironmentValue Sw3NtQuerySystemEnvironmentValue +__asm__("Sw3NtQuerySystemEnvironmentValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0069D86B6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0069D86B6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemEnvironmentValueEx Sw3NtQuerySystemEnvironmentValueEx +__asm__("Sw3NtQuerySystemEnvironmentValueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0002A4CFF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0002A4CFF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemInformationEx Sw3NtQuerySystemInformationEx +__asm__("Sw3NtQuerySystemInformationEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010EA582A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010EA582A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryTimerResolution Sw3NtQueryTimerResolution +__asm__("Sw3NtQueryTimerResolution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012081297 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012081297 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryWnfStateData Sw3NtQueryWnfStateData +__asm__("Sw3NtQueryWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C685D537 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C685D537 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryWnfStateNameInformation Sw3NtQueryWnfStateNameInformation +__asm__("Sw3NtQueryWnfStateNameInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018037A0F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018037A0F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueueApcThreadEx Sw3NtQueueApcThreadEx +__asm__("Sw3NtQueueApcThreadEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x055B8097C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x055B8097C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRaiseException Sw3NtRaiseException +__asm__("Sw3NtRaiseException: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00892543F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00892543F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRaiseHardError Sw3NtRaiseHardError +__asm__("Sw3NtRaiseHardError: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D651D7C2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D651D7C2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadOnlyEnlistment Sw3NtReadOnlyEnlistment +__asm__("Sw3NtReadOnlyEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069D16043 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069D16043 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverEnlistment Sw3NtRecoverEnlistment +__asm__("Sw3NtRecoverEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x071EE9685 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x071EE9685 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverResourceManager Sw3NtRecoverResourceManager +__asm__("Sw3NtRecoverResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069B70354 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069B70354 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverTransactionManager Sw3NtRecoverTransactionManager +__asm__("Sw3NtRecoverTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06BB46528 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06BB46528 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRegisterProtocolAddressInformation Sw3NtRegisterProtocolAddressInformation +__asm__("Sw3NtRegisterProtocolAddressInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01FB52134 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01FB52134 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRegisterThreadTerminatePort Sw3NtRegisterThreadTerminatePort +__asm__("Sw3NtRegisterThreadTerminatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA3EA3A2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA3EA3A2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseKeyedEvent Sw3NtReleaseKeyedEvent +__asm__("Sw3NtReleaseKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EE15774 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EE15774 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseWorkerFactoryWorker Sw3NtReleaseWorkerFactoryWorker +__asm__("Sw3NtReleaseWorkerFactoryWorker: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x094A3F471 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x094A3F471 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveIoCompletionEx Sw3NtRemoveIoCompletionEx +__asm__("Sw3NtRemoveIoCompletionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06CCEA288 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06CCEA288 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveProcessDebug Sw3NtRemoveProcessDebug +__asm__("Sw3NtRemoveProcessDebug: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04024538C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04024538C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRenameKey Sw3NtRenameKey +__asm__("Sw3NtRenameKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AFA85AD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AFA85AD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRenameTransactionManager Sw3NtRenameTransactionManager +__asm__("Sw3NtRenameTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0633CAD60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0633CAD60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplaceKey Sw3NtReplaceKey +__asm__("Sw3NtReplaceKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EE37B7F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EE37B7F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplacePartitionUnit Sw3NtReplacePartitionUnit +__asm__("Sw3NtReplacePartitionUnit: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F778C9F1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F778C9F1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReplyPort Sw3NtReplyWaitReplyPort +__asm__("Sw3NtReplyWaitReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x062F05F50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x062F05F50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestPort Sw3NtRequestPort +__asm__("Sw3NtRequestPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06EF0676E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06EF0676E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResetEvent Sw3NtResetEvent +__asm__("Sw3NtResetEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08A2195B2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08A2195B2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResetWriteWatch Sw3NtResetWriteWatch +__asm__("Sw3NtResetWriteWatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C429076 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C429076 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRestoreKey Sw3NtRestoreKey +__asm__("Sw3NtRestoreKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EAA1F50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EAA1F50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResumeProcess Sw3NtResumeProcess +__asm__("Sw3NtResumeProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D12F37BA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D12F37BA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRevertContainerImpersonation Sw3NtRevertContainerImpersonation +__asm__("Sw3NtRevertContainerImpersonation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EC85E5F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EC85E5F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackComplete Sw3NtRollbackComplete +__asm__("Sw3NtRollbackComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0964B681E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0964B681E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackEnlistment Sw3NtRollbackEnlistment +__asm__("Sw3NtRollbackEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F96E984 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F96E984 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackRegistryTransaction Sw3NtRollbackRegistryTransaction +__asm__("Sw3NtRollbackRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02CA8701B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02CA8701B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackTransaction Sw3NtRollbackTransaction +__asm__("Sw3NtRollbackTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D450DD4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D450DD4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollforwardTransactionManager Sw3NtRollforwardTransactionManager +__asm__("Sw3NtRollforwardTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005C180D2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005C180D2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveKey Sw3NtSaveKey +__asm__("Sw3NtSaveKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066FE5744 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066FE5744 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveKeyEx Sw3NtSaveKeyEx +__asm__("Sw3NtSaveKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x031BBFDCF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x031BBFDCF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveMergedKeys Sw3NtSaveMergedKeys +__asm__("Sw3NtSaveMergedKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02AB6171D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02AB6171D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSecureConnectPort Sw3NtSecureConnectPort +__asm__("Sw3NtSecureConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DE4DC7A0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DE4DC7A0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSerializeBoot Sw3NtSerializeBoot +__asm__("Sw3NtSerializeBoot: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0329C2233 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0329C2233 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetBootEntryOrder Sw3NtSetBootEntryOrder +__asm__("Sw3NtSetBootEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x073CD5B57 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x073CD5B57 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetBootOptions Sw3NtSetBootOptions +__asm__("Sw3NtSetBootOptions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x017953D01 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x017953D01 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetCachedSigningLevel Sw3NtSetCachedSigningLevel +__asm__("Sw3NtSetCachedSigningLevel: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0207226C3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0207226C3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetCachedSigningLevel2 Sw3NtSetCachedSigningLevel2 +__asm__("Sw3NtSetCachedSigningLevel2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E3526281 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E3526281 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetContextThread Sw3NtSetContextThread +__asm__("Sw3NtSetContextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034963C39 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034963C39 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDebugFilterState Sw3NtSetDebugFilterState +__asm__("Sw3NtSetDebugFilterState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0229809D4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0229809D4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultHardErrorPort Sw3NtSetDefaultHardErrorPort +__asm__("Sw3NtSetDefaultHardErrorPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024B75F38 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024B75F38 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultLocale Sw3NtSetDefaultLocale +__asm__("Sw3NtSetDefaultLocale: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x043DE7109 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x043DE7109 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultUILanguage Sw3NtSetDefaultUILanguage +__asm__("Sw3NtSetDefaultUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A91B6FBA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A91B6FBA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDriverEntryOrder Sw3NtSetDriverEntryOrder +__asm__("Sw3NtSetDriverEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0218D1735 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0218D1735 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEaFile Sw3NtSetEaFile +__asm__("Sw3NtSetEaFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03E6540BD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03E6540BD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetHighEventPair Sw3NtSetHighEventPair +__asm__("Sw3NtSetHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074CC93A2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074CC93A2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetHighWaitLowEventPair Sw3NtSetHighWaitLowEventPair +__asm__("Sw3NtSetHighWaitLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00EB0323D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00EB0323D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIRTimer Sw3NtSetIRTimer +__asm__("Sw3NtSetIRTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x027973716 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x027973716 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationDebugObject Sw3NtSetInformationDebugObject +__asm__("Sw3NtSetInformationDebugObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x068559059 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x068559059 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationEnlistment Sw3NtSetInformationEnlistment +__asm__("Sw3NtSetInformationEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0099B2C2D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0099B2C2D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationJobObject Sw3NtSetInformationJobObject +__asm__("Sw3NtSetInformationJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FF54C7D8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FF54C7D8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationKey Sw3NtSetInformationKey +__asm__("Sw3NtSetInformationKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AE9B3988 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AE9B3988 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationResourceManager Sw3NtSetInformationResourceManager +__asm__("Sw3NtSetInformationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00531159C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00531159C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationSymbolicLink Sw3NtSetInformationSymbolicLink +__asm__("Sw3NtSetInformationSymbolicLink: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F357F3C1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F357F3C1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationToken Sw3NtSetInformationToken +__asm__("Sw3NtSetInformationToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07355266E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07355266E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationTransaction Sw3NtSetInformationTransaction +__asm__("Sw3NtSetInformationTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04886065F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04886065F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationTransactionManager Sw3NtSetInformationTransactionManager +__asm__("Sw3NtSetInformationTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BB65C7A8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BB65C7A8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationVirtualMemory Sw3NtSetInformationVirtualMemory +__asm__("Sw3NtSetInformationVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FB90F506 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FB90F506 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationWorkerFactory Sw3NtSetInformationWorkerFactory +__asm__("Sw3NtSetInformationWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB4AD3C5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB4AD3C5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIntervalProfile Sw3NtSetIntervalProfile +__asm__("Sw3NtSetIntervalProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F4BF6DBB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F4BF6DBB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIoCompletion Sw3NtSetIoCompletion +__asm__("Sw3NtSetIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03EA41FF3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03EA41FF3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIoCompletionEx Sw3NtSetIoCompletionEx +__asm__("Sw3NtSetIoCompletionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A156DDD2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A156DDD2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLdtEntries Sw3NtSetLdtEntries +__asm__("Sw3NtSetLdtEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02A81C395 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02A81C395 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLowEventPair Sw3NtSetLowEventPair +__asm__("Sw3NtSetLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EB2462B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EB2462B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLowWaitHighEventPair Sw3NtSetLowWaitHighEventPair +__asm__("Sw3NtSetLowWaitHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02232329B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02232329B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetQuotaInformationFile Sw3NtSetQuotaInformationFile +__asm__("Sw3NtSetQuotaInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DE5F0418 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DE5F0418 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSecurityObject Sw3NtSetSecurityObject +__asm__("Sw3NtSetSecurityObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FA40C2CC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FA40C2CC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemEnvironmentValue Sw3NtSetSystemEnvironmentValue +__asm__("Sw3NtSetSystemEnvironmentValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03C972B1C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03C972B1C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemEnvironmentValueEx Sw3NtSetSystemEnvironmentValueEx +__asm__("Sw3NtSetSystemEnvironmentValueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0978AC356 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0978AC356 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemInformation Sw3NtSetSystemInformation +__asm__("Sw3NtSetSystemInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0349A4F8F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0349A4F8F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemPowerState Sw3NtSetSystemPowerState +__asm__("Sw3NtSetSystemPowerState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01CA3F6D2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01CA3F6D2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemTime Sw3NtSetSystemTime +__asm__("Sw3NtSetSystemTime: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x086A2D69F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x086A2D69F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetThreadExecutionState Sw3NtSetThreadExecutionState +__asm__("Sw3NtSetThreadExecutionState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09D966489 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09D966489 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimer2 Sw3NtSetTimer2 +__asm__("Sw3NtSetTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01DA4DA2D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01DA4DA2D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimerEx Sw3NtSetTimerEx +__asm__("Sw3NtSetTimerEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x026B9998E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x026B9998E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimerResolution Sw3NtSetTimerResolution +__asm__("Sw3NtSetTimerResolution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03CAB3C3D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03CAB3C3D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetUuidSeed Sw3NtSetUuidSeed +__asm__("Sw3NtSetUuidSeed: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F1CF72F3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F1CF72F3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetVolumeInformationFile Sw3NtSetVolumeInformationFile +__asm__("Sw3NtSetVolumeInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A9CC2BA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A9CC2BA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetWnfProcessNotificationEvent Sw3NtSetWnfProcessNotificationEvent +__asm__("Sw3NtSetWnfProcessNotificationEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03924D47D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03924D47D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwShutdownSystem Sw3NtShutdownSystem +__asm__("Sw3NtShutdownSystem: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x090BC8003 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x090BC8003 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwShutdownWorkerFactory Sw3NtShutdownWorkerFactory +__asm__("Sw3NtShutdownWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C02BABA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C02BABA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSignalAndWaitForSingleObject Sw3NtSignalAndWaitForSingleObject +__asm__("Sw3NtSignalAndWaitForSingleObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07CA8145F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07CA8145F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSinglePhaseReject Sw3NtSinglePhaseReject +__asm__("Sw3NtSinglePhaseReject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03E850E39 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03E850E39 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStartProfile Sw3NtStartProfile +__asm__("Sw3NtStartProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC9D0F3B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC9D0F3B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStopProfile Sw3NtStopProfile +__asm__("Sw3NtStopProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010B49B84 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010B49B84 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSubscribeWnfStateChange Sw3NtSubscribeWnfStateChange +__asm__("Sw3NtSubscribeWnfStateChange: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC5EFDC4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC5EFDC4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSuspendProcess Sw3NtSuspendProcess +__asm__("Sw3NtSuspendProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C6BBDF57 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C6BBDF57 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSuspendThread Sw3NtSuspendThread +__asm__("Sw3NtSuspendThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014B83629 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014B83629 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSystemDebugControl Sw3NtSystemDebugControl +__asm__("Sw3NtSystemDebugControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x047D16953 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x047D16953 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateEnclave Sw3NtTerminateEnclave +__asm__("Sw3NtTerminateEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00EC2F49E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00EC2F49E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateJobObject Sw3NtTerminateJobObject +__asm__("Sw3NtTerminateJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EA07C3D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EA07C3D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTestAlert Sw3NtTestAlert +__asm__("Sw3NtTestAlert: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F2C58F34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F2C58F34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwThawRegistry Sw3NtThawRegistry +__asm__("Sw3NtThawRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024AE2623 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024AE2623 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwThawTransactions Sw3NtThawTransactions +__asm__("Sw3NtThawTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC1ED09E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC1ED09E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTraceControl Sw3NtTraceControl +__asm__("Sw3NtTraceControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BF914486 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BF914486 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTranslateFilePath Sw3NtTranslateFilePath +__asm__("Sw3NtTranslateFilePath: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0721347BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0721347BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUmsThreadYield Sw3NtUmsThreadYield +__asm__("Sw3NtUmsThreadYield: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007BB766F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007BB766F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadDriver Sw3NtUnloadDriver +__asm__("Sw3NtUnloadDriver: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018AB3010 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018AB3010 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKey Sw3NtUnloadKey +__asm__("Sw3NtUnloadKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0082969B1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0082969B1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKey2 Sw3NtUnloadKey2 +__asm__("Sw3NtUnloadKey2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B92132FC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B92132FC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKeyEx Sw3NtUnloadKeyEx +__asm__("Sw3NtUnloadKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07B98ADC5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07B98ADC5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnlockFile Sw3NtUnlockFile +__asm__("Sw3NtUnlockFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x009990733 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x009990733 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnlockVirtualMemory Sw3NtUnlockVirtualMemory +__asm__("Sw3NtUnlockVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A5B00DB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A5B00DB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnmapViewOfSectionEx Sw3NtUnmapViewOfSectionEx +__asm__("Sw3NtUnmapViewOfSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09A91C446 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09A91C446 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnsubscribeWnfStateChange Sw3NtUnsubscribeWnfStateChange +__asm__("Sw3NtUnsubscribeWnfStateChange: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D344D0DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D344D0DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUpdateWnfStateData Sw3NtUpdateWnfStateData +__asm__("Sw3NtUpdateWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066C9F2FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066C9F2FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwVdmControl Sw3NtVdmControl +__asm__("Sw3NtVdmControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09F93E505 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09F93E505 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForAlertByThreadId Sw3NtWaitForAlertByThreadId +__asm__("Sw3NtWaitForAlertByThreadId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ACB3E812 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ACB3E812 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForDebugEvent Sw3NtWaitForDebugEvent +__asm__("Sw3NtWaitForDebugEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01085371E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01085371E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForKeyedEvent Sw3NtWaitForKeyedEvent +__asm__("Sw3NtWaitForKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B73DA6BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B73DA6BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForWorkViaWorkerFactory Sw3NtWaitForWorkViaWorkerFactory +__asm__("Sw3NtWaitForWorkViaWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x044954E00 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x044954E00 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitHighEventPair Sw3NtWaitHighEventPair +__asm__("Sw3NtWaitHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08315B9B2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08315B9B2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitLowEventPair Sw3NtWaitLowEventPair +__asm__("Sw3NtWaitLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F4B1D4EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F4B1D4EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcquireCMFViewOwnership Sw3NtAcquireCMFViewOwnership +__asm__("Sw3NtAcquireCMFViewOwnership: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04E131538 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04E131538 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelDeviceWakeupRequest Sw3NtCancelDeviceWakeupRequest +__asm__("Sw3NtCancelDeviceWakeupRequest: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x041CF4952 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x041CF4952 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearAllSavepointsTransaction Sw3NtClearAllSavepointsTransaction +__asm__("Sw3NtClearAllSavepointsTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05D0961A3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05D0961A3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearSavepointTransaction Sw3NtClearSavepointTransaction +__asm__("Sw3NtClearSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A206BCAF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A206BCAF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackSavepointTransaction Sw3NtRollbackSavepointTransaction +__asm__("Sw3NtRollbackSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08099DE55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08099DE55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSavepointTransaction Sw3NtSavepointTransaction +__asm__("Sw3NtSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0174CD316 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0174CD316 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSavepointComplete Sw3NtSavepointComplete +__asm__("Sw3NtSavepointComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E9569349 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E9569349 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSectionEx Sw3NtCreateSectionEx +__asm__("Sw3NtCreateSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08694D44E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08694D44E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateCrossVmEvent Sw3NtCreateCrossVmEvent +__asm__("Sw3NtCreateCrossVmEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C60CCF98 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C60CCF98 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetPlugPlayEvent Sw3NtGetPlugPlayEvent +__asm__("Sw3NtGetPlugPlayEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0124DF03B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0124DF03B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwListTransactions Sw3NtListTransactions +__asm__("Sw3NtListTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F5D17D7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F5D17D7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMarshallTransaction Sw3NtMarshallTransaction +__asm__("Sw3NtMarshallTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074AA567B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074AA567B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPullTransaction Sw3NtPullTransaction +__asm__("Sw3NtPullTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C881EE55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C881EE55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseCMFViewOwnership Sw3NtReleaseCMFViewOwnership +__asm__("Sw3NtReleaseCMFViewOwnership: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0808559CF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0808559CF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForWnfNotifications Sw3NtWaitForWnfNotifications +__asm__("Sw3NtWaitForWnfNotifications: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C5893EE2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C5893EE2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStartTm Sw3NtStartTm +__asm__("Sw3NtStartTm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0539E1B22 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0539E1B22 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationProcess Sw3NtSetInformationProcess +__asm__("Sw3NtSetInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06739AA60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06739AA60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestDeviceWakeup Sw3NtRequestDeviceWakeup +__asm__("Sw3NtRequestDeviceWakeup: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x045A10570 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x045A10570 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestWakeupLatency Sw3NtRequestWakeupLatency +__asm__("Sw3NtRequestWakeupLatency: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x001095ECC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x001095ECC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemTime Sw3NtQuerySystemTime +__asm__("Sw3NtQuerySystemTime: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E96EBE5E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E96EBE5E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwManageHotPatch Sw3NtManageHotPatch +__asm__("Sw3NtManageHotPatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B0AD6FE9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B0AD6FE9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwContinueEx Sw3NtContinueEx +__asm__("Sw3NtContinueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F34DB5F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F34DB5F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#endif diff --git a/output/syscalls-asm.h b/output/syscalls-asm.h new file mode 100644 index 0000000..06e6421 --- /dev/null +++ b/output/syscalls-asm.h @@ -0,0 +1,10132 @@ +#pragma once +#include + +#if _WIN64 + + + + + +#define Sw3ZwAccessCheck Sw3NtAccessCheck +__asm__("Sw3NtAccessCheck: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x090BDE162 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x090BDE162 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWorkerFactoryWorkerReady Sw3NtWorkerFactoryWorkerReady +__asm__("Sw3NtWorkerFactoryWorkerReady: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B198C761 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B198C761 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcceptConnectPort Sw3NtAcceptConnectPort +__asm__("Sw3NtAcceptConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02ABE2B30 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02ABE2B30 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapUserPhysicalPagesScatter Sw3NtMapUserPhysicalPagesScatter +__asm__("Sw3NtMapUserPhysicalPagesScatter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x019A82701 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x019A82701 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForSingleObject Sw3NtWaitForSingleObject +__asm__("Sw3NtWaitForSingleObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA974ACB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA974ACB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCallbackReturn Sw3NtCallbackReturn +__asm__("Sw3NtCallbackReturn: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CA9EEB09 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CA9EEB09 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadFile Sw3NtReadFile +__asm__("Sw3NtReadFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052D55A76 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052D55A76 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeviceIoControlFile Sw3NtDeviceIoControlFile +__asm__("Sw3NtDeviceIoControlFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04AD55862 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04AD55862 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteFile Sw3NtWriteFile +__asm__("Sw3NtWriteFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E05AED2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E05AED2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveIoCompletion Sw3NtRemoveIoCompletion +__asm__("Sw3NtRemoveIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x002986257 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x002986257 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseSemaphore Sw3NtReleaseSemaphore +__asm__("Sw3NtReleaseSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F7649DAB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F7649DAB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReceivePort Sw3NtReplyWaitReceivePort +__asm__("Sw3NtReplyWaitReceivePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07AF2887C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07AF2887C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyPort Sw3NtReplyPort +__asm__("Sw3NtReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x022B42B28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x022B42B28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationThread Sw3NtSetInformationThread +__asm__("Sw3NtSetInformationThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014469558 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014469558 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEvent Sw3NtSetEvent +__asm__("Sw3NtSetEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CB6BEADD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CB6BEADD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClose Sw3NtClose +__asm__("Sw3NtClose: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0028DF4DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0028DF4DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryObject Sw3NtQueryObject +__asm__("Sw3NtQueryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03EA6CBDE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03EA6CBDE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationFile Sw3NtQueryInformationFile +__asm__("Sw3NtQueryInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0583D26E6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0583D26E6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKey Sw3NtOpenKey +__asm__("Sw3NtOpenKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02522D15D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02522D15D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateValueKey Sw3NtEnumerateValueKey +__asm__("Sw3NtEnumerateValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011958D8E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011958D8E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFindAtom Sw3NtFindAtom +__asm__("Sw3NtFindAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048DE6F0C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048DE6F0C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDefaultLocale Sw3NtQueryDefaultLocale +__asm__("Sw3NtQueryDefaultLocale: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A6AAFC1D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A6AAFC1D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryKey Sw3NtQueryKey +__asm__("Sw3NtQueryKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x095157F77 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x095157F77 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryValueKey Sw3NtQueryValueKey +__asm__("Sw3NtQueryValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00FDA326C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00FDA326C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateVirtualMemory Sw3NtAllocateVirtualMemory +__asm__("Sw3NtAllocateVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x041D23933 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x041D23933 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationProcess Sw3NtQueryInformationProcess +__asm__("Sw3NtQueryInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08F3D6E50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08F3D6E50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForMultipleObjects32 Sw3NtWaitForMultipleObjects32 +__asm__("Sw3NtWaitForMultipleObjects32: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0102CEE619 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0102CEE619 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteFileGather Sw3NtWriteFileGather +__asm__("Sw3NtWriteFileGather: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AD8D79AC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AD8D79AC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKey Sw3NtCreateKey +__asm__("Sw3NtCreateKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AAED834C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AAED834C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreeVirtualMemory Sw3NtFreeVirtualMemory +__asm__("Sw3NtFreeVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CF4F2620 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CF4F2620 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateClientOfPort Sw3NtImpersonateClientOfPort +__asm__("Sw3NtImpersonateClientOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06EF76164 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06EF76164 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseMutant Sw3NtReleaseMutant +__asm__("Sw3NtReleaseMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03ED41482 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03ED41482 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationToken Sw3NtQueryInformationToken +__asm__("Sw3NtQueryInformationToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B92515E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B92515E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestWaitReplyPort Sw3NtRequestWaitReplyPort +__asm__("Sw3NtRequestWaitReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AB04F60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AB04F60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryVirtualMemory Sw3NtQueryVirtualMemory +__asm__("Sw3NtQueryVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C455F4EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C455F4EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThreadToken Sw3NtOpenThreadToken +__asm__("Sw3NtOpenThreadToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FCA9D433 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FCA9D433 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationThread Sw3NtQueryInformationThread +__asm__("Sw3NtQueryInformationThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AB45A1F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AB45A1F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcess Sw3NtOpenProcess +__asm__("Sw3NtOpenProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00FA30E32 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00FA30E32 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationFile Sw3NtSetInformationFile +__asm__("Sw3NtSetInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E3D831EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E3D831EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapViewOfSection Sw3NtMapViewOfSection +__asm__("Sw3NtMapViewOfSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034AD1A31 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034AD1A31 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckAndAuditAlarm Sw3NtAccessCheckAndAuditAlarm +__asm__("Sw3NtAccessCheckAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0923C6C70 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0923C6C70 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnmapViewOfSection Sw3NtUnmapViewOfSection +__asm__("Sw3NtUnmapViewOfSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C343EA5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C343EA5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReceivePortEx Sw3NtReplyWaitReceivePortEx +__asm__("Sw3NtReplyWaitReceivePortEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0608F3450 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0608F3450 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateProcess Sw3NtTerminateProcess +__asm__("Sw3NtTerminateProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FDA3163F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FDA3163F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEventBoostPriority Sw3NtSetEventBoostPriority +__asm__("Sw3NtSetEventBoostPriority: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02C9C407A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02C9C407A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadFileScatter Sw3NtReadFileScatter +__asm__("Sw3NtReadFileScatter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C3B0CE2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C3B0CE2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThreadTokenEx Sw3NtOpenThreadTokenEx +__asm__("Sw3NtOpenThreadTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02A9BE5CD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02A9BE5CD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcessTokenEx Sw3NtOpenProcessTokenEx +__asm__("Sw3NtOpenProcessTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0091E59C7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0091E59C7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryPerformanceCounter Sw3NtQueryPerformanceCounter +__asm__("Sw3NtQueryPerformanceCounter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BB0FC18B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BB0FC18B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateKey Sw3NtEnumerateKey +__asm__("Sw3NtEnumerateKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01F997A62 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01F997A62 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenFile Sw3NtOpenFile +__asm__("Sw3NtOpenFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054C29D70 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054C29D70 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDelayExecution Sw3NtDelayExecution +__asm__("Sw3NtDelayExecution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C950239 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C950239 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryFile Sw3NtQueryDirectoryFile +__asm__("Sw3NtQueryDirectoryFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x023B4CD31 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x023B4CD31 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemInformation Sw3NtQuerySystemInformation +__asm__("Sw3NtQuerySystemInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00E6A1681 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00E6A1681 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSection Sw3NtOpenSection +__asm__("Sw3NtOpenSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D30CD39E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D30CD39E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryTimer Sw3NtQueryTimer +__asm__("Sw3NtQueryTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E44735E4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E44735E4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFsControlFile Sw3NtFsControlFile +__asm__("Sw3NtFsControlFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x050DFC2E8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x050DFC2E8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteVirtualMemory Sw3NtWriteVirtualMemory +__asm__("Sw3NtWriteVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00992F8FD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00992F8FD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCloseObjectAuditAlarm Sw3NtCloseObjectAuditAlarm +__asm__("Sw3NtCloseObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FE3CF8A8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FE3CF8A8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDuplicateObject Sw3NtDuplicateObject +__asm__("Sw3NtDuplicateObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A155AD8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A155AD8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryAttributesFile Sw3NtQueryAttributesFile +__asm__("Sw3NtQueryAttributesFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C6FC32EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C6FC32EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearEvent Sw3NtClearEvent +__asm__("Sw3NtClearEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03CA6232C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03CA6232C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadVirtualMemory Sw3NtReadVirtualMemory +__asm__("Sw3NtReadVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x003971B07 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x003971B07 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEvent Sw3NtOpenEvent +__asm__("Sw3NtOpenEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0973F90AD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0973F90AD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustPrivilegesToken Sw3NtAdjustPrivilegesToken +__asm__("Sw3NtAdjustPrivilegesToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F3D6C176 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F3D6C176 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDuplicateToken Sw3NtDuplicateToken +__asm__("Sw3NtDuplicateToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B5918530 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B5918530 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwContinue Sw3NtContinue +__asm__("Sw3NtContinue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C2B521F9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C2B521F9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDefaultUILanguage Sw3NtQueryDefaultUILanguage +__asm__("Sw3NtQueryDefaultUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0358BF32A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0358BF32A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueueApcThread Sw3NtQueueApcThread +__asm__("Sw3NtQueueApcThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C897152E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C897152E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwYieldExecution Sw3NtYieldExecution +__asm__("Sw3NtYieldExecution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C8A3CA33 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C8A3CA33 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddAtom Sw3NtAddAtom +__asm__("Sw3NtAddAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054C15D50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054C15D50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEvent Sw3NtCreateEvent +__asm__("Sw3NtCreateEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0014C04C4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0014C04C4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryVolumeInformationFile Sw3NtQueryVolumeInformationFile +__asm__("Sw3NtQueryVolumeInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D949BA4D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D949BA4D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSection Sw3NtCreateSection +__asm__("Sw3NtCreateSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0128C3419 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0128C3419 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushBuffersFile Sw3NtFlushBuffersFile +__asm__("Sw3NtFlushBuffersFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x038B8FF1A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x038B8FF1A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwApphelpCacheControl Sw3NtApphelpCacheControl +__asm__("Sw3NtApphelpCacheControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E38CFC0F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E38CFC0F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProcessEx Sw3NtCreateProcessEx +__asm__("Sw3NtCreateProcessEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x015EB5512 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x015EB5512 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateThread Sw3NtCreateThread +__asm__("Sw3NtCreateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B4EDFFE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B4EDFFE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsProcessInJob Sw3NtIsProcessInJob +__asm__("Sw3NtIsProcessInJob: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02FD7D983 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02FD7D983 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwProtectVirtualMemory Sw3NtProtectVirtualMemory +__asm__("Sw3NtProtectVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03DA9534F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03DA9534F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySection Sw3NtQuerySection +__asm__("Sw3NtQuerySection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A8602873 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A8602873 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResumeThread Sw3NtResumeThread +__asm__("Sw3NtResumeThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03C85E6BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03C85E6BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateThread Sw3NtTerminateThread +__asm__("Sw3NtTerminateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x078DC366D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x078DC366D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadRequestData Sw3NtReadRequestData +__asm__("Sw3NtReadRequestData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x023830CCF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x023830CCF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateFile Sw3NtCreateFile +__asm__("Sw3NtCreateFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F95E1C05 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F95E1C05 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryEvent Sw3NtQueryEvent +__asm__("Sw3NtQueryEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x016830504 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x016830504 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteRequestData Sw3NtWriteRequestData +__asm__("Sw3NtWriteRequestData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0765FA36D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0765FA36D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenDirectoryObject Sw3NtOpenDirectoryObject +__asm__("Sw3NtOpenDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0203E2EA3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0203E2EA3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeAndAuditAlarm Sw3NtAccessCheckByTypeAndAuditAlarm +__asm__("Sw3NtAccessCheckByTypeAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052D57480 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052D57480 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForMultipleObjects Sw3NtWaitForMultipleObjects +__asm__("Sw3NtWaitForMultipleObjects: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01BE5DFD93 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01BE5DFD93 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationObject Sw3NtSetInformationObject +__asm__("Sw3NtSetInformationObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03A150AA9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03A150AA9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelIoFile Sw3NtCancelIoFile +__asm__("Sw3NtCancelIoFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B7194803 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B7194803 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTraceEvent Sw3NtTraceEvent +__asm__("Sw3NtTraceEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010843514 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010843514 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPowerInformation Sw3NtPowerInformation +__asm__("Sw3NtPowerInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E84EE6D5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E84EE6D5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetValueKey Sw3NtSetValueKey +__asm__("Sw3NtSetValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05BE22000 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05BE22000 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelTimer Sw3NtCancelTimer +__asm__("Sw3NtCancelTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x099A2E129 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x099A2E129 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimer Sw3NtSetTimer +__asm__("Sw3NtSetTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E044CCFD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E044CCFD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByType Sw3NtAccessCheckByType +__asm__("Sw3NtAccessCheckByType: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DF07D26F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DF07D26F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultList Sw3NtAccessCheckByTypeResultList +__asm__("Sw3NtAccessCheckByTypeResultList: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02EB0C9A3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02EB0C9A3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultListAndAuditAlarm Sw3NtAccessCheckByTypeResultListAndAuditAlarm +__asm__("Sw3NtAccessCheckByTypeResultListAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09F339E5F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09F339E5F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultListAndAuditAlarmByHandle Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle +__asm__("Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0973CB876 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0973CB876 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcquireProcessActivityReference Sw3NtAcquireProcessActivityReference +__asm__("Sw3NtAcquireProcessActivityReference: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0569AADFA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0569AADFA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddAtomEx Sw3NtAddAtomEx +__asm__("Sw3NtAddAtomEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00990B594 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00990B594 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddBootEntry Sw3NtAddBootEntry +__asm__("Sw3NtAddBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x049853376 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x049853376 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddDriverEntry Sw3NtAddDriverEntry +__asm__("Sw3NtAddDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x047EB7D28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x047EB7D28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustGroupsToken Sw3NtAdjustGroupsToken +__asm__("Sw3NtAdjustGroupsToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01390DDCC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01390DDCC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustTokenClaimsAndDeviceGroups Sw3NtAdjustTokenClaimsAndDeviceGroups +__asm__("Sw3NtAdjustTokenClaimsAndDeviceGroups: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08DC0A159 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08DC0A159 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertResumeThread Sw3NtAlertResumeThread +__asm__("Sw3NtAlertResumeThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E86542F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E86542F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertThread Sw3NtAlertThread +__asm__("Sw3NtAlertThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x040E00A35 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x040E00A35 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertThreadByThreadId Sw3NtAlertThreadByThreadId +__asm__("Sw3NtAlertThreadByThreadId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x022D6DD4D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x022D6DD4D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateLocallyUniqueId Sw3NtAllocateLocallyUniqueId +__asm__("Sw3NtAllocateLocallyUniqueId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07F8B431A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07F8B431A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateReserveObject Sw3NtAllocateReserveObject +__asm__("Sw3NtAllocateReserveObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E0BF00E2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E0BF00E2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateUserPhysicalPages Sw3NtAllocateUserPhysicalPages +__asm__("Sw3NtAllocateUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A9B6BE16 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A9B6BE16 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateUuids Sw3NtAllocateUuids +__asm__("Sw3NtAllocateUuids: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AD9CDB79 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AD9CDB79 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateVirtualMemoryEx Sw3NtAllocateVirtualMemoryEx +__asm__("Sw3NtAllocateVirtualMemoryEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066E23835 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066E23835 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcAcceptConnectPort Sw3NtAlpcAcceptConnectPort +__asm__("Sw3NtAlpcAcceptConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E54CDEE3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E54CDEE3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCancelMessage Sw3NtAlpcCancelMessage +__asm__("Sw3NtAlpcCancelMessage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B111222C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B111222C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcConnectPort Sw3NtAlpcConnectPort +__asm__("Sw3NtAlpcConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x030B61AE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x030B61AE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcConnectPortEx Sw3NtAlpcConnectPortEx +__asm__("Sw3NtAlpcConnectPortEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A65FF889 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A65FF889 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreatePort Sw3NtAlpcCreatePort +__asm__("Sw3NtAlpcCreatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E870C1EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E870C1EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreatePortSection Sw3NtAlpcCreatePortSection +__asm__("Sw3NtAlpcCreatePortSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09255EA9F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09255EA9F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateResourceReserve Sw3NtAlpcCreateResourceReserve +__asm__("Sw3NtAlpcCreateResourceReserve: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0289B3A33 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0289B3A33 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateSectionView Sw3NtAlpcCreateSectionView +__asm__("Sw3NtAlpcCreateSectionView: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x092C4A77E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x092C4A77E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateSecurityContext Sw3NtAlpcCreateSecurityContext +__asm__("Sw3NtAlpcCreateSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F66FF3E6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F66FF3E6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeletePortSection Sw3NtAlpcDeletePortSection +__asm__("Sw3NtAlpcDeletePortSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A81CAD2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A81CAD2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteResourceReserve Sw3NtAlpcDeleteResourceReserve +__asm__("Sw3NtAlpcDeleteResourceReserve: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x006D95411 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x006D95411 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteSectionView Sw3NtAlpcDeleteSectionView +__asm__("Sw3NtAlpcDeleteSectionView: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0EE48D7EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0EE48D7EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteSecurityContext Sw3NtAlpcDeleteSecurityContext +__asm__("Sw3NtAlpcDeleteSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x094CC5A8D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x094CC5A8D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDisconnectPort Sw3NtAlpcDisconnectPort +__asm__("Sw3NtAlpcDisconnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E037E7BC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E037E7BC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcImpersonateClientContainerOfPort Sw3NtAlpcImpersonateClientContainerOfPort +__asm__("Sw3NtAlpcImpersonateClientContainerOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E477EFE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E477EFE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcImpersonateClientOfPort Sw3NtAlpcImpersonateClientOfPort +__asm__("Sw3NtAlpcImpersonateClientOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05CB4552A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05CB4552A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcOpenSenderProcess Sw3NtAlpcOpenSenderProcess +__asm__("Sw3NtAlpcOpenSenderProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0693F9773 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0693F9773 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcOpenSenderThread Sw3NtAlpcOpenSenderThread +__asm__("Sw3NtAlpcOpenSenderThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014884C37 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014884C37 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcQueryInformation Sw3NtAlpcQueryInformation +__asm__("Sw3NtAlpcQueryInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05CC45E55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05CC45E55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcQueryInformationMessage Sw3NtAlpcQueryInformationMessage +__asm__("Sw3NtAlpcQueryInformationMessage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x027123CAB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x027123CAB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcRevokeSecurityContext Sw3NtAlpcRevokeSecurityContext +__asm__("Sw3NtAlpcRevokeSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x016B20D3A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x016B20D3A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcSendWaitReceivePort Sw3NtAlpcSendWaitReceivePort +__asm__("Sw3NtAlpcSendWaitReceivePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ED760C6B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ED760C6B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcSetInformation Sw3NtAlpcSetInformation +__asm__("Sw3NtAlpcSetInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0178A1718 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0178A1718 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAreMappedFilesTheSame Sw3NtAreMappedFilesTheSame +__asm__("Sw3NtAreMappedFilesTheSame: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B1909816 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B1909816 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAssignProcessToJobObject Sw3NtAssignProcessToJobObject +__asm__("Sw3NtAssignProcessToJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x008946A49 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x008946A49 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAssociateWaitCompletionPacket Sw3NtAssociateWaitCompletionPacket +__asm__("Sw3NtAssociateWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07B5C01B1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07B5C01B1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCallEnclave Sw3NtCallEnclave +__asm__("Sw3NtCallEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03AAA5638 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03AAA5638 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelIoFileEx Sw3NtCancelIoFileEx +__asm__("Sw3NtCancelIoFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E51A3345 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E51A3345 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelSynchronousIoFile Sw3NtCancelSynchronousIoFile +__asm__("Sw3NtCancelSynchronousIoFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x055DC6B49 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x055DC6B49 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelTimer2 Sw3NtCancelTimer2 +__asm__("Sw3NtCancelTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B03B31EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B03B31EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelWaitCompletionPacket Sw3NtCancelWaitCompletionPacket +__asm__("Sw3NtCancelWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029AC4F7E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029AC4F7E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitComplete Sw3NtCommitComplete +__asm__("Sw3NtCommitComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04EB13672 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04EB13672 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitEnlistment Sw3NtCommitEnlistment +__asm__("Sw3NtCommitEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x033BB262D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x033BB262D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitRegistryTransaction Sw3NtCommitRegistryTransaction +__asm__("Sw3NtCommitRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E58D104 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E58D104 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitTransaction Sw3NtCommitTransaction +__asm__("Sw3NtCommitTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D8822BC6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D8822BC6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompactKeys Sw3NtCompactKeys +__asm__("Sw3NtCompactKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x059B04422 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x059B04422 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareObjects Sw3NtCompareObjects +__asm__("Sw3NtCompareObjects: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x081ADB90F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x081ADB90F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareSigningLevels Sw3NtCompareSigningLevels +__asm__("Sw3NtCompareSigningLevels: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A21BE2CE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A21BE2CE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareTokens Sw3NtCompareTokens +__asm__("Sw3NtCompareTokens: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x077D6695B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x077D6695B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompleteConnectPort Sw3NtCompleteConnectPort +__asm__("Sw3NtCompleteConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x064F16F6E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x064F16F6E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompressKey Sw3NtCompressKey +__asm__("Sw3NtCompressKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x088CD5F92 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x088CD5F92 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwConnectPort Sw3NtConnectPort +__asm__("Sw3NtConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x058F15B7E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x058F15B7E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter +__asm__("Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E7D6389A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E7D6389A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDebugObject Sw3NtCreateDebugObject +__asm__("Sw3NtCreateDebugObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00E33E64F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00E33E64F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDirectoryObject Sw3NtCreateDirectoryObject +__asm__("Sw3NtCreateDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018A42619 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018A42619 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDirectoryObjectEx Sw3NtCreateDirectoryObjectEx +__asm__("Sw3NtCreateDirectoryObjectEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B0BCC246 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B0BCC246 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEnclave Sw3NtCreateEnclave +__asm__("Sw3NtCreateEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0135CE116 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0135CE116 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEnlistment Sw3NtCreateEnlistment +__asm__("Sw3NtCreateEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x079E37869 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x079E37869 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEventPair Sw3NtCreateEventPair +__asm__("Sw3NtCreateEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01235DE6F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01235DE6F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateIRTimer Sw3NtCreateIRTimer +__asm__("Sw3NtCreateIRTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005963FDE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005963FDE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateIoCompletion Sw3NtCreateIoCompletion +__asm__("Sw3NtCreateIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F296DB8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F296DB8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateJobObject Sw3NtCreateJobObject +__asm__("Sw3NtCreateJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09655BEE9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09655BEE9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateJobSet Sw3NtCreateJobSet +__asm__("Sw3NtCreateJobSet: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00716F85D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00716F85D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKeyTransacted Sw3NtCreateKeyTransacted +__asm__("Sw3NtCreateKeyTransacted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x060BC2262 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x060BC2262 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKeyedEvent Sw3NtCreateKeyedEvent +__asm__("Sw3NtCreateKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04F0D5284 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04F0D5284 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateLowBoxToken Sw3NtCreateLowBoxToken +__asm__("Sw3NtCreateLowBoxToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01A5200DF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01A5200DF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateMailslotFile Sw3NtCreateMailslotFile +__asm__("Sw3NtCreateMailslotFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0393CB028 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0393CB028 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateMutant Sw3NtCreateMutant +__asm__("Sw3NtCreateMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D10CD69F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D10CD69F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateNamedPipeFile Sw3NtCreateNamedPipeFile +__asm__("Sw3NtCreateNamedPipeFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E5CE906 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E5CE906 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePagingFile Sw3NtCreatePagingFile +__asm__("Sw3NtCreatePagingFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E5659673 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E5659673 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePartition Sw3NtCreatePartition +__asm__("Sw3NtCreatePartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B4E678C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B4E678C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePort Sw3NtCreatePort +__asm__("Sw3NtCreatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E570FAE3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E570FAE3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePrivateNamespace Sw3NtCreatePrivateNamespace +__asm__("Sw3NtCreatePrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x017332B6A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x017332B6A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProcess Sw3NtCreateProcess +__asm__("Sw3NtCreateProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x019A80240 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x019A80240 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProfile Sw3NtCreateProfile +__asm__("Sw3NtCreateProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074B7122C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074B7122C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProfileEx Sw3NtCreateProfileEx +__asm__("Sw3NtCreateProfileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0409A1C4F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0409A1C4F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateRegistryTransaction Sw3NtCreateRegistryTransaction +__asm__("Sw3NtCreateRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC9E2602 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC9E2602 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateResourceManager Sw3NtCreateResourceManager +__asm__("Sw3NtCreateResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x035E66124 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x035E66124 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSemaphore Sw3NtCreateSemaphore +__asm__("Sw3NtCreateSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0742656EA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0742656EA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSymbolicLinkObject Sw3NtCreateSymbolicLinkObject +__asm__("Sw3NtCreateSymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010BD4667 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010BD4667 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateThreadEx Sw3NtCreateThreadEx +__asm__("Sw3NtCreateThreadEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052B396EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052B396EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTimer Sw3NtCreateTimer +__asm__("Sw3NtCreateTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07DC783AF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07DC783AF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTimer2 Sw3NtCreateTimer2 +__asm__("Sw3NtCreateTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D2BA19AC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D2BA19AC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateToken Sw3NtCreateToken +__asm__("Sw3NtCreateToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x071D583B5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x071D583B5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTokenEx Sw3NtCreateTokenEx +__asm__("Sw3NtCreateTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0786322BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0786322BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTransaction Sw3NtCreateTransaction +__asm__("Sw3NtCreateTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01774D223 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01774D223 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTransactionManager Sw3NtCreateTransactionManager +__asm__("Sw3NtCreateTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011B13D28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011B13D28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateUserProcess Sw3NtCreateUserProcess +__asm__("Sw3NtCreateUserProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E34A7BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E34A7BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWaitCompletionPacket Sw3NtCreateWaitCompletionPacket +__asm__("Sw3NtCreateWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B96399DE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B96399DE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWaitablePort Sw3NtCreateWaitablePort +__asm__("Sw3NtCreateWaitablePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A4B64F29 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A4B64F29 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWnfStateName Sw3NtCreateWnfStateName +__asm__("Sw3NtCreateWnfStateName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074924D47 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074924D47 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWorkerFactory Sw3NtCreateWorkerFactory +__asm__("Sw3NtCreateWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x001151588 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x001151588 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDebugActiveProcess Sw3NtDebugActiveProcess +__asm__("Sw3NtDebugActiveProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x025952408 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x025952408 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDebugContinue Sw3NtDebugContinue +__asm__("Sw3NtDebugContinue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D670918C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D670918C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteAtom Sw3NtDeleteAtom +__asm__("Sw3NtDeleteAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034A2D02B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034A2D02B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteBootEntry Sw3NtDeleteBootEntry +__asm__("Sw3NtDeleteBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x009841114 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x009841114 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteDriverEntry Sw3NtDeleteDriverEntry +__asm__("Sw3NtDeleteDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x003920900 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x003920900 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteFile Sw3NtDeleteFile +__asm__("Sw3NtDeleteFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004B5CCE7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004B5CCE7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteKey Sw3NtDeleteKey +__asm__("Sw3NtDeleteKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01A4EC31C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01A4EC31C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteObjectAuditAlarm Sw3NtDeleteObjectAuditAlarm +__asm__("Sw3NtDeleteObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC93EE5E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC93EE5E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeletePrivateNamespace Sw3NtDeletePrivateNamespace +__asm__("Sw3NtDeletePrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011BDE62F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011BDE62F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteValueKey Sw3NtDeleteValueKey +__asm__("Sw3NtDeleteValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02E9B310C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02E9B310C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteWnfStateData Sw3NtDeleteWnfStateData +__asm__("Sw3NtDeleteWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x062DD908C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x062DD908C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteWnfStateName Sw3NtDeleteWnfStateName +__asm__("Sw3NtDeleteWnfStateName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004CB81D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004CB81D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDisableLastKnownGood Sw3NtDisableLastKnownGood +__asm__("Sw3NtDisableLastKnownGood: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007B88DAE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007B88DAE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDisplayString Sw3NtDisplayString +__asm__("Sw3NtDisplayString: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FACDACF0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FACDACF0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDrawText Sw3NtDrawText +__asm__("Sw3NtDrawText: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A2DD8D4F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A2DD8D4F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnableLastKnownGood Sw3NtEnableLastKnownGood +__asm__("Sw3NtEnableLastKnownGood: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029BA1D12 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029BA1D12 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateBootEntries Sw3NtEnumerateBootEntries +__asm__("Sw3NtEnumerateBootEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F965FEF2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F965FEF2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateDriverEntries Sw3NtEnumerateDriverEntries +__asm__("Sw3NtEnumerateDriverEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00126F94D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00126F94D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateSystemEnvironmentValuesEx Sw3NtEnumerateSystemEnvironmentValuesEx +__asm__("Sw3NtEnumerateSystemEnvironmentValuesEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F160323B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F160323B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateTransactionObject Sw3NtEnumerateTransactionObject +__asm__("Sw3NtEnumerateTransactionObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x084B9B415 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x084B9B415 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwExtendSection Sw3NtExtendSection +__asm__("Sw3NtExtendSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F76CD7F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F76CD7F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterBootOption Sw3NtFilterBootOption +__asm__("Sw3NtFilterBootOption: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0048823DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0048823DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterToken Sw3NtFilterToken +__asm__("Sw3NtFilterToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D950306 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D950306 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterTokenEx Sw3NtFilterTokenEx +__asm__("Sw3NtFilterTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00691504E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00691504E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushBuffersFileEx Sw3NtFlushBuffersFileEx +__asm__("Sw3NtFlushBuffersFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04DA38117 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04DA38117 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushInstallUILanguage Sw3NtFlushInstallUILanguage +__asm__("Sw3NtFlushInstallUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C415F3C9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C415F3C9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushInstructionCache Sw3NtFlushInstructionCache +__asm__("Sw3NtFlushInstructionCache: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069BE1567 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069BE1567 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushKey Sw3NtFlushKey +__asm__("Sw3NtFlushKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08491A72B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08491A72B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushProcessWriteBuffers Sw3NtFlushProcessWriteBuffers +__asm__("Sw3NtFlushProcessWriteBuffers: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0405C4CC4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0405C4CC4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushVirtualMemory Sw3NtFlushVirtualMemory +__asm__("Sw3NtFlushVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D964559 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D964559 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushWriteBuffer Sw3NtFlushWriteBuffer +__asm__("Sw3NtFlushWriteBuffer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01282CC22 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01282CC22 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreeUserPhysicalPages Sw3NtFreeUserPhysicalPages +__asm__("Sw3NtFreeUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FF61E8E2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FF61E8E2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreezeRegistry Sw3NtFreezeRegistry +__asm__("Sw3NtFreezeRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x002DA7A2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x002DA7A2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreezeTransactions Sw3NtFreezeTransactions +__asm__("Sw3NtFreezeTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04BDBA8CD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04BDBA8CD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCachedSigningLevel Sw3NtGetCachedSigningLevel +__asm__("Sw3NtGetCachedSigningLevel: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0989B1BA4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0989B1BA4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCompleteWnfStateSubscription Sw3NtGetCompleteWnfStateSubscription +__asm__("Sw3NtGetCompleteWnfStateSubscription: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A922E03 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A922E03 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetContextThread Sw3NtGetContextThread +__asm__("Sw3NtGetContextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E84FA6ED \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E84FA6ED \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCurrentProcessorNumber Sw3NtGetCurrentProcessorNumber +__asm__("Sw3NtGetCurrentProcessorNumber: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007AAEEF2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007AAEEF2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCurrentProcessorNumberEx Sw3NtGetCurrentProcessorNumberEx +__asm__("Sw3NtGetCurrentProcessorNumberEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07F57B303 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07F57B303 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetDevicePowerState Sw3NtGetDevicePowerState +__asm__("Sw3NtGetDevicePowerState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08D9DED10 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08D9DED10 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetMUIRegistryInfo Sw3NtGetMUIRegistryInfo +__asm__("Sw3NtGetMUIRegistryInfo: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x084BFA417 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x084BFA417 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNextProcess Sw3NtGetNextProcess +__asm__("Sw3NtGetNextProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005AB0E34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005AB0E34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNextThread Sw3NtGetNextThread +__asm__("Sw3NtGetNextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C304109 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C304109 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNlsSectionPtr Sw3NtGetNlsSectionPtr +__asm__("Sw3NtGetNlsSectionPtr: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B512DB0E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B512DB0E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNotificationResourceManager Sw3NtGetNotificationResourceManager +__asm__("Sw3NtGetNotificationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029BEF3F6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029BEF3F6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetWriteWatch Sw3NtGetWriteWatch +__asm__("Sw3NtGetWriteWatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E749E9DF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E749E9DF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateAnonymousToken Sw3NtImpersonateAnonymousToken +__asm__("Sw3NtImpersonateAnonymousToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06FD97754 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06FD97754 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateThread Sw3NtImpersonateThread +__asm__("Sw3NtImpersonateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x089284184 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x089284184 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeEnclave Sw3NtInitializeEnclave +__asm__("Sw3NtInitializeEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AB60A7C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AB60A7C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeNlsFiles Sw3NtInitializeNlsFiles +__asm__("Sw3NtInitializeNlsFiles: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x096B3A70C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x096B3A70C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeRegistry Sw3NtInitializeRegistry +__asm__("Sw3NtInitializeRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012990011 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012990011 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitiatePowerAction Sw3NtInitiatePowerAction +__asm__("Sw3NtInitiatePowerAction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C178E87 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C178E87 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsSystemResumeAutomatic Sw3NtIsSystemResumeAutomatic +__asm__("Sw3NtIsSystemResumeAutomatic: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01EB92B2E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01EB92B2E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsUILanguageComitted Sw3NtIsUILanguageComitted +__asm__("Sw3NtIsUILanguageComitted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0161A2485 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0161A2485 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwListenPort Sw3NtListenPort +__asm__("Sw3NtListenPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A23199FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A23199FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadDriver Sw3NtLoadDriver +__asm__("Sw3NtLoadDriver: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E447D09E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E447D09E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadEnclaveData Sw3NtLoadEnclaveData +__asm__("Sw3NtLoadEnclaveData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BD034913 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BD034913 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadHotPatch Sw3NtLoadHotPatch +__asm__("Sw3NtLoadHotPatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E4BF28EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E4BF28EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKey Sw3NtLoadKey +__asm__("Sw3NtLoadKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C13CC0A4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C13CC0A4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKey2 Sw3NtLoadKey2 +__asm__("Sw3NtLoadKey2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x065FDAE60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x065FDAE60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKeyEx Sw3NtLoadKeyEx +__asm__("Sw3NtLoadKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B98CCC7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B98CCC7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockFile Sw3NtLockFile +__asm__("Sw3NtLockFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AD9107E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AD9107E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockProductActivationKeys Sw3NtLockProductActivationKeys +__asm__("Sw3NtLockProductActivationKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04AD7A349 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04AD7A349 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockRegistryKey Sw3NtLockRegistryKey +__asm__("Sw3NtLockRegistryKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0172102BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0172102BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockVirtualMemory Sw3NtLockVirtualMemory +__asm__("Sw3NtLockVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B1ADA932 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B1ADA932 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMakePermanentObject Sw3NtMakePermanentObject +__asm__("Sw3NtMakePermanentObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012BC4C11 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012BC4C11 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMakeTemporaryObject Sw3NtMakeTemporaryObject +__asm__("Sw3NtMakeTemporaryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074591ABA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074591ABA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwManagePartition Sw3NtManagePartition +__asm__("Sw3NtManagePartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00C9C6847 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00C9C6847 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapCMFModule Sw3NtMapCMFModule +__asm__("Sw3NtMapCMFModule: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054DC6E5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054DC6E5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapUserPhysicalPages Sw3NtMapUserPhysicalPages +__asm__("Sw3NtMapUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09EA0B300 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09EA0B300 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapViewOfSectionEx Sw3NtMapViewOfSectionEx +__asm__("Sw3NtMapViewOfSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0169D6260 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0169D6260 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwModifyBootEntry Sw3NtModifyBootEntry +__asm__("Sw3NtModifyBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0099D1D02 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0099D1D02 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwModifyDriverEntry Sw3NtModifyDriverEntry +__asm__("Sw3NtModifyDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x031E02178 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x031E02178 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeDirectoryFile Sw3NtNotifyChangeDirectoryFile +__asm__("Sw3NtNotifyChangeDirectoryFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024B4D4EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024B4D4EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeDirectoryFileEx Sw3NtNotifyChangeDirectoryFileEx +__asm__("Sw3NtNotifyChangeDirectoryFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C05A2120 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C05A2120 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeKey Sw3NtNotifyChangeKey +__asm__("Sw3NtNotifyChangeKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA9AA900 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA9AA900 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeMultipleKeys Sw3NtNotifyChangeMultipleKeys +__asm__("Sw3NtNotifyChangeMultipleKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B433BF47 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B433BF47 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeSession Sw3NtNotifyChangeSession +__asm__("Sw3NtNotifyChangeSession: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0178CD9D0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0178CD9D0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEnlistment Sw3NtOpenEnlistment +__asm__("Sw3NtOpenEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C9E33DA4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C9E33DA4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEventPair Sw3NtOpenEventPair +__asm__("Sw3NtOpenEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EE36E41 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EE36E41 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenIoCompletion Sw3NtOpenIoCompletion +__asm__("Sw3NtOpenIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C2EDE2B3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C2EDE2B3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenJobObject Sw3NtOpenJobObject +__asm__("Sw3NtOpenJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00738FD36 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00738FD36 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyEx Sw3NtOpenKeyEx +__asm__("Sw3NtOpenKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FC7F0902 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FC7F0902 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyTransacted Sw3NtOpenKeyTransacted +__asm__("Sw3NtOpenKeyTransacted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D09DB644 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D09DB644 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyTransactedEx Sw3NtOpenKeyTransactedEx +__asm__("Sw3NtOpenKeyTransactedEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E8D8A821 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E8D8A821 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyedEvent Sw3NtOpenKeyedEvent +__asm__("Sw3NtOpenKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048CA4B5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048CA4B5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenMutant Sw3NtOpenMutant +__asm__("Sw3NtOpenMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CD8FA06E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CD8FA06E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenObjectAuditAlarm Sw3NtOpenObjectAuditAlarm +__asm__("Sw3NtOpenObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E30605C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E30605C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenPartition Sw3NtOpenPartition +__asm__("Sw3NtOpenPartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB441A16 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB441A16 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenPrivateNamespace Sw3NtOpenPrivateNamespace +__asm__("Sw3NtOpenPrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CACEFD5D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CACEFD5D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcessToken Sw3NtOpenProcessToken +__asm__("Sw3NtOpenProcessToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00396888F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00396888F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenRegistryTransaction Sw3NtOpenRegistryTransaction +__asm__("Sw3NtOpenRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A1D34B5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A1D34B5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenResourceManager Sw3NtOpenResourceManager +__asm__("Sw3NtOpenResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A929FB0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A929FB0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSemaphore Sw3NtOpenSemaphore +__asm__("Sw3NtOpenSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D8880239 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D8880239 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSession Sw3NtOpenSession +__asm__("Sw3NtOpenSession: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E05BC99 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E05BC99 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSymbolicLinkObject Sw3NtOpenSymbolicLinkObject +__asm__("Sw3NtOpenSymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00406029B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00406029B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThread Sw3NtOpenThread +__asm__("Sw3NtOpenThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0020050BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0020050BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTimer Sw3NtOpenTimer +__asm__("Sw3NtOpenTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004130C89 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004130C89 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTransaction Sw3NtOpenTransaction +__asm__("Sw3NtOpenTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D20DF2D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D20DF2D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTransactionManager Sw3NtOpenTransactionManager +__asm__("Sw3NtOpenTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0192279D1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0192279D1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPlugPlayControl Sw3NtPlugPlayControl +__asm__("Sw3NtPlugPlayControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00791E1C3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00791E1C3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrePrepareComplete Sw3NtPrePrepareComplete +__asm__("Sw3NtPrePrepareComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02CD0DB5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02CD0DB5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrePrepareEnlistment Sw3NtPrePrepareEnlistment +__asm__("Sw3NtPrePrepareEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00CB6CCC5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00CB6CCC5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrepareComplete Sw3NtPrepareComplete +__asm__("Sw3NtPrepareComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048D1B28E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048D1B28E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrepareEnlistment Sw3NtPrepareEnlistment +__asm__("Sw3NtPrepareEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0098CC9DB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0098CC9DB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegeCheck Sw3NtPrivilegeCheck +__asm__("Sw3NtPrivilegeCheck: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AB5D195 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AB5D195 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegeObjectAuditAlarm Sw3NtPrivilegeObjectAuditAlarm +__asm__("Sw3NtPrivilegeObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D2D5D440 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D2D5D440 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegedServiceAuditAlarm Sw3NtPrivilegedServiceAuditAlarm +__asm__("Sw3NtPrivilegedServiceAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D6B931EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D6B931EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPropagationComplete Sw3NtPropagationComplete +__asm__("Sw3NtPropagationComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ACB0C7BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ACB0C7BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPropagationFailed Sw3NtPropagationFailed +__asm__("Sw3NtPropagationFailed: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02196A18A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02196A18A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPulseEvent Sw3NtPulseEvent +__asm__("Sw3NtPulseEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0020513EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0020513EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryAuxiliaryCounterFrequency Sw3NtQueryAuxiliaryCounterFrequency +__asm__("Sw3NtQueryAuxiliaryCounterFrequency: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x077470AC1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x077470AC1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryBootEntryOrder Sw3NtQueryBootEntryOrder +__asm__("Sw3NtQueryBootEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08B9E7C9A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08B9E7C9A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryBootOptions Sw3NtQueryBootOptions +__asm__("Sw3NtQueryBootOptions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A9BE4C6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A9BE4C6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDebugFilterState Sw3NtQueryDebugFilterState +__asm__("Sw3NtQueryDebugFilterState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x032903C34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x032903C34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryFileEx Sw3NtQueryDirectoryFileEx +__asm__("Sw3NtQueryDirectoryFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07682ACD0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07682ACD0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryObject Sw3NtQueryDirectoryObject +__asm__("Sw3NtQueryDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04B637DD9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04B637DD9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDriverEntryOrder Sw3NtQueryDriverEntryOrder +__asm__("Sw3NtQueryDriverEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09B396272 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09B396272 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryEaFile Sw3NtQueryEaFile +__asm__("Sw3NtQueryEaFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FDDC2DE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FDDC2DE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryFullAttributesFile Sw3NtQueryFullAttributesFile +__asm__("Sw3NtQueryFullAttributesFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x008B96472 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x008B96472 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationAtom Sw3NtQueryInformationAtom +__asm__("Sw3NtQueryInformationAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D13DB435 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D13DB435 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationByName Sw3NtQueryInformationByName +__asm__("Sw3NtQueryInformationByName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B8D9C539 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B8D9C539 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationEnlistment Sw3NtQueryInformationEnlistment +__asm__("Sw3NtQueryInformationEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D651E9F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D651E9F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationJobObject Sw3NtQueryInformationJobObject +__asm__("Sw3NtQueryInformationJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB44F9DA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB44F9DA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationPort Sw3NtQueryInformationPort +__asm__("Sw3NtQueryInformationPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A538AABB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A538AABB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationResourceManager Sw3NtQueryInformationResourceManager +__asm__("Sw3NtQueryInformationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01EB789B6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01EB789B6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationTransaction Sw3NtQueryInformationTransaction +__asm__("Sw3NtQueryInformationTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x076EC1431 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x076EC1431 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationTransactionManager Sw3NtQueryInformationTransactionManager +__asm__("Sw3NtQueryInformationTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029B0E7E0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029B0E7E0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationWorkerFactory Sw3NtQueryInformationWorkerFactory +__asm__("Sw3NtQueryInformationWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00C5218CF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00C5218CF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInstallUILanguage Sw3NtQueryInstallUILanguage +__asm__("Sw3NtQueryInstallUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A8365A2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A8365A2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryIntervalProfile Sw3NtQueryIntervalProfile +__asm__("Sw3NtQueryIntervalProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E3C579E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E3C579E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryIoCompletion Sw3NtQueryIoCompletion +__asm__("Sw3NtQueryIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C96EA06 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C96EA06 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryLicenseValue Sw3NtQueryLicenseValue +__asm__("Sw3NtQueryLicenseValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07A91453E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07A91453E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryMultipleValueKey Sw3NtQueryMultipleValueKey +__asm__("Sw3NtQueryMultipleValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00AFB1769 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00AFB1769 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryMutant Sw3NtQueryMutant +__asm__("Sw3NtQueryMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0963399A0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0963399A0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryOpenSubKeys Sw3NtQueryOpenSubKeys +__asm__("Sw3NtQueryOpenSubKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0EEBBE53D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0EEBBE53D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryOpenSubKeysEx Sw3NtQueryOpenSubKeysEx +__asm__("Sw3NtQueryOpenSubKeysEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B87C6D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B87C6D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryPortInformationProcess Sw3NtQueryPortInformationProcess +__asm__("Sw3NtQueryPortInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0772C96B0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0772C96B0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryQuotaInformationFile Sw3NtQueryQuotaInformationFile +__asm__("Sw3NtQueryQuotaInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010947812 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010947812 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityAttributesToken Sw3NtQuerySecurityAttributesToken +__asm__("Sw3NtQuerySecurityAttributesToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C95FC9FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C95FC9FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityObject Sw3NtQuerySecurityObject +__asm__("Sw3NtQuerySecurityObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08BB5B9FB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08BB5B9FB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityPolicy Sw3NtQuerySecurityPolicy +__asm__("Sw3NtQuerySecurityPolicy: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x091ABB6F7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x091ABB6F7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySemaphore Sw3NtQuerySemaphore +__asm__("Sw3NtQuerySemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08716AD59 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08716AD59 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySymbolicLinkObject Sw3NtQuerySymbolicLinkObject +__asm__("Sw3NtQuerySymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x086B9BEF5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x086B9BEF5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemEnvironmentValue Sw3NtQuerySystemEnvironmentValue +__asm__("Sw3NtQuerySystemEnvironmentValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0069D86B6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0069D86B6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemEnvironmentValueEx Sw3NtQuerySystemEnvironmentValueEx +__asm__("Sw3NtQuerySystemEnvironmentValueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0002A4CFF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0002A4CFF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemInformationEx Sw3NtQuerySystemInformationEx +__asm__("Sw3NtQuerySystemInformationEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010EA582A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010EA582A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryTimerResolution Sw3NtQueryTimerResolution +__asm__("Sw3NtQueryTimerResolution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012081297 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012081297 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryWnfStateData Sw3NtQueryWnfStateData +__asm__("Sw3NtQueryWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C685D537 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C685D537 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryWnfStateNameInformation Sw3NtQueryWnfStateNameInformation +__asm__("Sw3NtQueryWnfStateNameInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018037A0F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018037A0F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueueApcThreadEx Sw3NtQueueApcThreadEx +__asm__("Sw3NtQueueApcThreadEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x055B8097C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x055B8097C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRaiseException Sw3NtRaiseException +__asm__("Sw3NtRaiseException: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00892543F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00892543F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRaiseHardError Sw3NtRaiseHardError +__asm__("Sw3NtRaiseHardError: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D651D7C2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D651D7C2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadOnlyEnlistment Sw3NtReadOnlyEnlistment +__asm__("Sw3NtReadOnlyEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069D16043 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069D16043 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverEnlistment Sw3NtRecoverEnlistment +__asm__("Sw3NtRecoverEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x071EE9685 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x071EE9685 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverResourceManager Sw3NtRecoverResourceManager +__asm__("Sw3NtRecoverResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069B70354 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069B70354 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverTransactionManager Sw3NtRecoverTransactionManager +__asm__("Sw3NtRecoverTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06BB46528 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06BB46528 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRegisterProtocolAddressInformation Sw3NtRegisterProtocolAddressInformation +__asm__("Sw3NtRegisterProtocolAddressInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01FB52134 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01FB52134 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRegisterThreadTerminatePort Sw3NtRegisterThreadTerminatePort +__asm__("Sw3NtRegisterThreadTerminatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA3EA3A2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA3EA3A2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseKeyedEvent Sw3NtReleaseKeyedEvent +__asm__("Sw3NtReleaseKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EE15774 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EE15774 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseWorkerFactoryWorker Sw3NtReleaseWorkerFactoryWorker +__asm__("Sw3NtReleaseWorkerFactoryWorker: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x094A3F471 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x094A3F471 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveIoCompletionEx Sw3NtRemoveIoCompletionEx +__asm__("Sw3NtRemoveIoCompletionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06CCEA288 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06CCEA288 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveProcessDebug Sw3NtRemoveProcessDebug +__asm__("Sw3NtRemoveProcessDebug: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04024538C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04024538C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRenameKey Sw3NtRenameKey +__asm__("Sw3NtRenameKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AFA85AD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AFA85AD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRenameTransactionManager Sw3NtRenameTransactionManager +__asm__("Sw3NtRenameTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0633CAD60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0633CAD60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplaceKey Sw3NtReplaceKey +__asm__("Sw3NtReplaceKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EE37B7F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EE37B7F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplacePartitionUnit Sw3NtReplacePartitionUnit +__asm__("Sw3NtReplacePartitionUnit: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F778C9F1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F778C9F1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReplyPort Sw3NtReplyWaitReplyPort +__asm__("Sw3NtReplyWaitReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x062F05F50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x062F05F50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestPort Sw3NtRequestPort +__asm__("Sw3NtRequestPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06EF0676E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06EF0676E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResetEvent Sw3NtResetEvent +__asm__("Sw3NtResetEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08A2195B2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08A2195B2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResetWriteWatch Sw3NtResetWriteWatch +__asm__("Sw3NtResetWriteWatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C429076 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C429076 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRestoreKey Sw3NtRestoreKey +__asm__("Sw3NtRestoreKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EAA1F50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EAA1F50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResumeProcess Sw3NtResumeProcess +__asm__("Sw3NtResumeProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D12F37BA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D12F37BA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRevertContainerImpersonation Sw3NtRevertContainerImpersonation +__asm__("Sw3NtRevertContainerImpersonation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EC85E5F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EC85E5F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackComplete Sw3NtRollbackComplete +__asm__("Sw3NtRollbackComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0964B681E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0964B681E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackEnlistment Sw3NtRollbackEnlistment +__asm__("Sw3NtRollbackEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F96E984 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F96E984 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackRegistryTransaction Sw3NtRollbackRegistryTransaction +__asm__("Sw3NtRollbackRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02CA8701B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02CA8701B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackTransaction Sw3NtRollbackTransaction +__asm__("Sw3NtRollbackTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D450DD4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D450DD4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollforwardTransactionManager Sw3NtRollforwardTransactionManager +__asm__("Sw3NtRollforwardTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005C180D2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005C180D2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveKey Sw3NtSaveKey +__asm__("Sw3NtSaveKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066FE5744 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066FE5744 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveKeyEx Sw3NtSaveKeyEx +__asm__("Sw3NtSaveKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x031BBFDCF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x031BBFDCF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveMergedKeys Sw3NtSaveMergedKeys +__asm__("Sw3NtSaveMergedKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02AB6171D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02AB6171D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSecureConnectPort Sw3NtSecureConnectPort +__asm__("Sw3NtSecureConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DE4DC7A0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DE4DC7A0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSerializeBoot Sw3NtSerializeBoot +__asm__("Sw3NtSerializeBoot: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0329C2233 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0329C2233 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetBootEntryOrder Sw3NtSetBootEntryOrder +__asm__("Sw3NtSetBootEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x073CD5B57 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x073CD5B57 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetBootOptions Sw3NtSetBootOptions +__asm__("Sw3NtSetBootOptions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x017953D01 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x017953D01 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetCachedSigningLevel Sw3NtSetCachedSigningLevel +__asm__("Sw3NtSetCachedSigningLevel: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0207226C3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0207226C3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetCachedSigningLevel2 Sw3NtSetCachedSigningLevel2 +__asm__("Sw3NtSetCachedSigningLevel2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E3526281 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E3526281 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetContextThread Sw3NtSetContextThread +__asm__("Sw3NtSetContextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034963C39 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034963C39 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDebugFilterState Sw3NtSetDebugFilterState +__asm__("Sw3NtSetDebugFilterState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0229809D4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0229809D4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultHardErrorPort Sw3NtSetDefaultHardErrorPort +__asm__("Sw3NtSetDefaultHardErrorPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024B75F38 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024B75F38 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultLocale Sw3NtSetDefaultLocale +__asm__("Sw3NtSetDefaultLocale: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x043DE7109 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x043DE7109 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultUILanguage Sw3NtSetDefaultUILanguage +__asm__("Sw3NtSetDefaultUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A91B6FBA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A91B6FBA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDriverEntryOrder Sw3NtSetDriverEntryOrder +__asm__("Sw3NtSetDriverEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0218D1735 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0218D1735 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEaFile Sw3NtSetEaFile +__asm__("Sw3NtSetEaFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03E6540BD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03E6540BD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetHighEventPair Sw3NtSetHighEventPair +__asm__("Sw3NtSetHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074CC93A2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074CC93A2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetHighWaitLowEventPair Sw3NtSetHighWaitLowEventPair +__asm__("Sw3NtSetHighWaitLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00EB0323D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00EB0323D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIRTimer Sw3NtSetIRTimer +__asm__("Sw3NtSetIRTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x027973716 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x027973716 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationDebugObject Sw3NtSetInformationDebugObject +__asm__("Sw3NtSetInformationDebugObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x068559059 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x068559059 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationEnlistment Sw3NtSetInformationEnlistment +__asm__("Sw3NtSetInformationEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0099B2C2D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0099B2C2D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationJobObject Sw3NtSetInformationJobObject +__asm__("Sw3NtSetInformationJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FF54C7D8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FF54C7D8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationKey Sw3NtSetInformationKey +__asm__("Sw3NtSetInformationKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AE9B3988 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AE9B3988 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationResourceManager Sw3NtSetInformationResourceManager +__asm__("Sw3NtSetInformationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00531159C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00531159C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationSymbolicLink Sw3NtSetInformationSymbolicLink +__asm__("Sw3NtSetInformationSymbolicLink: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F357F3C1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F357F3C1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationToken Sw3NtSetInformationToken +__asm__("Sw3NtSetInformationToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07355266E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07355266E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationTransaction Sw3NtSetInformationTransaction +__asm__("Sw3NtSetInformationTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04886065F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04886065F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationTransactionManager Sw3NtSetInformationTransactionManager +__asm__("Sw3NtSetInformationTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BB65C7A8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BB65C7A8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationVirtualMemory Sw3NtSetInformationVirtualMemory +__asm__("Sw3NtSetInformationVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FB90F506 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FB90F506 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationWorkerFactory Sw3NtSetInformationWorkerFactory +__asm__("Sw3NtSetInformationWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB4AD3C5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB4AD3C5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIntervalProfile Sw3NtSetIntervalProfile +__asm__("Sw3NtSetIntervalProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F4BF6DBB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F4BF6DBB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIoCompletion Sw3NtSetIoCompletion +__asm__("Sw3NtSetIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03EA41FF3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03EA41FF3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIoCompletionEx Sw3NtSetIoCompletionEx +__asm__("Sw3NtSetIoCompletionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A156DDD2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A156DDD2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLdtEntries Sw3NtSetLdtEntries +__asm__("Sw3NtSetLdtEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02A81C395 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02A81C395 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLowEventPair Sw3NtSetLowEventPair +__asm__("Sw3NtSetLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EB2462B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EB2462B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLowWaitHighEventPair Sw3NtSetLowWaitHighEventPair +__asm__("Sw3NtSetLowWaitHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02232329B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02232329B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetQuotaInformationFile Sw3NtSetQuotaInformationFile +__asm__("Sw3NtSetQuotaInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DE5F0418 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DE5F0418 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSecurityObject Sw3NtSetSecurityObject +__asm__("Sw3NtSetSecurityObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FA40C2CC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FA40C2CC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemEnvironmentValue Sw3NtSetSystemEnvironmentValue +__asm__("Sw3NtSetSystemEnvironmentValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03C972B1C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03C972B1C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemEnvironmentValueEx Sw3NtSetSystemEnvironmentValueEx +__asm__("Sw3NtSetSystemEnvironmentValueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0978AC356 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0978AC356 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemInformation Sw3NtSetSystemInformation +__asm__("Sw3NtSetSystemInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0349A4F8F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0349A4F8F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemPowerState Sw3NtSetSystemPowerState +__asm__("Sw3NtSetSystemPowerState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01CA3F6D2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01CA3F6D2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemTime Sw3NtSetSystemTime +__asm__("Sw3NtSetSystemTime: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x086A2D69F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x086A2D69F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetThreadExecutionState Sw3NtSetThreadExecutionState +__asm__("Sw3NtSetThreadExecutionState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09D966489 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09D966489 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimer2 Sw3NtSetTimer2 +__asm__("Sw3NtSetTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01DA4DA2D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01DA4DA2D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimerEx Sw3NtSetTimerEx +__asm__("Sw3NtSetTimerEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x026B9998E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x026B9998E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimerResolution Sw3NtSetTimerResolution +__asm__("Sw3NtSetTimerResolution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03CAB3C3D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03CAB3C3D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetUuidSeed Sw3NtSetUuidSeed +__asm__("Sw3NtSetUuidSeed: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F1CF72F3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F1CF72F3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetVolumeInformationFile Sw3NtSetVolumeInformationFile +__asm__("Sw3NtSetVolumeInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A9CC2BA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A9CC2BA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetWnfProcessNotificationEvent Sw3NtSetWnfProcessNotificationEvent +__asm__("Sw3NtSetWnfProcessNotificationEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03924D47D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03924D47D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwShutdownSystem Sw3NtShutdownSystem +__asm__("Sw3NtShutdownSystem: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x090BC8003 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x090BC8003 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwShutdownWorkerFactory Sw3NtShutdownWorkerFactory +__asm__("Sw3NtShutdownWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C02BABA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C02BABA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSignalAndWaitForSingleObject Sw3NtSignalAndWaitForSingleObject +__asm__("Sw3NtSignalAndWaitForSingleObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07CA8145F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07CA8145F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSinglePhaseReject Sw3NtSinglePhaseReject +__asm__("Sw3NtSinglePhaseReject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03E850E39 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03E850E39 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStartProfile Sw3NtStartProfile +__asm__("Sw3NtStartProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC9D0F3B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC9D0F3B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStopProfile Sw3NtStopProfile +__asm__("Sw3NtStopProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010B49B84 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010B49B84 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSubscribeWnfStateChange Sw3NtSubscribeWnfStateChange +__asm__("Sw3NtSubscribeWnfStateChange: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC5EFDC4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC5EFDC4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSuspendProcess Sw3NtSuspendProcess +__asm__("Sw3NtSuspendProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C6BBDF57 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C6BBDF57 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSuspendThread Sw3NtSuspendThread +__asm__("Sw3NtSuspendThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014B83629 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014B83629 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSystemDebugControl Sw3NtSystemDebugControl +__asm__("Sw3NtSystemDebugControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x047D16953 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x047D16953 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateEnclave Sw3NtTerminateEnclave +__asm__("Sw3NtTerminateEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00EC2F49E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00EC2F49E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateJobObject Sw3NtTerminateJobObject +__asm__("Sw3NtTerminateJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EA07C3D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EA07C3D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTestAlert Sw3NtTestAlert +__asm__("Sw3NtTestAlert: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F2C58F34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F2C58F34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwThawRegistry Sw3NtThawRegistry +__asm__("Sw3NtThawRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024AE2623 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024AE2623 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwThawTransactions Sw3NtThawTransactions +__asm__("Sw3NtThawTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC1ED09E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC1ED09E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTraceControl Sw3NtTraceControl +__asm__("Sw3NtTraceControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BF914486 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BF914486 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTranslateFilePath Sw3NtTranslateFilePath +__asm__("Sw3NtTranslateFilePath: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0721347BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0721347BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUmsThreadYield Sw3NtUmsThreadYield +__asm__("Sw3NtUmsThreadYield: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007BB766F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007BB766F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadDriver Sw3NtUnloadDriver +__asm__("Sw3NtUnloadDriver: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018AB3010 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018AB3010 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKey Sw3NtUnloadKey +__asm__("Sw3NtUnloadKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0082969B1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0082969B1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKey2 Sw3NtUnloadKey2 +__asm__("Sw3NtUnloadKey2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B92132FC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B92132FC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKeyEx Sw3NtUnloadKeyEx +__asm__("Sw3NtUnloadKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07B98ADC5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07B98ADC5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnlockFile Sw3NtUnlockFile +__asm__("Sw3NtUnlockFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x009990733 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x009990733 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnlockVirtualMemory Sw3NtUnlockVirtualMemory +__asm__("Sw3NtUnlockVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A5B00DB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A5B00DB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnmapViewOfSectionEx Sw3NtUnmapViewOfSectionEx +__asm__("Sw3NtUnmapViewOfSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09A91C446 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09A91C446 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnsubscribeWnfStateChange Sw3NtUnsubscribeWnfStateChange +__asm__("Sw3NtUnsubscribeWnfStateChange: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D344D0DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D344D0DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUpdateWnfStateData Sw3NtUpdateWnfStateData +__asm__("Sw3NtUpdateWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066C9F2FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066C9F2FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwVdmControl Sw3NtVdmControl +__asm__("Sw3NtVdmControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09F93E505 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09F93E505 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForAlertByThreadId Sw3NtWaitForAlertByThreadId +__asm__("Sw3NtWaitForAlertByThreadId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ACB3E812 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ACB3E812 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForDebugEvent Sw3NtWaitForDebugEvent +__asm__("Sw3NtWaitForDebugEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01085371E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01085371E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForKeyedEvent Sw3NtWaitForKeyedEvent +__asm__("Sw3NtWaitForKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B73DA6BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B73DA6BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForWorkViaWorkerFactory Sw3NtWaitForWorkViaWorkerFactory +__asm__("Sw3NtWaitForWorkViaWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x044954E00 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x044954E00 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitHighEventPair Sw3NtWaitHighEventPair +__asm__("Sw3NtWaitHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08315B9B2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08315B9B2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitLowEventPair Sw3NtWaitLowEventPair +__asm__("Sw3NtWaitLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F4B1D4EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F4B1D4EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcquireCMFViewOwnership Sw3NtAcquireCMFViewOwnership +__asm__("Sw3NtAcquireCMFViewOwnership: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04E131538 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04E131538 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelDeviceWakeupRequest Sw3NtCancelDeviceWakeupRequest +__asm__("Sw3NtCancelDeviceWakeupRequest: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x041CF4952 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x041CF4952 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearAllSavepointsTransaction Sw3NtClearAllSavepointsTransaction +__asm__("Sw3NtClearAllSavepointsTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05D0961A3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05D0961A3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearSavepointTransaction Sw3NtClearSavepointTransaction +__asm__("Sw3NtClearSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A206BCAF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A206BCAF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackSavepointTransaction Sw3NtRollbackSavepointTransaction +__asm__("Sw3NtRollbackSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08099DE55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08099DE55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSavepointTransaction Sw3NtSavepointTransaction +__asm__("Sw3NtSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0174CD316 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0174CD316 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSavepointComplete Sw3NtSavepointComplete +__asm__("Sw3NtSavepointComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E9569349 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E9569349 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSectionEx Sw3NtCreateSectionEx +__asm__("Sw3NtCreateSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08694D44E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08694D44E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateCrossVmEvent Sw3NtCreateCrossVmEvent +__asm__("Sw3NtCreateCrossVmEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C60CCF98 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C60CCF98 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetPlugPlayEvent Sw3NtGetPlugPlayEvent +__asm__("Sw3NtGetPlugPlayEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0124DF03B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0124DF03B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwListTransactions Sw3NtListTransactions +__asm__("Sw3NtListTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F5D17D7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F5D17D7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMarshallTransaction Sw3NtMarshallTransaction +__asm__("Sw3NtMarshallTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074AA567B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074AA567B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPullTransaction Sw3NtPullTransaction +__asm__("Sw3NtPullTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C881EE55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C881EE55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseCMFViewOwnership Sw3NtReleaseCMFViewOwnership +__asm__("Sw3NtReleaseCMFViewOwnership: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0808559CF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0808559CF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForWnfNotifications Sw3NtWaitForWnfNotifications +__asm__("Sw3NtWaitForWnfNotifications: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C5893EE2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C5893EE2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStartTm Sw3NtStartTm +__asm__("Sw3NtStartTm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0539E1B22 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0539E1B22 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationProcess Sw3NtSetInformationProcess +__asm__("Sw3NtSetInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06739AA60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06739AA60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestDeviceWakeup Sw3NtRequestDeviceWakeup +__asm__("Sw3NtRequestDeviceWakeup: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x045A10570 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x045A10570 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestWakeupLatency Sw3NtRequestWakeupLatency +__asm__("Sw3NtRequestWakeupLatency: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x001095ECC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x001095ECC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemTime Sw3NtQuerySystemTime +__asm__("Sw3NtQuerySystemTime: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E96EBE5E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E96EBE5E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwManageHotPatch Sw3NtManageHotPatch +__asm__("Sw3NtManageHotPatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B0AD6FE9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B0AD6FE9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwContinueEx Sw3NtContinueEx +__asm__("Sw3NtContinueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F34DB5F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F34DB5F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#endif diff --git a/output/syscalls.c b/output/syscalls.c new file mode 100644 index 0000000..0e21d2e --- /dev/null +++ b/output/syscalls.c @@ -0,0 +1,306 @@ +#include "syscalls.h" + +//#define DEBUG + +#define JUMPER + +#ifdef _M_IX86 + +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) { + return (PVOID)__readfsdword(0xC0); +} + +__declspec(naked) BOOL local_is_wow64(void) +{ + __asm { + mov eax, fs:[0xc0] + test eax, eax + jne wow64 + mov eax, 0 + ret + wow64: + mov eax, 1 + ret + } +} + + +#endif + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +SW3_SYSCALL_LIST SW3_SyscallList; + +// SEARCH_AND_REPLACE +#ifdef SEARCH_AND_REPLACE +// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release +EXTERN void SearchAndReplace(unsigned char[], unsigned char[]); +#endif + +DWORD SW3_HashSyscall(PCSTR FunctionName) +{ + DWORD i = 0; + DWORD Hash = SW3_SEED; + + while (FunctionName[i]) + { + WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++); + Hash ^= PartialName + SW3_ROR8(Hash); + } + + return Hash; +} + +#ifndef JUMPER +PVOID SC_Address(PVOID NtApiAddress) +{ + return NULL; +} +#else +PVOID SC_Address(PVOID NtApiAddress) +{ + DWORD searchLimit = 512; + PVOID SyscallAddress; + + #ifdef _WIN64 + // If the process is 64-bit on a 64-bit OS, we need to search for syscall + BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 }; + ULONG distance_to_syscall = 0x12; + #else + // If the process is 32-bit on a 32-bit OS, we need to search for sysenter + BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 }; + ULONG distance_to_syscall = 0x0f; + #endif + + #ifdef _M_IX86 + // If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved + if (local_is_wow64()) + { + #ifdef DEBUG + // printf("[+] Running 32-bit app on x64 (WOW64)\n"); + #endif + return NULL; + } + #endif + + // we don't really care if there is a 'jmp' between + // NtApiAddress and the 'syscall; ret' instructions + SyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall); + + int match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // the 'syscall; ret' intructions have not been found, + // we will try to use one near it, similarly to HalosGate + + for (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++) + { + // let's try with an Nt* API below our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall + num_jumps * 0x20); + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // let's try with an Nt* API above our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall - num_jumps * 0x20); + + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + } + +#ifdef DEBUG + // printf("Syscall Opcodes not found!\n"); +#endif + + return NULL; +} +#endif + + +BOOL SW3_PopulateSyscallList() +{ + // Return early if the list is already populated. + if (SW3_SyscallList.Count) return TRUE; + + #ifdef _WIN64 + PSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60); + #else + PSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30); + #endif + PSW3_PEB_LDR_DATA Ldr = Peb->Ldr; + PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; + PVOID DllBase = NULL; + + // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second + // in the list, so it's safer to loop through the full list and find it. + PSW3_LDR_DATA_TABLE_ENTRY LdrEntry; + for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0]) + { + DllBase = LdrEntry->DllBase; + PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase; + PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew); + PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory; + DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + if (VirtualAddress == 0) continue; + + ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress); + + // If this is NTDLL.dll, exit loop. + PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name); + + if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue; + if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break; + } + + if (!ExportDirectory) return FALSE; + + DWORD NumberOfNames = ExportDirectory->NumberOfNames; + PDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions); + PDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames); + PWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals); + + // Populate SW3_SyscallList with unsorted Zw* entries. + DWORD i = 0; + PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries; + do + { + PCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]); + + // Is this a system call? + if (*(USHORT*)FunctionName == 0x775a) + { + Entries[i].Hash = SW3_HashSyscall(FunctionName); + Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]]; + Entries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address)); + + i++; + if (i == SW3_MAX_ENTRIES) break; + } + } while (--NumberOfNames); + + // Save total number of system calls found. + SW3_SyscallList.Count = i; + + // Sort the list by address in ascending order. + for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++) + { + for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++) + { + if (Entries[j].Address > Entries[j + 1].Address) + { + // Swap entries. + SW3_SYSCALL_ENTRY TempEntry; + + TempEntry.Hash = Entries[j].Hash; + TempEntry.Address = Entries[j].Address; + TempEntry.SyscallAddress = Entries[j].SyscallAddress; + + Entries[j].Hash = Entries[j + 1].Hash; + Entries[j].Address = Entries[j + 1].Address; + Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress; + + Entries[j + 1].Hash = TempEntry.Hash; + Entries[j + 1].Address = TempEntry.Address; + Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress; + } + } + } + + return TRUE; +} + +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return -1; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return i; + } + } + + return -1; +} + +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return SW3_SyscallList.Entries[i].SyscallAddress; + } + } + + return NULL; +} + +DWORD LCG() { + static DWORD seed = 123987654; + return (seed >> 16) & 0x7FFF; // return a pseudo-random number +} + +EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + DWORD index = LCG() % SW3_SyscallList.Count; + + while (FunctionHash == SW3_SyscallList.Entries[index].Hash){ + // Spoofing the syscall return address + index = LCG() % SW3_SyscallList.Count; + } + return SW3_SyscallList.Entries[index].SyscallAddress; +} diff --git a/output/syscalls.h b/output/syscalls.h new file mode 100644 index 0000000..213d46d --- /dev/null +++ b/output/syscalls.h @@ -0,0 +1,4057 @@ +#pragma once + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +#ifndef SW3_HEADER_H_ +#define SW3_HEADER_H_ + +#include +#include "syscalls-asm.h" + +#ifndef _NTDEF_ +typedef _Return_type_success_(return >= 0) LONG NTSTATUS; +typedef NTSTATUS* PNTSTATUS; +#endif + +#define SW3_SEED 0xCC6A5286 +#define SW3_ROL8(v) (v << 8 | v >> 24) +#define SW3_ROR8(v) (v >> 8 | v << 24) +#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v)) +#define SW3_MAX_ENTRIES 600 +#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva) + +// Typedefs are prefixed to avoid pollution. + +typedef struct _SW3_SYSCALL_ENTRY +{ +DWORD Hash; +DWORD Address; +PVOID SyscallAddress; +} SW3_SYSCALL_ENTRY, *PSW3_SYSCALL_ENTRY; + +typedef struct _SW3_SYSCALL_LIST +{ +DWORD Count; +SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES]; +} SW3_SYSCALL_LIST, *PSW3_SYSCALL_LIST; + +typedef struct _SW3_PEB_LDR_DATA { +BYTE Reserved1[8]; +PVOID Reserved2[3]; +LIST_ENTRY InMemoryOrderModuleList; +} SW3_PEB_LDR_DATA, *PSW3_PEB_LDR_DATA; + +typedef struct _SW3_LDR_DATA_TABLE_ENTRY { +PVOID Reserved1[2]; +LIST_ENTRY InMemoryOrderLinks; +PVOID Reserved2[2]; +PVOID DllBase; +} SW3_LDR_DATA_TABLE_ENTRY, *PSW3_LDR_DATA_TABLE_ENTRY; + +typedef struct _SW3_PEB { +BYTE Reserved1[2]; +BYTE BeingDebugged; +BYTE Reserved2[1]; +PVOID Reserved3[2]; +PSW3_PEB_LDR_DATA Ldr; +} SW3_PEB, *PSW3_PEB; + +DWORD SW3_HashSyscall(PCSTR FunctionName); +BOOL SW3_PopulateSyscallList(); +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash); +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash); +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID); +typedef struct _UNICODE_STRING +{ +USHORT Length; +USHORT MaximumLength; +PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _SYSTEM_HANDLE +{ +ULONG ProcessId; +BYTE ObjectTypeNumber; +BYTE Flags; +USHORT Handle; +PVOID Object; +ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ +PVOID pValue; +ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ +ULONG64 Version; +UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _WNF_TYPE_ID +{ +GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef enum _KCONTINUE_TYPE +{ +KCONTINUE_UNWIND, +KCONTINUE_RESUME, +KCONTINUE_LONGJUMP, +KCONTINUE_SET, +KCONTINUE_LAST +} KCONTINUE_TYPE; + +typedef struct _IO_STATUS_BLOCK +{ +union +{ +NTSTATUS Status; +VOID* Pointer; +}; +ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef enum _PS_CREATE_STATE +{ +PsCreateInitialState, +PsCreateFailOnFileOpen, +PsCreateFailOnSectionCreate, +PsCreateFailExeFormat, +PsCreateFailMachineMismatch, +PsCreateFailExeName, +PsCreateSuccess, +PsCreateMaximumStates +} PS_CREATE_STATE, *PPS_CREATE_STATE; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ +ULONG HandleCount; +SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _CLIENT_ID +{ +HANDLE UniqueProcess; +HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _PLUGPLAY_EVENT_CATEGORY +{ +HardwareProfileChangeEvent, +TargetDeviceChangeEvent, +DeviceClassChangeEvent, +CustomDeviceEvent, +DeviceInstallEvent, +DeviceArrivalEvent, +PowerEvent, +VetoEvent, +BlockedDriverEvent, +InvalidIDEvent, +MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef enum _PNP_VETO_TYPE +{ +PNP_VetoTypeUnknown, // unspecified +PNP_VetoLegacyDevice, // instance path +PNP_VetoPendingClose, // instance path +PNP_VetoWindowsApp, // module +PNP_VetoWindowsService, // service +PNP_VetoOutstandingOpen, // instance path +PNP_VetoDevice, // instance path +PNP_VetoDriver, // driver service name +PNP_VetoIllegalDeviceRequest, // instance path +PNP_VetoInsufficientPower, // unspecified +PNP_VetoNonDisableable, // instance path +PNP_VetoLegacyDriver, // service +PNP_VetoInsufficientRights // unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ +UNICODE_STRING Name; +USHORT ValueType; +USHORT Reserved; +ULONG Flags; +ULONG ValueCount; +union +{ +PLONG64 pInt64; +PULONG64 pUint64; +PUNICODE_STRING pString; +PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; +PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; +} Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +typedef VOID(KNORMAL_ROUTINE) ( +IN PVOID NormalContext, +IN PVOID SystemArgument1, +IN PVOID SystemArgument2); + +typedef struct _PS_ATTRIBUTE +{ +ULONG Attribute; +SIZE_T Size; +union +{ +ULONG Value; +PVOID ValuePtr; +} u1; +PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _WNF_STATE_NAME +{ +ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ +(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ +(p)->RootDirectory = r; \ +(p)->Attributes = a; \ +(p)->ObjectName = n; \ +(p)->SecurityDescriptor = s; \ +(p)->SecurityQualityOfService = NULL; \ +} +#endif + +typedef struct _KEY_VALUE_ENTRY +{ +PUNICODE_STRING ValueName; +ULONG DataLength; +ULONG DataOffset; +ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ +KeyWriteTimeInformation, +KeyWow64FlagsInformation, +KeyControlFlagsInformation, +KeySetVirtualizationInformation, +KeySetDebugInformation, +KeySetHandleTagsInformation, +MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. +} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ +SystemBasicInformation = 0, +SystemPerformanceInformation = 2, +SystemTimeOfDayInformation = 3, +SystemProcessInformation = 5, +SystemProcessorPerformanceInformation = 8, +SystemHandleInformation = 16, +SystemInterruptInformation = 23, +SystemExceptionInformation = 33, +SystemRegistryQuotaInformation = 37, +SystemLookasideInformation = 45, +SystemCodeIntegrityInformation = 103, +SystemPolicyInformation = 134, +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _PROCESSINFOCLASS +{ +ProcessBasicInformation = 0, +ProcessDebugPort = 7, +ProcessWow64Information = 26, +ProcessImageFileName = 27, +ProcessBreakOnTermination = 29 +} PROCESSINFOCLASS, *PPROCESSINFOCLASS; + +typedef struct _MEMORY_RANGE_ENTRY +{ +PVOID VirtualAddress; +SIZE_T NumberOfBytes; +} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; + +typedef struct _T2_SET_PARAMETERS_V0 +{ +ULONG Version; +ULONG Reserved; +LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; + +typedef struct _FILE_PATH +{ +ULONG Version; +ULONG Length; +ULONG Type; +CHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _FILE_USER_QUOTA_INFORMATION +{ +ULONG NextEntryOffset; +ULONG SidLength; +LARGE_INTEGER ChangeTime; +LARGE_INTEGER QuotaUsed; +LARGE_INTEGER QuotaThreshold; +LARGE_INTEGER QuotaLimit; +SID Sid[1]; +} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_LIST_INFORMATION +{ +ULONG NextEntryOffset; +ULONG SidLength; +SID Sid[1]; +} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ +LARGE_INTEGER CreationTime; +LARGE_INTEGER LastAccessTime; +LARGE_INTEGER LastWriteTime; +LARGE_INTEGER ChangeTime; +LARGE_INTEGER AllocationSize; +LARGE_INTEGER EndOfFile; +ULONG FileAttributes; +ULONG Unknown; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ +FilterBootOptionOperationOpenSystemStore, +FilterBootOptionOperationSetElement, +FilterBootOptionOperationDeleteElement, +FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; + +typedef enum _EVENT_TYPE +{ +NotificationEvent = 0, +SynchronizationEvent = 1, +} EVENT_TYPE, *PEVENT_TYPE; + +typedef struct _FILE_FULL_EA_INFORMATION +{ +ULONG NextEntryOffset; +UCHAR Flags; +UCHAR EaNameLength; +USHORT EaValueLength; +CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION +{ +ULONG NextEntryOffset; +BYTE EaNameLength; +CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef struct _BOOT_OPTIONS +{ +ULONG Version; +ULONG Length; +ULONG Timeout; +ULONG CurrentBootEntryId; +ULONG NextBootEntryId; +WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef enum _WNF_DATA_SCOPE +{ +WnfDataScopeSystem = 0, +WnfDataScopeSession = 1, +WnfDataScopeUser = 2, +WnfDataScopeProcess = 3, +WnfDataScopeMachine = 4 +} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; + +typedef enum _WNF_STATE_NAME_LIFETIME +{ +WnfWellKnownStateName = 0, +WnfPermanentStateName = 1, +WnfPersistentStateName = 2, +WnfTemporaryStateName = 3 +} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; + +typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS +{ +VmPrefetchInformation, +VmPagePriorityInformation, +VmCfgCallTargetInformation +} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; + +typedef enum _IO_SESSION_EVENT +{ +IoSessionEventIgnore, +IoSessionEventCreated, +IoSessionEventTerminated, +IoSessionEventConnected, +IoSessionEventDisconnected, +IoSessionEventLogon, +IoSessionEventLogoff, +IoSessionEventMax +} IO_SESSION_EVENT, *PIO_SESSION_EVENT; + +typedef enum _PORT_INFORMATION_CLASS +{ +PortBasicInformation, +#if DEVL +PortDumpInformation +#endif +} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; + +typedef enum _PLUGPLAY_CONTROL_CLASS +{ +PlugPlayControlEnumerateDevice, +PlugPlayControlRegisterNewDevice, +PlugPlayControlDeregisterDevice, +PlugPlayControlInitializeDevice, +PlugPlayControlStartDevice, +PlugPlayControlUnlockDevice, +PlugPlayControlQueryAndRemoveDevice, +PlugPlayControlUserResponse, +PlugPlayControlGenerateLegacyDevice, +PlugPlayControlGetInterfaceDeviceList, +PlugPlayControlProperty, +PlugPlayControlDeviceClassAssociation, +PlugPlayControlGetRelatedDevice, +PlugPlayControlGetInterfaceDeviceAlias, +PlugPlayControlDeviceStatus, +PlugPlayControlGetDeviceDepth, +PlugPlayControlQueryDeviceRelations, +PlugPlayControlTargetDeviceRelation, +PlugPlayControlQueryConflictList, +PlugPlayControlRetrieveDock, +PlugPlayControlResetDevice, +PlugPlayControlHaltDevice, +PlugPlayControlGetBlockedDriverList, +MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ +IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT +{ +ViewShare = 1, +ViewUnmap = 2 +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef enum _DEBUGOBJECTINFOCLASS +{ +DebugObjectFlags = 1, +MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ +SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; + +typedef struct _PS_ATTRIBUTE_LIST +{ +SIZE_T TotalLength; +PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef enum _VDMSERVICECLASS +{ +VdmStartExecution, +VdmQueueInterrupt, +VdmDelayInterrupt, +VdmInitialize, +VdmFeatures, +VdmSetInt21Handler, +VdmQueryDir, +VdmPrinterDirectIoOpen, +VdmPrinterDirectIoClose, +VdmPrinterInitialize, +VdmSetLdtEntries, +VdmSetProcessLdtInfo, +VdmAdlibEmulation, +VdmPMCliControl, +VdmQueryVdmProcess +} VDMSERVICECLASS, *PVDMSERVICECLASS; + +typedef struct _PS_CREATE_INFO +{ +SIZE_T Size; +PS_CREATE_STATE State; +union +{ +// PsCreateInitialState +struct { +union { +ULONG InitFlags; +struct { +UCHAR WriteOutputOnExit : 1; +UCHAR DetectManifest : 1; +UCHAR IFEOSkipDebugger : 1; +UCHAR IFEODoNotPropagateKeyState : 1; +UCHAR SpareBits1 : 4; +UCHAR SpareBits2 : 8; +USHORT ProhibitedImageCharacteristics : 16; +}; +}; +ACCESS_MASK AdditionalFileAccess; +} InitState; +// PsCreateFailOnSectionCreate +struct { +HANDLE FileHandle; +} FailSection; +// PsCreateFailExeFormat +struct { +USHORT DllCharacteristics; +} ExeFormat; +// PsCreateFailExeName +struct { +HANDLE IFEOKey; +} ExeName; +// PsCreateSuccess +struct { +union { +ULONG OutputFlags; +struct { +UCHAR ProtectedProcess : 1; +UCHAR AddressSpaceOverride : 1; +UCHAR DevOverrideEnabled : 1; // from Image File Execution Options +UCHAR ManifestDetected : 1; +UCHAR ProtectedProcessLight : 1; +UCHAR SpareBits1 : 3; +UCHAR SpareBits2 : 8; +USHORT SpareBits3 : 16; +}; +}; +HANDLE FileHandle; +HANDLE SectionHandle; +ULONGLONG UserProcessParametersNative; +ULONG UserProcessParametersWow64; +ULONG CurrentParameterFlags; +ULONGLONG PebAddressNative; +ULONG PebAddressWow64; +ULONGLONG ManifestAddress; +ULONG ManifestSize; +} SuccessState; +}; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef enum _MEMORY_INFORMATION_CLASS +{ +MemoryBasicInformation, +MemoryWorkingSetInformation, +MemoryMappedFilenameInformation, +MemoryRegionInformation, +MemoryWorkingSetExInformation, +MemorySharedCommitInformation, +MemoryImageInformation, +MemoryRegionInformationEx, +MemoryPrivilegedBasicInformation, +MemoryEnclaveImageInformation, +MemoryBasicInformationCapped +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _MEMORY_RESERVE_TYPE +{ +MemoryReserveUserApc, +MemoryReserveIoCompletion, +MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; + +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ +AlpcBasicInformation, +AlpcPortInformation, +AlpcAssociateCompletionPortInformation, +AlpcConnectedSIDInformation, +AlpcServerInformation, +AlpcMessageZoneInformation, +AlpcRegisterCompletionListInformation, +AlpcUnregisterCompletionListInformation, +AlpcAdjustCompletionListConcurrencyCountInformation, +AlpcRegisterCallbackInformation, +AlpcCompletionListRundownInformation +} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; + +typedef struct _ALPC_CONTEXT_ATTR +{ +PVOID PortContext; +PVOID MessageContext; +ULONG SequenceNumber; +ULONG MessageID; +ULONG CallbackID; +} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; + +typedef struct _ALPC_DATA_VIEW_ATTR +{ +ULONG Flags; +HANDLE SectionHandle; +PVOID ViewBase; +SIZE_T ViewSize; +} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; + +typedef struct _ALPC_SECURITY_ATTR +{ +ULONG Flags; +PSECURITY_QUALITY_OF_SERVICE SecurityQos; +HANDLE ContextHandle; +ULONG Reserved1; +ULONG Reserved2; +} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; + +typedef PVOID* PPVOID; + +typedef enum _KPROFILE_SOURCE +{ +ProfileTime = 0, +ProfileAlignmentFixup = 1, +ProfileTotalIssues = 2, +ProfilePipelineDry = 3, +ProfileLoadInstructions = 4, +ProfilePipelineFrozen = 5, +ProfileBranchInstructions = 6, +ProfileTotalNonissues = 7, +ProfileDcacheMisses = 8, +ProfileIcacheMisses = 9, +ProfileCacheMisses = 10, +ProfileBranchMispredictions = 11, +ProfileStoreInstructions = 12, +ProfileFpInstructions = 13, +ProfileIntegerInstructions = 14, +Profile2Issue = 15, +Profile3Issue = 16, +Profile4Issue = 17, +ProfileSpecialInstructions = 18, +ProfileTotalCycles = 19, +ProfileIcacheIssues = 20, +ProfileDcacheAccesses = 21, +ProfileMemoryBarrierCycles = 22, +ProfileLoadLinkedIssues = 23, +ProfileMaximum = 24, +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ +AlpcMessageSidInformation, +AlpcMessageTokenModifiedIdInformation +} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; + +typedef enum _WORKERFACTORYINFOCLASS +{ +WorkerFactoryTimeout, +WorkerFactoryRetryTimeout, +WorkerFactoryIdleTimeout, +WorkerFactoryBindingCount, +WorkerFactoryThreadMinimum, +WorkerFactoryThreadMaximum, +WorkerFactoryPaused, +WorkerFactoryBasicInformation, +WorkerFactoryAdjustThreadGoal, +WorkerFactoryCallbackType, +WorkerFactoryStackInformation, +MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS +{ +SystemMemoryPartitionInformation, +SystemMemoryPartitionMoveMemory, +SystemMemoryPartitionAddPagefile, +SystemMemoryPartitionCombineMemory, +SystemMemoryPartitionInitialAddMemory, +SystemMemoryPartitionGetMemoryEvents, +SystemMemoryPartitionMax +} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; + +typedef enum _MUTANT_INFORMATION_CLASS +{ +MutantBasicInformation, +MutantOwnerInformation +} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; + +typedef enum _ATOM_INFORMATION_CLASS +{ +AtomBasicInformation, +AtomTableInformation +} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; + +typedef enum _SHUTDOWN_ACTION { +ShutdownNoReboot, +ShutdownReboot, +ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( +IN PVOID TimerContext, +IN ULONG TimerLowValue, +IN LONG TimerHighValue); + +typedef enum _KEY_VALUE_INFORMATION_CLASS { +KeyValueBasicInformation = 0, +KeyValueFullInformation, +KeyValuePartialInformation, +KeyValueFullInformationAlign64, +KeyValuePartialInformationAlign64, +MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef LANGID* PLANGID; + +typedef struct _PLUGPLAY_EVENT_BLOCK +{ +GUID EventGuid; +PLUGPLAY_EVENT_CATEGORY EventCategory; +PULONG Result; +ULONG Flags; +ULONG TotalSize; +PVOID DeviceObject; + +union +{ +struct +{ +GUID ClassGuid; +WCHAR SymbolicLinkName[1]; +} DeviceClass; +struct +{ +WCHAR DeviceIds[1]; +} TargetDevice; +struct +{ +WCHAR DeviceId[1]; +} InstallDevice; +struct +{ +PVOID NotificationStructure; +WCHAR DeviceIds[1]; +} CustomNotification; +struct +{ +PVOID Notification; +} ProfileNotification; +struct +{ +ULONG NotificationCode; +ULONG NotificationData; +} PowerNotification; +struct +{ +PNP_VETO_TYPE VetoType; +WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName +} VetoNotification; +struct +{ +GUID BlockedDriverGuid; +} BlockedDriverNotification; +struct +{ +WCHAR ParentId[1]; +} InvalidIDNotification; +} u; +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef VOID(NTAPI* PIO_APC_ROUTINE) ( +IN PVOID ApcContext, +IN PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG Reserved); + +typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; + +typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS +{ +DirectoryNotifyInformation = 1, +DirectoryNotifyExtendedInformation = 2, +} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; + +typedef enum _EVENT_INFORMATION_CLASS +{ +EventBasicInformation +} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; + +typedef struct _ALPC_MESSAGE_ATTRIBUTES +{ +unsigned long AllocatedAttributes; +unsigned long ValidAttributes; +} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; + +typedef struct _ALPC_PORT_ATTRIBUTES +{ +ULONG Flags; +SECURITY_QUALITY_OF_SERVICE SecurityQos; +SIZE_T MaxMessageLength; +SIZE_T MemoryBandwidth; +SIZE_T MaxPoolUsage; +SIZE_T MaxSectionSize; +SIZE_T MaxViewSize; +SIZE_T MaxTotalSectionSize; +ULONG DupObjectTypes; +#ifdef _WIN64 +ULONG Reserved; +#endif +} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; + +typedef enum _IO_SESSION_STATE +{ +IoSessionStateCreated = 1, +IoSessionStateInitialized = 2, +IoSessionStateConnected = 3, +IoSessionStateDisconnected = 4, +IoSessionStateDisconnectedLoggedOn = 5, +IoSessionStateLoggedOn = 6, +IoSessionStateLoggedOff = 7, +IoSessionStateTerminated = 8, +IoSessionStateMax = 9, +} IO_SESSION_STATE, *PIO_SESSION_STATE; + +typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; + +typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; + +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ +unsigned __int64 SubscriptionId; +WNF_STATE_NAME StateName; +unsigned long ChangeStamp; +unsigned long StateDataSize; +unsigned long EventMask; +WNF_TYPE_ID TypeId; +unsigned long StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; + +typedef enum _DEBUG_CONTROL_CODE +{ +SysDbgQueryModuleInformation = 0, +SysDbgQueryTraceInformation = 1, +SysDbgSetTracePoint = 2, +SysDbgSetSpecialCall = 3, +SysDbgClearSpecialCalls = 4, +SysDbgQuerySpecialCalls = 5, +SysDbgBreakPoint = 6, +SysDbgQueryVersion = 7, +SysDbgReadVirtual = 8, +SysDbgWriteVirtual = 9, +SysDbgReadPhysical = 10, +SysDbgWritePhysical = 11, +SysDbgReadControlSpace = 12, +SysDbgWriteControlSpace = 13, +SysDbgReadIoSpace = 14, +SysDbgWriteIoSpace = 15, +SysDbgReadMsr = 16, +SysDbgWriteMsr = 17, +SysDbgReadBusData = 18, +SysDbgWriteBusData = 19, +SysDbgCheckLowMemory = 20, +SysDbgEnableKernelDebugger = 21, +SysDbgDisableKernelDebugger = 22, +SysDbgGetAutoKdEnable = 23, +SysDbgSetAutoKdEnable = 24, +SysDbgGetPrintBufferSize = 25, +SysDbgSetPrintBufferSize = 26, +SysDbgGetKdUmExceptionEnable = 27, +SysDbgSetKdUmExceptionEnable = 28, +SysDbgGetTriageDump = 29, +SysDbgGetKdBlockEnable = 30, +SysDbgSetKdBlockEnable = 31 +} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; + +typedef struct _PORT_MESSAGE +{ +union +{ +union +{ +struct +{ +short DataLength; +short TotalLength; +} s1; +unsigned long Length; +}; +} u1; +union +{ +union +{ +struct +{ +short Type; +short DataInfoOffset; +} s2; +unsigned long ZeroInit; +}; +} u2; +union +{ +CLIENT_ID ClientId; +double DoNotUseThisField; +}; +unsigned long MessageId; +union +{ +unsigned __int64 ClientViewSize; +struct +{ +unsigned long CallbackId; +long __PADDING__[1]; +}; +}; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _FILE_BASIC_INFORMATION +{ +LARGE_INTEGER CreationTime; +LARGE_INTEGER LastAccessTime; +LARGE_INTEGER LastWriteTime; +LARGE_INTEGER ChangeTime; +ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _PORT_SECTION_READ +{ +ULONG Length; +ULONG ViewSize; +ULONG ViewBase; +} PORT_SECTION_READ, *PPORT_SECTION_READ; + +typedef struct _PORT_SECTION_WRITE +{ +ULONG Length; +HANDLE SectionHandle; +ULONG SectionOffset; +ULONG ViewSize; +PVOID ViewBase; +PVOID TargetViewBase; +} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; + +typedef enum _TIMER_TYPE +{ +NotificationTimer, +SynchronizationTimer +} TIMER_TYPE, *PTIMER_TYPE; + +typedef struct _BOOT_ENTRY +{ +ULONG Version; +ULONG Length; +ULONG Id; +ULONG Attributes; +ULONG FriendlyNameOffset; +ULONG BootFilePathOffset; +ULONG OsOptionsLength; +UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY +{ +ULONG Version; +ULONG Length; +ULONG Id; +ULONG Attributes; +ULONG FriendlyNameOffset; +ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ +TimerSetCoalescableTimer, +MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; + +typedef enum _FSINFOCLASS +{ +FileFsVolumeInformation = 1, +FileFsLabelInformation = 2, +FileFsSizeInformation = 3, +FileFsDeviceInformation = 4, +FileFsAttributeInformation = 5, +FileFsControlInformation = 6, +FileFsFullSizeInformation = 7, +FileFsObjectIdInformation = 8, +FileFsDriverPathInformation = 9, +FileFsVolumeFlagsInformation = 10, +FileFsSectorSizeInformation = 11, +FileFsDataCopyInformation = 12, +FileFsMetadataSizeInformation = 13, +FileFsFullSizeInformationEx = 14, +FileFsMaximumInformation = 15, +} FSINFOCLASS, *PFSINFOCLASS; + +typedef enum _WAIT_TYPE +{ +WaitAll = 0, +WaitAny = 1 +} WAIT_TYPE, *PWAIT_TYPE; + +typedef struct _USER_STACK +{ +PVOID FixedStackBase; +PVOID FixedStackLimit; +PVOID ExpandableStackBase; +PVOID ExpandableStackLimit; +PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +typedef enum _SECTION_INFORMATION_CLASS +{ +SectionBasicInformation, +SectionImageInformation, +} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; + +typedef enum _APPHELPCACHESERVICECLASS +{ +ApphelpCacheServiceLookup = 0, +ApphelpCacheServiceRemove = 1, +ApphelpCacheServiceUpdate = 2, +ApphelpCacheServiceFlush = 3, +ApphelpCacheServiceDump = 4, +ApphelpDBGReadRegistry = 0x100, +ApphelpDBGWriteRegistry = 0x101, +} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ +USHORT Version; +USHORT Reserved; +ULONG AttributeCount; +union +{ +PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; +} Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ +PVOID KeyContext; +PVOID ApcContext; +IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef PVOID PT2_CANCEL_PARAMETERS; + +typedef enum _THREADINFOCLASS +{ +ThreadBasicInformation, +ThreadTimes, +ThreadPriority, +ThreadBasePriority, +ThreadAffinityMask, +ThreadImpersonationToken, +ThreadDescriptorTableEntry, +ThreadEnableAlignmentFaultFixup, +ThreadEventPair_Reusable, +ThreadQuerySetWin32StartAddress, +ThreadZeroTlsCell, +ThreadPerformanceCount, +ThreadAmILastThread, +ThreadIdealProcessor, +ThreadPriorityBoost, +ThreadSetTlsArrayAddress, +ThreadIsIoPending, +ThreadHideFromDebugger, +ThreadBreakOnTermination, +MaxThreadInfoClass +} THREADINFOCLASS, *PTHREADINFOCLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ +ObjectBasicInformation, +ObjectNameInformation, +ObjectTypeInformation, +ObjectAllTypesInformation, +ObjectHandleInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef enum _FILE_INFORMATION_CLASS +{ +FileDirectoryInformation = 1, +FileFullDirectoryInformation = 2, +FileBothDirectoryInformation = 3, +FileBasicInformation = 4, +FileStandardInformation = 5, +FileInternalInformation = 6, +FileEaInformation = 7, +FileAccessInformation = 8, +FileNameInformation = 9, +FileRenameInformation = 10, +FileLinkInformation = 11, +FileNamesInformation = 12, +FileDispositionInformation = 13, +FilePositionInformation = 14, +FileFullEaInformation = 15, +FileModeInformation = 16, +FileAlignmentInformation = 17, +FileAllInformation = 18, +FileAllocationInformation = 19, +FileEndOfFileInformation = 20, +FileAlternateNameInformation = 21, +FileStreamInformation = 22, +FilePipeInformation = 23, +FilePipeLocalInformation = 24, +FilePipeRemoteInformation = 25, +FileMailslotQueryInformation = 26, +FileMailslotSetInformation = 27, +FileCompressionInformation = 28, +FileObjectIdInformation = 29, +FileCompletionInformation = 30, +FileMoveClusterInformation = 31, +FileQuotaInformation = 32, +FileReparsePointInformation = 33, +FileNetworkOpenInformation = 34, +FileAttributeTagInformation = 35, +FileTrackingInformation = 36, +FileIdBothDirectoryInformation = 37, +FileIdFullDirectoryInformation = 38, +FileValidDataLengthInformation = 39, +FileShortNameInformation = 40, +FileIoCompletionNotificationInformation = 41, +FileIoStatusBlockRangeInformation = 42, +FileIoPriorityHintInformation = 43, +FileSfioReserveInformation = 44, +FileSfioVolumeInformation = 45, +FileHardLinkInformation = 46, +FileProcessIdsUsingFileInformation = 47, +FileNormalizedNameInformation = 48, +FileNetworkPhysicalNameInformation = 49, +FileIdGlobalTxDirectoryInformation = 50, +FileIsRemoteDeviceInformation = 51, +FileUnusedInformation = 52, +FileNumaNodeInformation = 53, +FileStandardLinkInformation = 54, +FileRemoteProtocolInformation = 55, +FileRenameInformationBypassAccessCheck = 56, +FileLinkInformationBypassAccessCheck = 57, +FileVolumeNameInformation = 58, +FileIdInformation = 59, +FileIdExtdDirectoryInformation = 60, +FileReplaceCompletionInformation = 61, +FileHardLinkFullIdInformation = 62, +FileIdExtdBothDirectoryInformation = 63, +FileDispositionInformationEx = 64, +FileRenameInformationEx = 65, +FileRenameInformationExBypassAccessCheck = 66, +FileMaximumInformation = 67, +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef enum _KEY_INFORMATION_CLASS +{ +KeyBasicInformation = 0, +KeyNodeInformation = 1, +KeyFullInformation = 2, +KeyNameInformation = 3, +KeyCachedInformation = 4, +KeyFlagsInformation = 5, +KeyVirtualizationInformation = 6, +KeyHandleTagsInformation = 7, +MaxKeyInfoClass = 8 +} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; + +typedef struct _OBJECT_ATTRIBUTES +{ +ULONG Length; +HANDLE RootDirectory; +PUNICODE_STRING ObjectName; +ULONG Attributes; +PVOID SecurityDescriptor; +PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef enum _TIMER_INFORMATION_CLASS +{ +TimerBasicInformation +} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; + +typedef struct _KCONTINUE_ARGUMENT +{ +KCONTINUE_TYPE ContinueType; +ULONG ContinueFlags; +ULONGLONG Reserved[2]; +} KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; + +EXTERN_C NTSTATUS Sw3NtAccessCheck( +IN PSECURITY_DESCRIPTOR pSecurityDescriptor, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiaredAccess, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PBOOLEAN AccessStatus); + +EXTERN_C NTSTATUS Sw3NtWorkerFactoryWorkerReady( +IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtAcceptConnectPort( +OUT PHANDLE ServerPortHandle, +IN ULONG AlternativeReceivePortHandle OPTIONAL, +IN PPORT_MESSAGE ConnectionReply, +IN BOOLEAN AcceptConnection, +IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, +OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPagesScatter( +IN PVOID VirtualAddresses, +IN PULONG NumberOfPages, +IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForSingleObject( +IN HANDLE ObjectHandle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER TimeOut OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallbackReturn( +IN PVOID OutputBuffer OPTIONAL, +IN ULONG OutputLength, +IN NTSTATUS Status); + +EXTERN_C NTSTATUS Sw3NtReadFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +OUT PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeviceIoControlFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG IoControlCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletion( +IN HANDLE IoCompletionHandle, +OUT PULONG KeyContext, +OUT PULONG ApcContext, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseSemaphore( +IN HANDLE SemaphoreHandle, +IN LONG ReleaseCount, +OUT PLONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePort( +IN HANDLE PortHandle, +OUT PVOID PortContext OPTIONAL, +IN PPORT_MESSAGE ReplyMessage OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage); + +EXTERN_C NTSTATUS Sw3NtReplyPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtSetInformationThread( +IN HANDLE ThreadHandle, +IN THREADINFOCLASS ThreadInformationClass, +IN PVOID ThreadInformation, +IN ULONG ThreadInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtClose( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtQueryObject( +IN HANDLE Handle, +IN OBJECT_INFORMATION_CLASS ObjectInformationClass, +OUT PVOID ObjectInformation OPTIONAL, +IN ULONG ObjectInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtOpenKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtEnumerateValueKey( +IN HANDLE KeyHandle, +IN ULONG Index, +IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, +OUT PVOID KeyValueInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtFindAtom( +IN PWSTR AtomName OPTIONAL, +IN ULONG Length, +OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultLocale( +IN BOOLEAN UserProfile, +OUT PLCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtQueryKey( +IN HANDLE KeyHandle, +IN KEY_INFORMATION_CLASS KeyInformationClass, +OUT PVOID KeyInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtQueryValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, +OUT PVOID KeyValueInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN ULONG ZeroBits, +IN OUT PSIZE_T RegionSize, +IN ULONG AllocationType, +IN ULONG Protect); + +EXTERN_C NTSTATUS Sw3NtQueryInformationProcess( +IN HANDLE ProcessHandle, +IN PROCESSINFOCLASS ProcessInformationClass, +OUT PVOID ProcessInformation, +IN ULONG ProcessInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects32( +IN ULONG ObjectCount, +IN PHANDLE Handles, +IN WAIT_TYPE WaitType, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteFileGather( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_SEGMENT_ELEMENT SegmentArray, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFreeVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN OUT PSIZE_T RegionSize, +IN ULONG FreeType); + +EXTERN_C NTSTATUS Sw3NtImpersonateClientOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message); + +EXTERN_C NTSTATUS Sw3NtReleaseMutant( +IN HANDLE MutantHandle, +OUT PULONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationToken( +IN HANDLE TokenHandle, +IN TOKEN_INFORMATION_CLASS TokenInformationClass, +OUT PVOID TokenInformation, +IN ULONG TokenInformationLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtRequestWaitReplyPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE RequestMessage, +OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtQueryVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN MEMORY_INFORMATION_CLASS MemoryInformationClass, +OUT PVOID MemoryInformation, +IN SIZE_T MemoryInformationLength, +OUT PSIZE_T ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadToken( +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN BOOLEAN OpenAsSelf, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryInformationThread( +IN HANDLE ThreadHandle, +IN THREADINFOCLASS ThreadInformationClass, +OUT PVOID ThreadInformation, +IN ULONG ThreadInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenProcess( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSection( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN ULONG ZeroBits, +IN SIZE_T CommitSize, +IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, +IN OUT PSIZE_T ViewSize, +IN SECTION_INHERIT InheritDisposition, +IN ULONG AllocationType, +IN ULONG Win32Protect); + +EXTERN_C NTSTATUS Sw3NtAccessCheckAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN ACCESS_MASK DesiredAccess, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PBOOLEAN AccessStatus, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSection( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePortEx( +IN HANDLE PortHandle, +OUT PULONG PortContext OPTIONAL, +IN PPORT_MESSAGE ReplyMessage OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateProcess( +IN HANDLE ProcessHandle OPTIONAL, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtSetEventBoostPriority( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadFileScatter( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_SEGMENT_ELEMENT SegmentArray, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadTokenEx( +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN BOOLEAN OpenAsSelf, +IN ULONG HandleAttributes, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenProcessTokenEx( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryPerformanceCounter( +OUT PLARGE_INTEGER PerformanceCounter, +OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtEnumerateKey( +IN HANDLE KeyHandle, +IN ULONG Index, +IN KEY_INFORMATION_CLASS KeyInformationClass, +OUT PVOID KeyInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtOpenFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG ShareAccess, +IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtDelayExecution( +IN BOOLEAN Alertable, +IN PLARGE_INTEGER DelayInterval); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass, +IN BOOLEAN ReturnSingleEntry, +IN PUNICODE_STRING FileName OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformation( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN OUT PVOID SystemInformation, +IN ULONG SystemInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSection( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtQueryTimer( +IN HANDLE TimerHandle, +IN TIMER_INFORMATION_CLASS TimerInformationClass, +OUT PVOID TimerInformation, +IN ULONG TimerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFsControlFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG FsControlCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID Buffer, +IN SIZE_T NumberOfBytesToWrite, +OUT PSIZE_T NumberOfBytesWritten OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCloseObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDuplicateObject( +IN HANDLE SourceProcessHandle, +IN HANDLE SourceHandle, +IN HANDLE TargetProcessHandle OPTIONAL, +OUT PHANDLE TargetHandle OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Options); + +EXTERN_C NTSTATUS Sw3NtQueryAttributesFile( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PFILE_BASIC_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtClearEvent( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +OUT PVOID Buffer, +IN SIZE_T BufferSize, +OUT PSIZE_T NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAdjustPrivilegesToken( +IN HANDLE TokenHandle, +IN BOOLEAN DisableAllPrivileges, +IN PTOKEN_PRIVILEGES NewState OPTIONAL, +IN ULONG BufferLength, +OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDuplicateToken( +IN HANDLE ExistingTokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN BOOLEAN EffectiveOnly, +IN TOKEN_TYPE TokenType, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtContinue( +IN PCONTEXT ContextRecord, +IN BOOLEAN TestAlert); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultUILanguage( +OUT PLANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueueApcThread( +IN HANDLE ThreadHandle, +IN PKNORMAL_ROUTINE ApcRoutine, +IN PVOID ApcArgument1 OPTIONAL, +IN PVOID ApcArgument2 OPTIONAL, +IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtYieldExecution(); + +EXTERN_C NTSTATUS Sw3NtAddAtom( +IN PWSTR AtomName OPTIONAL, +IN ULONG Length, +OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN EVENT_TYPE EventType, +IN BOOLEAN InitialState); + +EXTERN_C NTSTATUS Sw3NtQueryVolumeInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FsInformation, +IN ULONG Length, +IN FSINFOCLASS FsInformationClass); + +EXTERN_C NTSTATUS Sw3NtCreateSection( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PLARGE_INTEGER MaximumSize OPTIONAL, +IN ULONG SectionPageProtection, +IN ULONG AllocationAttributes, +IN HANDLE FileHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtApphelpCacheControl( +IN APPHELPCACHESERVICECLASS Service, +IN PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtCreateProcessEx( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ParentProcess, +IN ULONG Flags, +IN HANDLE SectionHandle OPTIONAL, +IN HANDLE DebugPort OPTIONAL, +IN HANDLE ExceptionPort OPTIONAL, +IN ULONG JobMemberLevel); + +EXTERN_C NTSTATUS Sw3NtCreateThread( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ProcessHandle, +OUT PCLIENT_ID ClientId, +IN PCONTEXT ThreadContext, +IN PUSER_STACK InitialTeb, +IN BOOLEAN CreateSuspended); + +EXTERN_C NTSTATUS Sw3NtIsProcessInJob( +IN HANDLE ProcessHandle, +IN HANDLE JobHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtProtectVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN OUT PSIZE_T RegionSize, +IN ULONG NewProtect, +OUT PULONG OldProtect); + +EXTERN_C NTSTATUS Sw3NtQuerySection( +IN HANDLE SectionHandle, +IN SECTION_INFORMATION_CLASS SectionInformationClass, +OUT PVOID SectionInformation, +IN ULONG SectionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResumeThread( +IN HANDLE ThreadHandle, +IN OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateThread( +IN HANDLE ThreadHandle, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtReadRequestData( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN ULONG DataEntryIndex, +OUT PVOID Buffer, +IN ULONG BufferSize, +OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER AllocationSize OPTIONAL, +IN ULONG FileAttributes, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN PVOID EaBuffer OPTIONAL, +IN ULONG EaLength); + +EXTERN_C NTSTATUS Sw3NtQueryEvent( +IN HANDLE EventHandle, +IN EVENT_INFORMATION_CLASS EventInformationClass, +OUT PVOID EventInformation, +IN ULONG EventInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteRequestData( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Request, +IN ULONG DataIndex, +IN PVOID Buffer, +IN ULONG Length, +OUT PULONG ResultLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenDirectoryObject( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects( +IN ULONG Count, +IN PHANDLE Handles, +IN WAIT_TYPE WaitType, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationObject( +IN HANDLE Handle, +IN OBJECT_INFORMATION_CLASS ObjectInformationClass, +IN PVOID ObjectInformation, +IN ULONG ObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtCancelIoFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtTraceEvent( +IN HANDLE TraceHandle, +IN ULONG Flags, +IN ULONG FieldSize, +IN PVOID Fields); + +EXTERN_C NTSTATUS Sw3NtPowerInformation( +IN POWER_INFORMATION_LEVEL InformationLevel, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtSetValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN ULONG TitleIndex OPTIONAL, +IN ULONG Type, +IN PVOID SystemData, +IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtCancelTimer( +IN HANDLE TimerHandle, +OUT PBOOLEAN CurrentState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetTimer( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime, +IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, +IN PVOID TimerContext OPTIONAL, +IN BOOLEAN ResumeTimer, +IN LONG Period OPTIONAL, +OUT PBOOLEAN PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByType( +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN HANDLE ClientToken, +IN ULONG DesiredAccess, +IN POBJECT_TYPE_LIST ObjectTypeList, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultList( +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_TYPE_LIST ObjectTypeList, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN HANDLE ClientToken, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAcquireProcessActivityReference(); + +EXTERN_C NTSTATUS Sw3NtAddAtomEx( +IN PWSTR AtomName, +IN ULONG Length, +IN PRTL_ATOM Atom, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAddBootEntry( +IN PBOOT_ENTRY BootEntry, +OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAddDriverEntry( +IN PEFI_DRIVER_ENTRY DriverEntry, +OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAdjustGroupsToken( +IN HANDLE TokenHandle, +IN BOOLEAN ResetToDefault, +IN PTOKEN_GROUPS NewState OPTIONAL, +IN ULONG BufferLength OPTIONAL, +OUT PTOKEN_GROUPS PreviousState OPTIONAL, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtAdjustTokenClaimsAndDeviceGroups( +IN HANDLE TokenHandle, +IN BOOLEAN UserResetToDefault, +IN BOOLEAN DeviceResetToDefault, +IN BOOLEAN DeviceGroupsResetToDefault, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, +IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, +IN ULONG UserBufferLength, +OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, +IN ULONG DeviceBufferLength, +OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, +IN ULONG DeviceGroupsBufferLength, +OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, +OUT PULONG UserReturnLength OPTIONAL, +OUT PULONG DeviceReturnLength OPTIONAL, +OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertResumeThread( +IN HANDLE ThreadHandle, +OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertThread( +IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtAlertThreadByThreadId( +IN ULONG ThreadId); + +EXTERN_C NTSTATUS Sw3NtAllocateLocallyUniqueId( +OUT PLUID Luid); + +EXTERN_C NTSTATUS Sw3NtAllocateReserveObject( +OUT PHANDLE MemoryReserveHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN MEMORY_RESERVE_TYPE Type); + +EXTERN_C NTSTATUS Sw3NtAllocateUserPhysicalPages( +IN HANDLE ProcessHandle, +IN OUT PULONG NumberOfPages, +OUT PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtAllocateUuids( +OUT PLARGE_INTEGER Time, +OUT PULONG Range, +OUT PULONG Sequence, +OUT PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemoryEx( +IN HANDLE ProcessHandle, +IN OUT PPVOID lpAddress, +IN ULONG_PTR ZeroBits, +IN OUT PSIZE_T pSize, +IN ULONG flAllocationType, +IN OUT PVOID DataBuffer OPTIONAL, +IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtAlpcAcceptConnectPort( +OUT PHANDLE PortHandle, +IN HANDLE ConnectionPortHandle, +IN ULONG Flags, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN PVOID PortContext OPTIONAL, +IN PPORT_MESSAGE ConnectionRequest, +IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, +IN BOOLEAN AcceptConnection); + +EXTERN_C NTSTATUS Sw3NtAlpcCancelMessage( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PALPC_CONTEXT_ATTR MessageContext); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN ULONG Flags, +IN PSID RequiredServerSid OPTIONAL, +IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, +IN OUT PULONG BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPortEx( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, +IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN ULONG Flags, +IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, +IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, +IN OUT PSIZE_T BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePortSection( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE SectionHandle OPTIONAL, +IN SIZE_T SectionSize, +OUT PHANDLE AlpcSectionHandle, +OUT PSIZE_T ActualSectionSize); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateResourceReserve( +IN HANDLE PortHandle, +IN ULONG Flags, +IN SIZE_T MessageSize, +OUT PHANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSectionView( +IN HANDLE PortHandle, +IN ULONG Flags, +IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN OUT PALPC_SECURITY_ATTR SecurityAttribute); + +EXTERN_C NTSTATUS Sw3NtAlpcDeletePortSection( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE SectionHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteResourceReserve( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSectionView( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PVOID ViewBase); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDisconnectPort( +IN HANDLE PortHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientContainerOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN PVOID Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderProcess( +OUT PHANDLE ProcessHandle, +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ULONG Flags, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderThread( +OUT PHANDLE ThreadHandle, +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ULONG Flags, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformation( +IN HANDLE PortHandle OPTIONAL, +IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, +IN OUT PVOID PortInformation, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformationMessage( +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, +OUT PVOID MessageInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcRevokeSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcSendWaitReceivePort( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PPORT_MESSAGE SendMessage OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, +IN OUT PSIZE_T BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcSetInformation( +IN HANDLE PortHandle, +IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, +IN PVOID PortInformation OPTIONAL, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtAreMappedFilesTheSame( +IN PVOID File1MappedAsAnImage, +IN PVOID File2MappedAsFile); + +EXTERN_C NTSTATUS Sw3NtAssignProcessToJobObject( +IN HANDLE JobHandle, +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtAssociateWaitCompletionPacket( +IN HANDLE WaitCompletionPacketHandle, +IN HANDLE IoCompletionHandle, +IN HANDLE TargetObjectHandle, +IN PVOID KeyContext OPTIONAL, +IN PVOID ApcContext OPTIONAL, +IN NTSTATUS IoStatus, +IN ULONG_PTR IoStatusInformation, +OUT PBOOLEAN AlreadySignaled OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallEnclave( +IN PENCLAVE_ROUTINE Routine, +IN PVOID Parameter, +IN BOOLEAN WaitForThread, +IN OUT PVOID ReturnValue OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCancelIoFileEx( +IN HANDLE FileHandle, +IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelSynchronousIoFile( +IN HANDLE ThreadHandle, +IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelTimer2( +IN HANDLE TimerHandle, +IN PT2_CANCEL_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtCancelWaitCompletionPacket( +IN HANDLE WaitCompletionPacketHandle, +IN BOOLEAN RemoveSignaledPacket); + +EXTERN_C NTSTATUS Sw3NtCommitComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitRegistryTransaction( +IN HANDLE RegistryHandle, +IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtCommitTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtCompactKeys( +IN ULONG Count, +IN HANDLE KeyArray); + +EXTERN_C NTSTATUS Sw3NtCompareObjects( +IN HANDLE FirstObjectHandle, +IN HANDLE SecondObjectHandle); + +EXTERN_C NTSTATUS Sw3NtCompareSigningLevels( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2); + +EXTERN_C NTSTATUS Sw3NtCompareTokens( +IN HANDLE FirstTokenHandle, +IN HANDLE SecondTokenHandle, +OUT PBOOLEAN Equal); + +EXTERN_C NTSTATUS Sw3NtCompleteConnectPort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtCompressKey( +IN HANDLE Key); + +EXTERN_C NTSTATUS Sw3NtConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, +IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, +IN OUT PPORT_SECTION_READ ServerView OPTIONAL, +OUT PULONG MaxMessageLength OPTIONAL, +IN OUT PVOID ConnectionInformation OPTIONAL, +IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2, +IN ULONG UnknownParameter3, +IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtCreateDebugObject( +OUT PHANDLE DebugObjectHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObject( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObjectEx( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN HANDLE ShadowDirectoryHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateEnclave( +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN ULONG_PTR ZeroBits, +IN SIZE_T Size, +IN SIZE_T InitialCommitment, +IN ULONG EnclaveType, +IN PVOID EnclaveInformation, +IN ULONG EnclaveInformationLength, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEnlistment( +OUT PHANDLE EnlistmentHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE ResourceManagerHandle, +IN HANDLE TransactionHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN NOTIFICATION_MASK NotificationMask, +IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEventPair( +OUT PHANDLE EventPairHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateIRTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateIoCompletion( +OUT PHANDLE IoCompletionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG Count OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobObject( +OUT PHANDLE JobHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobSet( +IN ULONG NumJob, +IN PJOB_SET_ARRAY UserJobSet, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateKeyTransacted( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +IN HANDLE TransactionHandle, +OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKeyedEvent( +OUT PHANDLE KeyedEventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateLowBoxToken( +OUT PHANDLE TokenHandle, +IN HANDLE ExistingTokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PSID PackageSid, +IN ULONG CapabilityCount, +IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, +IN ULONG HandleCount, +IN HANDLE Handles OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateMailslotFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CreateOptions, +IN ULONG MailslotQuota, +IN ULONG MaximumMessageSize, +IN PLARGE_INTEGER ReadTimeout); + +EXTERN_C NTSTATUS Sw3NtCreateMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN BOOLEAN InitialOwner); + +EXTERN_C NTSTATUS Sw3NtCreateNamedPipeFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN BOOLEAN NamedPipeType, +IN BOOLEAN ReadMode, +IN BOOLEAN CompletionMode, +IN ULONG MaximumInstances, +IN ULONG InboundQuota, +IN ULONG OutboundQuota, +IN PLARGE_INTEGER DefaultTimeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePagingFile( +IN PUNICODE_STRING PageFileName, +IN PULARGE_INTEGER MinimumSize, +IN PULARGE_INTEGER MaximumSize, +IN ULONG Priority); + +EXTERN_C NTSTATUS Sw3NtCreatePartition( +OUT PHANDLE PartitionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG PreferredNode); + +EXTERN_C NTSTATUS Sw3NtCreatePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG MaxConnectionInfoLength, +IN ULONG MaxMessageLength, +IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePrivateNamespace( +OUT PHANDLE NamespaceHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateProcess( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ParentProcess, +IN BOOLEAN InheritObjectTable, +IN HANDLE SectionHandle OPTIONAL, +IN HANDLE DebugPort OPTIONAL, +IN HANDLE ExceptionPort OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateProfile( +OUT PHANDLE ProfileHandle, +IN HANDLE Process OPTIONAL, +IN PVOID ProfileBase, +IN ULONG ProfileSize, +IN ULONG BucketSize, +IN PULONG Buffer, +IN ULONG BufferSize, +IN KPROFILE_SOURCE ProfileSource, +IN ULONG Affinity); + +EXTERN_C NTSTATUS Sw3NtCreateProfileEx( +OUT PHANDLE ProfileHandle, +IN HANDLE Process OPTIONAL, +IN PVOID ProfileBase, +IN SIZE_T ProfileSize, +IN ULONG BucketSize, +IN PULONG Buffer, +IN ULONG BufferSize, +IN KPROFILE_SOURCE ProfileSource, +IN USHORT GroupCount, +IN PGROUP_AFFINITY GroupAffinity); + +EXTERN_C NTSTATUS Sw3NtCreateRegistryTransaction( +OUT PHANDLE Handle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN DWORD Flags); + +EXTERN_C NTSTATUS Sw3NtCreateResourceManager( +OUT PHANDLE ResourceManagerHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE TmHandle, +IN LPGUID RmGuid, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSemaphore( +OUT PHANDLE SemaphoreHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN LONG InitialCount, +IN LONG MaximumCount); + +EXTERN_C NTSTATUS Sw3NtCreateSymbolicLinkObject( +OUT PHANDLE LinkHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PUNICODE_STRING LinkTarget); + +EXTERN_C NTSTATUS Sw3NtCreateThreadEx( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ProcessHandle, +IN PVOID StartRoutine, +IN PVOID Argument OPTIONAL, +IN ULONG CreateFlags, +IN SIZE_T ZeroBits, +IN SIZE_T StackSize, +IN SIZE_T MaximumStackSize, +IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TIMER_TYPE TimerType); + +EXTERN_C NTSTATUS Sw3NtCreateTimer2( +OUT PHANDLE TimerHandle, +IN PVOID Reserved1 OPTIONAL, +IN PVOID Reserved2 OPTIONAL, +IN ULONG Attributes, +IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateToken( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TOKEN_TYPE TokenType, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_OWNER Owner OPTIONAL, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, +IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTokenEx( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TOKEN_TYPE TokenType, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, +IN PTOKEN_GROUPS DeviceGroups OPTIONAL, +IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, +IN PTOKEN_OWNER Owner OPTIONAL, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, +IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTransaction( +OUT PHANDLE TransactionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN LPGUID Uow OPTIONAL, +IN HANDLE TmHandle OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN ULONG IsolationLevel OPTIONAL, +IN ULONG IsolationFlags OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL, +IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTransactionManager( +OUT PHANDLE TmHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PUNICODE_STRING LogFileName OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN ULONG CommitStrength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateUserProcess( +OUT PHANDLE ProcessHandle, +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK ProcessDesiredAccess, +IN ACCESS_MASK ThreadDesiredAccess, +IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, +IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, +IN ULONG ProcessFlags, +IN ULONG ThreadFlags, +IN PVOID ProcessParameters OPTIONAL, +IN OUT PPS_CREATE_INFO CreateInfo, +IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitCompletionPacket( +OUT PHANDLE WaitCompletionPacketHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitablePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG MaxConnectionInfoLength, +IN ULONG MaxMessageLength, +IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWnfStateName( +OUT PCWNF_STATE_NAME StateName, +IN WNF_STATE_NAME_LIFETIME NameLifetime, +IN WNF_DATA_SCOPE DataScope, +IN BOOLEAN PersistData, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN ULONG MaximumStateSize, +IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateWorkerFactory( +OUT PHANDLE WorkerFactoryHandleReturn, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE CompletionPortHandle, +IN HANDLE WorkerProcessHandle, +IN PVOID StartRoutine, +IN PVOID StartParameter OPTIONAL, +IN ULONG MaxThreadCount OPTIONAL, +IN SIZE_T StackReserve OPTIONAL, +IN SIZE_T StackCommit OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDebugActiveProcess( +IN HANDLE ProcessHandle, +IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtDebugContinue( +IN HANDLE DebugObjectHandle, +IN PCLIENT_ID ClientId, +IN NTSTATUS ContinueStatus); + +EXTERN_C NTSTATUS Sw3NtDeleteAtom( +IN USHORT Atom); + +EXTERN_C NTSTATUS Sw3NtDeleteBootEntry( +IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteDriverEntry( +IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteFile( +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtDeleteKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDeletePrivateNamespace( +IN HANDLE NamespaceHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PVOID ExplicitScope OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateName( +IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtDisableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtDisplayString( +IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtDrawText( +IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtEnableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtEnumerateBootEntries( +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateDriverEntries( +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateSystemEnvironmentValuesEx( +IN ULONG InformationClass, +OUT PVOID Buffer, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateTransactionObject( +IN HANDLE RootObjectHandle OPTIONAL, +IN KTMOBJECT_TYPE QueryType, +IN OUT PKTMOBJECT_CURSOR ObjectCursor, +IN ULONG ObjectCursorLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtExtendSection( +IN HANDLE SectionHandle, +IN OUT PLARGE_INTEGER NewSectionSize); + +EXTERN_C NTSTATUS Sw3NtFilterBootOption( +IN FILTER_BOOT_OPTION_OPERATION FilterOperation, +IN ULONG ObjectType, +IN ULONG ElementType, +IN PVOID SystemData OPTIONAL, +IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtFilterToken( +IN HANDLE ExistingTokenHandle, +IN ULONG Flags, +IN PTOKEN_GROUPS SidsToDisable OPTIONAL, +IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, +IN PTOKEN_GROUPS RestrictedSids OPTIONAL, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFilterTokenEx( +IN HANDLE TokenHandle, +IN ULONG Flags, +IN PTOKEN_GROUPS SidsToDisable OPTIONAL, +IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, +IN PTOKEN_GROUPS RestrictedSids OPTIONAL, +IN ULONG DisableUserClaimsCount, +IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, +IN ULONG DisableDeviceClaimsCount, +IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, +IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, +IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFileEx( +IN HANDLE FileHandle, +IN ULONG Flags, +IN PVOID Parameters, +IN ULONG ParametersSize, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushInstallUILanguage( +IN LANGID InstallUILanguage, +IN ULONG SetComittedFlag); + +EXTERN_C NTSTATUS Sw3NtFlushInstructionCache( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtFlushKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtFlushProcessWriteBuffers(); + +EXTERN_C NTSTATUS Sw3NtFlushVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN OUT PULONG RegionSize, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushWriteBuffer(); + +EXTERN_C NTSTATUS Sw3NtFreeUserPhysicalPages( +IN HANDLE ProcessHandle, +IN OUT PULONG NumberOfPages, +IN PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtFreezeRegistry( +IN ULONG TimeOutInSeconds); + +EXTERN_C NTSTATUS Sw3NtFreezeTransactions( +IN PLARGE_INTEGER FreezeTimeout, +IN PLARGE_INTEGER ThawTimeout); + +EXTERN_C NTSTATUS Sw3NtGetCachedSigningLevel( +IN HANDLE File, +OUT PULONG Flags, +OUT PSE_SIGNING_LEVEL SigningLevel, +OUT PUCHAR Thumbprint OPTIONAL, +IN OUT PULONG ThumbprintSize OPTIONAL, +OUT PULONG ThumbprintAlgorithm OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetCompleteWnfStateSubscription( +IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, +IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, +IN ULONG OldDescriptorEventMask OPTIONAL, +IN ULONG OldDescriptorStatus OPTIONAL, +OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, +IN ULONG DescriptorSize); + +EXTERN_C NTSTATUS Sw3NtGetContextThread( +IN HANDLE ThreadHandle, +IN OUT PCONTEXT ThreadContext); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumber(); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumberEx( +OUT PULONG ProcNumber OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetDevicePowerState( +IN HANDLE Device, +OUT PDEVICE_POWER_STATE State); + +EXTERN_C NTSTATUS Sw3NtGetMUIRegistryInfo( +IN ULONG Flags, +IN OUT PULONG DataSize, +OUT PVOID SystemData); + +EXTERN_C NTSTATUS Sw3NtGetNextProcess( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Flags, +OUT PHANDLE NewProcessHandle); + +EXTERN_C NTSTATUS Sw3NtGetNextThread( +IN HANDLE ProcessHandle, +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Flags, +OUT PHANDLE NewThreadHandle); + +EXTERN_C NTSTATUS Sw3NtGetNlsSectionPtr( +IN ULONG SectionType, +IN ULONG SectionData, +IN PVOID ContextData, +OUT PVOID SectionPointer, +OUT PULONG SectionSize); + +EXTERN_C NTSTATUS Sw3NtGetNotificationResourceManager( +IN HANDLE ResourceManagerHandle, +OUT PTRANSACTION_NOTIFICATION TransactionNotification, +IN ULONG NotificationLength, +IN PLARGE_INTEGER Timeout OPTIONAL, +OUT PULONG ReturnLength OPTIONAL, +IN ULONG Asynchronous, +IN ULONG AsynchronousContext OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetWriteWatch( +IN HANDLE ProcessHandle, +IN ULONG Flags, +IN PVOID BaseAddress, +IN ULONG RegionSize, +OUT PULONG UserAddressArray, +IN OUT PULONG EntriesInUserAddressArray, +OUT PULONG Granularity); + +EXTERN_C NTSTATUS Sw3NtImpersonateAnonymousToken( +IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtImpersonateThread( +IN HANDLE ServerThreadHandle, +IN HANDLE ClientThreadHandle, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +EXTERN_C NTSTATUS Sw3NtInitializeEnclave( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID EnclaveInformation, +IN ULONG EnclaveInformationLength, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtInitializeNlsFiles( +OUT PVOID BaseAddress, +OUT PLCID DefaultLocaleId, +OUT PLARGE_INTEGER DefaultCasingTableSize); + +EXTERN_C NTSTATUS Sw3NtInitializeRegistry( +IN USHORT BootCondition); + +EXTERN_C NTSTATUS Sw3NtInitiatePowerAction( +IN POWER_ACTION SystemAction, +IN SYSTEM_POWER_STATE LightestSystemState, +IN ULONG Flags, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtIsSystemResumeAutomatic(); + +EXTERN_C NTSTATUS Sw3NtIsUILanguageComitted(); + +EXTERN_C NTSTATUS Sw3NtListenPort( +IN HANDLE PortHandle, +OUT PPORT_MESSAGE ConnectionRequest); + +EXTERN_C NTSTATUS Sw3NtLoadDriver( +IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtLoadEnclaveData( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID Buffer, +IN SIZE_T BufferSize, +IN ULONG Protect, +IN PVOID PageInformation, +IN ULONG PageInformationLength, +OUT PSIZE_T NumberOfBytesWritten OPTIONAL, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLoadHotPatch( +IN PUNICODE_STRING HotPatchName, +IN ULONG LoadFlag); + +EXTERN_C NTSTATUS Sw3NtLoadKey( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile); + +EXTERN_C NTSTATUS Sw3NtLoadKey2( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtLoadKeyEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile, +IN ULONG Flags, +IN HANDLE TrustClassKey OPTIONAL, +IN HANDLE Event OPTIONAL, +IN ACCESS_MASK DesiredAccess OPTIONAL, +OUT PHANDLE RootHandle OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PULARGE_INTEGER ByteOffset, +IN PULARGE_INTEGER Length, +IN ULONG Key, +IN BOOLEAN FailImmediately, +IN BOOLEAN ExclusiveLock); + +EXTERN_C NTSTATUS Sw3NtLockProductActivationKeys( +IN OUT PULONG pPrivateVer OPTIONAL, +OUT PULONG pSafeMode OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockRegistryKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtLockVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PULONG RegionSize, +IN ULONG MapType); + +EXTERN_C NTSTATUS Sw3NtMakePermanentObject( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtMakeTemporaryObject( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtManagePartition( +IN HANDLE TargetHandle, +IN HANDLE SourceHandle, +IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, +IN OUT PVOID PartitionInformation, +IN ULONG PartitionInformationLength); + +EXTERN_C NTSTATUS Sw3NtMapCMFModule( +IN ULONG What, +IN ULONG Index, +OUT PULONG CacheIndexOut OPTIONAL, +OUT PULONG CacheFlagsOut OPTIONAL, +OUT PULONG ViewSizeOut OPTIONAL, +OUT PVOID BaseAddress OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPages( +IN PVOID VirtualAddress, +IN PULONG NumberOfPages, +IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSectionEx( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PLARGE_INTEGER SectionOffset, +IN OUT PPVOID BaseAddress, +IN OUT PSIZE_T ViewSize, +IN ULONG AllocationType, +IN ULONG Protect, +IN OUT PVOID DataBuffer OPTIONAL, +IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtModifyBootEntry( +IN PBOOT_ENTRY BootEntry); + +EXTERN_C NTSTATUS Sw3NtModifyDriverEntry( +IN PEFI_DRIVER_ENTRY DriverEntry); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_NOTIFY_INFORMATION Buffer, +IN ULONG Length, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFileEx( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID Buffer, +IN ULONG Length, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeKey( +IN HANDLE KeyHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +OUT PVOID Buffer OPTIONAL, +IN ULONG BufferSize, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeMultipleKeys( +IN HANDLE MasterKeyHandle, +IN ULONG Count OPTIONAL, +IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +OUT PVOID Buffer OPTIONAL, +IN ULONG BufferSize, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeSession( +IN HANDLE SessionHandle, +IN ULONG ChangeSequenceNumber, +IN PLARGE_INTEGER ChangeTimeStamp, +IN IO_SESSION_EVENT Event, +IN IO_SESSION_STATE NewState, +IN IO_SESSION_STATE PreviousState, +IN PVOID Payload OPTIONAL, +IN ULONG PayloadSize); + +EXTERN_C NTSTATUS Sw3NtOpenEnlistment( +OUT PHANDLE EnlistmentHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE ResourceManagerHandle, +IN LPGUID EnlistmentGuid, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEventPair( +OUT PHANDLE EventPairHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenIoCompletion( +OUT PHANDLE IoCompletionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenJobObject( +OUT PHANDLE JobHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenKeyEx( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransacted( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransactedEx( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG OpenOptions, +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyedEvent( +OUT PHANDLE KeyedEventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN ACCESS_MASK GrantedAccess, +IN PPRIVILEGE_SET Privileges OPTIONAL, +IN BOOLEAN ObjectCreation, +IN BOOLEAN AccessGranted, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtOpenPartition( +OUT PHANDLE PartitionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenPrivateNamespace( +OUT PHANDLE NamespaceHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtOpenProcessToken( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenRegistryTransaction( +OUT PHANDLE RegistryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenResourceManager( +OUT PHANDLE ResourceManagerHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE TmHandle, +IN LPGUID ResourceManagerGuid OPTIONAL, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSemaphore( +OUT PHANDLE SemaphoreHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSession( +OUT PHANDLE SessionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSymbolicLinkObject( +OUT PHANDLE LinkHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenThread( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenTransaction( +OUT PHANDLE TransactionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN LPGUID Uow, +IN HANDLE TmHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTransactionManager( +OUT PHANDLE TmHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PUNICODE_STRING LogFileName OPTIONAL, +IN LPGUID TmIdentity OPTIONAL, +IN ULONG OpenOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPlugPlayControl( +IN PLUGPLAY_CONTROL_CLASS PnPControlClass, +IN OUT PVOID PnPControlData, +IN ULONG PnPControlDataLength); + +EXTERN_C NTSTATUS Sw3NtPrePrepareComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrePrepareEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrivilegeCheck( +IN HANDLE ClientToken, +IN OUT PPRIVILEGE_SET RequiredPrivileges, +OUT PBOOLEAN Result); + +EXTERN_C NTSTATUS Sw3NtPrivilegeObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN PPRIVILEGE_SET Privileges, +IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPrivilegedServiceAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PUNICODE_STRING ServiceName, +IN HANDLE ClientToken, +IN PPRIVILEGE_SET Privileges, +IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPropagationComplete( +IN HANDLE ResourceManagerHandle, +IN ULONG RequestCookie, +IN ULONG BufferLength, +IN PVOID Buffer); + +EXTERN_C NTSTATUS Sw3NtPropagationFailed( +IN HANDLE ResourceManagerHandle, +IN ULONG RequestCookie, +IN NTSTATUS PropStatus); + +EXTERN_C NTSTATUS Sw3NtPulseEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryAuxiliaryCounterFrequency( +OUT PULONGLONG lpAuxiliaryCounterFrequency); + +EXTERN_C NTSTATUS Sw3NtQueryBootEntryOrder( +OUT PULONG Ids OPTIONAL, +IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryBootOptions( +OUT PBOOT_OPTIONS BootOptions OPTIONAL, +IN OUT PULONG BootOptionsLength); + +EXTERN_C NTSTATUS Sw3NtQueryDebugFilterState( +IN ULONG ComponentId, +IN ULONG Level); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFileEx( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass, +IN ULONG QueryFlags, +IN PUNICODE_STRING FileName OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryObject( +IN HANDLE DirectoryHandle, +OUT PVOID Buffer OPTIONAL, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN BOOLEAN RestartScan, +IN OUT PULONG Context, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDriverEntryOrder( +IN PULONG Ids OPTIONAL, +IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryEaFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_FULL_EA_INFORMATION Buffer, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, +IN ULONG EaListLength, +IN PULONG EaIndex OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQueryFullAttributesFile( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtQueryInformationAtom( +IN USHORT Atom, +IN ATOM_INFORMATION_CLASS AtomInformationClass, +OUT PVOID AtomInformation, +IN ULONG AtomInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationByName( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtQueryInformationEnlistment( +IN HANDLE EnlistmentHandle, +IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, +OUT PVOID EnlistmentInformation, +IN ULONG EnlistmentInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationJobObject( +IN HANDLE JobHandle, +IN JOBOBJECTINFOCLASS JobObjectInformationClass, +OUT PVOID JobObjectInformation, +IN ULONG JobObjectInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationPort( +IN HANDLE PortHandle, +IN PORT_INFORMATION_CLASS PortInformationClass, +OUT PVOID PortInformation, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationResourceManager( +IN HANDLE ResourceManagerHandle, +IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, +OUT PVOID ResourceManagerInformation, +IN ULONG ResourceManagerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransaction( +IN HANDLE TransactionHandle, +IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, +OUT PVOID TransactionInformation, +IN ULONG TransactionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransactionManager( +IN HANDLE TransactionManagerHandle, +IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, +OUT PVOID TransactionManagerInformation, +IN ULONG TransactionManagerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, +OUT PVOID WorkerFactoryInformation, +IN ULONG WorkerFactoryInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInstallUILanguage( +OUT PLANGID InstallUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueryIntervalProfile( +IN KPROFILE_SOURCE ProfileSource, +OUT PULONG Interval); + +EXTERN_C NTSTATUS Sw3NtQueryIoCompletion( +IN HANDLE IoCompletionHandle, +IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, +OUT PVOID IoCompletionInformation, +IN ULONG IoCompletionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryLicenseValue( +IN PUNICODE_STRING ValueName, +OUT PULONG Type OPTIONAL, +OUT PVOID SystemData OPTIONAL, +IN ULONG DataSize, +OUT PULONG ResultDataSize); + +EXTERN_C NTSTATUS Sw3NtQueryMultipleValueKey( +IN HANDLE KeyHandle, +IN OUT PKEY_VALUE_ENTRY ValueEntries, +IN ULONG EntryCount, +OUT PVOID ValueBuffer, +IN PULONG BufferLength, +OUT PULONG RequiredBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryMutant( +IN HANDLE MutantHandle, +IN MUTANT_INFORMATION_CLASS MutantInformationClass, +OUT PVOID MutantInformation, +IN ULONG MutantInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeys( +IN POBJECT_ATTRIBUTES TargetKey, +OUT PULONG HandleCount); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeysEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN ULONG BufferLength, +OUT PVOID Buffer, +OUT PULONG RequiredSize); + +EXTERN_C NTSTATUS Sw3NtQueryPortInformationProcess(); + +EXTERN_C NTSTATUS Sw3NtQueryQuotaInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_USER_QUOTA_INFORMATION Buffer, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, +IN ULONG SidListLength, +IN PSID StartSid OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityAttributesToken( +IN HANDLE TokenHandle, +IN PUNICODE_STRING Attributes OPTIONAL, +IN ULONG NumberOfAttributes, +OUT PVOID Buffer, +IN ULONG Length, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityObject( +IN HANDLE Handle, +IN SECURITY_INFORMATION SecurityInformation, +OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, +IN ULONG Length, +OUT PULONG LengthNeeded); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityPolicy( +IN ULONG_PTR UnknownParameter1, +IN ULONG_PTR UnknownParameter2, +IN ULONG_PTR UnknownParameter3, +IN ULONG_PTR UnknownParameter4, +IN ULONG_PTR UnknownParameter5, +IN ULONG_PTR UnknownParameter6); + +EXTERN_C NTSTATUS Sw3NtQuerySemaphore( +IN HANDLE SemaphoreHandle, +IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, +OUT PVOID SemaphoreInformation, +IN ULONG SemaphoreInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySymbolicLinkObject( +IN HANDLE LinkHandle, +IN OUT PUNICODE_STRING LinkTarget, +OUT PULONG ReturnedLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValue( +IN PUNICODE_STRING VariableName, +OUT PVOID VariableValue, +IN ULONG ValueLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValueEx( +IN PUNICODE_STRING VariableName, +IN LPGUID VendorGuid, +OUT PVOID Value OPTIONAL, +IN OUT PULONG ValueLength, +OUT PULONG Attributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformationEx( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN PVOID InputBuffer, +IN ULONG InputBufferLength, +OUT PVOID SystemInformation OPTIONAL, +IN ULONG SystemInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryTimerResolution( +OUT PULONG MaximumTime, +OUT PULONG MinimumTime, +OUT PULONG CurrentTime); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN PVOID ExplicitScope OPTIONAL, +OUT PWNF_CHANGE_STAMP ChangeStamp, +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferSize); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateNameInformation( +IN PCWNF_STATE_NAME StateName, +IN PCWNF_TYPE_ID NameInfoClass, +IN PVOID ExplicitScope OPTIONAL, +OUT PVOID InfoBuffer, +IN ULONG InfoBufferSize); + +EXTERN_C NTSTATUS Sw3NtQueueApcThreadEx( +IN HANDLE ThreadHandle, +IN HANDLE UserApcReserveHandle OPTIONAL, +IN PKNORMAL_ROUTINE ApcRoutine, +IN PVOID ApcArgument1 OPTIONAL, +IN PVOID ApcArgument2 OPTIONAL, +IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRaiseException( +IN PEXCEPTION_RECORD ExceptionRecord, +IN PCONTEXT ContextRecord, +IN BOOLEAN FirstChance); + +EXTERN_C NTSTATUS Sw3NtRaiseHardError( +IN NTSTATUS ErrorStatus, +IN ULONG NumberOfParameters, +IN ULONG UnicodeStringParameterMask, +IN PULONG_PTR Parameters, +IN ULONG ValidResponseOptions, +OUT PULONG Response); + +EXTERN_C NTSTATUS Sw3NtReadOnlyEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverEnlistment( +IN HANDLE EnlistmentHandle, +IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverResourceManager( +IN HANDLE ResourceManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRecoverTransactionManager( +IN HANDLE TransactionManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRegisterProtocolAddressInformation( +IN HANDLE ResourceManager, +IN LPGUID ProtocolId, +IN ULONG ProtocolInformationSize, +IN PVOID ProtocolInformation, +IN ULONG CreateOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRegisterThreadTerminatePort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtReleaseKeyedEvent( +IN HANDLE KeyedEventHandle, +IN PVOID KeyValue, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseWorkerFactoryWorker( +IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletionEx( +IN HANDLE IoCompletionHandle, +OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, +IN ULONG Count, +OUT PULONG NumEntriesRemoved, +IN PLARGE_INTEGER Timeout OPTIONAL, +IN BOOLEAN Alertable); + +EXTERN_C NTSTATUS Sw3NtRemoveProcessDebug( +IN HANDLE ProcessHandle, +IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtRenameKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING NewName); + +EXTERN_C NTSTATUS Sw3NtRenameTransactionManager( +IN PUNICODE_STRING LogFileName, +IN LPGUID ExistingTransactionManagerGuid); + +EXTERN_C NTSTATUS Sw3NtReplaceKey( +IN POBJECT_ATTRIBUTES NewFile, +IN HANDLE TargetHandle, +IN POBJECT_ATTRIBUTES OldFile); + +EXTERN_C NTSTATUS Sw3NtReplacePartitionUnit( +IN PUNICODE_STRING TargetInstancePath, +IN PUNICODE_STRING SpareInstancePath, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReplyPort( +IN HANDLE PortHandle, +IN OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtRequestPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE RequestMessage); + +EXTERN_C NTSTATUS Sw3NtResetEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResetWriteWatch( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN ULONG RegionSize); + +EXTERN_C NTSTATUS Sw3NtRestoreKey( +IN HANDLE KeyHandle, +IN HANDLE FileHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtResumeProcess( +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtRevertContainerImpersonation(); + +EXTERN_C NTSTATUS Sw3NtRollbackComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackRegistryTransaction( +IN HANDLE RegistryHandle, +IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtRollbackTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtRollforwardTransactionManager( +IN HANDLE TransactionManagerHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSaveKey( +IN HANDLE KeyHandle, +IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSaveKeyEx( +IN HANDLE KeyHandle, +IN HANDLE FileHandle, +IN ULONG Format); + +EXTERN_C NTSTATUS Sw3NtSaveMergedKeys( +IN HANDLE HighPrecedenceKeyHandle, +IN HANDLE LowPrecedenceKeyHandle, +IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSecureConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, +IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, +IN PSID RequiredServerSid OPTIONAL, +IN OUT PPORT_SECTION_READ ServerView OPTIONAL, +OUT PULONG MaxMessageLength OPTIONAL, +IN OUT PVOID ConnectionInformation OPTIONAL, +IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSerializeBoot(); + +EXTERN_C NTSTATUS Sw3NtSetBootEntryOrder( +IN PULONG Ids, +IN ULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetBootOptions( +IN PBOOT_OPTIONS BootOptions, +IN ULONG FieldsToChange); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel( +IN ULONG Flags, +IN SE_SIGNING_LEVEL InputSigningLevel, +IN PHANDLE SourceFiles, +IN ULONG SourceFileCount, +IN HANDLE TargetFile OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel2( +IN ULONG Flags, +IN ULONG InputSigningLevel, +IN PHANDLE SourceFiles, +IN ULONG SourceFileCount, +IN HANDLE TargetFile OPTIONAL, +IN PVOID LevelInformation OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetContextThread( +IN HANDLE ThreadHandle, +IN PCONTEXT Context); + +EXTERN_C NTSTATUS Sw3NtSetDebugFilterState( +IN ULONG ComponentId, +IN ULONG Level, +IN BOOLEAN State); + +EXTERN_C NTSTATUS Sw3NtSetDefaultHardErrorPort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtSetDefaultLocale( +IN BOOLEAN UserProfile, +IN LCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtSetDefaultUILanguage( +IN LANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtSetDriverEntryOrder( +IN PULONG Ids, +IN PULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetEaFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_FULL_EA_INFORMATION EaBuffer, +IN ULONG EaBufferSize); + +EXTERN_C NTSTATUS Sw3NtSetHighEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetHighWaitLowEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetIRTimer( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationDebugObject( +IN HANDLE DebugObject, +IN DEBUGOBJECTINFOCLASS InformationClass, +IN PVOID Information, +IN ULONG InformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationEnlistment( +IN HANDLE EnlistmentHandle, +IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, +IN PVOID EnlistmentInformation, +IN ULONG EnlistmentInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationJobObject( +IN HANDLE JobHandle, +IN JOBOBJECTINFOCLASS JobObjectInformationClass, +IN PVOID JobObjectInformation, +IN ULONG JobObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationKey( +IN HANDLE KeyHandle, +IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, +IN PVOID KeySetInformation, +IN ULONG KeySetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationResourceManager( +IN HANDLE ResourceManagerHandle, +IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, +IN PVOID ResourceManagerInformation, +IN ULONG ResourceManagerInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationSymbolicLink( +IN HANDLE Handle, +IN ULONG Class, +IN PVOID Buffer, +IN ULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationToken( +IN HANDLE TokenHandle, +IN TOKEN_INFORMATION_CLASS TokenInformationClass, +IN PVOID TokenInformation, +IN ULONG TokenInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransaction( +IN HANDLE TransactionHandle, +IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, +IN PVOID TransactionInformation, +IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransactionManager( +IN HANDLE TransactionHandle, +IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, +IN PVOID TransactionInformation, +IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationVirtualMemory( +IN HANDLE ProcessHandle, +IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, +IN ULONG_PTR NumberOfEntries, +IN PMEMORY_RANGE_ENTRY VirtualAddresses, +IN PVOID VmInformation, +IN ULONG VmInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, +IN PVOID WorkerFactoryInformation, +IN ULONG WorkerFactoryInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetIntervalProfile( +IN ULONG Interval, +IN KPROFILE_SOURCE Source); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletion( +IN HANDLE IoCompletionHandle, +IN ULONG CompletionKey, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN NTSTATUS CompletionStatus, +IN ULONG NumberOfBytesTransfered); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletionEx( +IN HANDLE IoCompletionHandle, +IN HANDLE IoCompletionPacketHandle, +IN PVOID KeyContext OPTIONAL, +IN PVOID ApcContext OPTIONAL, +IN NTSTATUS IoStatus, +IN ULONG_PTR IoStatusInformation); + +EXTERN_C NTSTATUS Sw3NtSetLdtEntries( +IN ULONG Selector0, +IN ULONG Entry0Low, +IN ULONG Entry0Hi, +IN ULONG Selector1, +IN ULONG Entry1Low, +IN ULONG Entry1Hi); + +EXTERN_C NTSTATUS Sw3NtSetLowEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetLowWaitHighEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetQuotaInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_USER_QUOTA_INFORMATION Buffer, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtSetSecurityObject( +IN HANDLE ObjectHandle, +IN SECURITY_INFORMATION SecurityInformationClass, +IN PSECURITY_DESCRIPTOR DescriptorBuffer); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValue( +IN PUNICODE_STRING VariableName, +IN PUNICODE_STRING Value); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValueEx( +IN PUNICODE_STRING VariableName, +IN LPGUID VendorGuid, +IN PVOID Value OPTIONAL, +IN ULONG ValueLength, +IN ULONG Attributes); + +EXTERN_C NTSTATUS Sw3NtSetSystemInformation( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN PVOID SystemInformation, +IN ULONG SystemInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetSystemPowerState( +IN POWER_ACTION SystemAction, +IN SYSTEM_POWER_STATE MinSystemState, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtSetSystemTime( +IN PLARGE_INTEGER SystemTime, +OUT PLARGE_INTEGER PreviousTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetThreadExecutionState( +IN EXECUTION_STATE ExecutionState, +OUT PEXECUTION_STATE PreviousExecutionState); + +EXTERN_C NTSTATUS Sw3NtSetTimer2( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime, +IN PLARGE_INTEGER Period OPTIONAL, +IN PT2_SET_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtSetTimerEx( +IN HANDLE TimerHandle, +IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, +IN OUT PVOID TimerSetInformation OPTIONAL, +IN ULONG TimerSetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetTimerResolution( +IN ULONG DesiredResolution, +IN BOOLEAN SetResolution, +OUT PULONG CurrentResolution); + +EXTERN_C NTSTATUS Sw3NtSetUuidSeed( +IN PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtSetVolumeInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileSystemInformation, +IN ULONG Length, +IN FSINFOCLASS FileSystemInformationClass); + +EXTERN_C NTSTATUS Sw3NtSetWnfProcessNotificationEvent( +IN HANDLE NotificationEvent); + +EXTERN_C NTSTATUS Sw3NtShutdownSystem( +IN SHUTDOWN_ACTION Action); + +EXTERN_C NTSTATUS Sw3NtShutdownWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN OUT PLONG PendingWorkerCount); + +EXTERN_C NTSTATUS Sw3NtSignalAndWaitForSingleObject( +IN HANDLE hObjectToSignal, +IN HANDLE hObjectToWaitOn, +IN BOOLEAN bAlertable, +IN PLARGE_INTEGER dwMilliseconds OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSinglePhaseReject( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtStartProfile( +IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtStopProfile( +IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtSubscribeWnfStateChange( +IN PCWNF_STATE_NAME StateName, +IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, +IN ULONG EventMask, +OUT PLARGE_INTEGER SubscriptionId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSuspendProcess( +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtSuspendThread( +IN HANDLE ThreadHandle, +OUT PULONG PreviousSuspendCount); + +EXTERN_C NTSTATUS Sw3NtSystemDebugControl( +IN DEBUG_CONTROL_CODE Command, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateEnclave( +IN PVOID BaseAddress, +IN BOOLEAN WaitForThread); + +EXTERN_C NTSTATUS Sw3NtTerminateJobObject( +IN HANDLE JobHandle, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtTestAlert(); + +EXTERN_C NTSTATUS Sw3NtThawRegistry(); + +EXTERN_C NTSTATUS Sw3NtThawTransactions(); + +EXTERN_C NTSTATUS Sw3NtTraceControl( +IN ULONG FunctionCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtTranslateFilePath( +IN PFILE_PATH InputFilePath, +IN ULONG OutputType, +OUT PFILE_PATH OutputFilePath OPTIONAL, +IN OUT PULONG OutputFilePathLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUmsThreadYield( +IN PVOID SchedulerParam); + +EXTERN_C NTSTATUS Sw3NtUnloadDriver( +IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey( +IN POBJECT_ATTRIBUTES DestinationKeyName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey2( +IN POBJECT_ATTRIBUTES TargetKey, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnloadKeyEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN HANDLE Event OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUnlockFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PULARGE_INTEGER ByteOffset, +IN PULARGE_INTEGER Length, +IN ULONG Key); + +EXTERN_C NTSTATUS Sw3NtUnlockVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID * BaseAddress, +IN PSIZE_T NumberOfBytesToUnlock, +IN ULONG LockType); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSectionEx( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnsubscribeWnfStateChange( +IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtUpdateWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PVOID Buffer OPTIONAL, +IN ULONG Length OPTIONAL, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN PVOID ExplicitScope OPTIONAL, +IN WNF_CHANGE_STAMP MatchingChangeStamp, +IN ULONG CheckStamp); + +EXTERN_C NTSTATUS Sw3NtVdmControl( +IN VDMSERVICECLASS Service, +IN OUT PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtWaitForAlertByThreadId( +IN HANDLE Handle, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForDebugEvent( +IN HANDLE DebugObjectHandle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL, +OUT PVOID WaitStateChange); + +EXTERN_C NTSTATUS Sw3NtWaitForKeyedEvent( +IN HANDLE KeyedEventHandle, +IN PVOID Key, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForWorkViaWorkerFactory( +IN HANDLE WorkerFactoryHandle, +OUT PVOID MiniPacket); + +EXTERN_C NTSTATUS Sw3NtWaitHighEventPair( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtWaitLowEventPair( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtAcquireCMFViewOwnership( +OUT BOOLEAN TimeStamp, +OUT BOOLEAN TokenTaken, +IN BOOLEAN ReplaceExisting); + +EXTERN_C NTSTATUS Sw3NtCancelDeviceWakeupRequest( +IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtClearAllSavepointsTransaction( +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtClearSavepointTransaction( +IN HANDLE TransactionHandle, +IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtRollbackSavepointTransaction( +IN HANDLE TransactionHandle, +IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Flag, +OUT ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointComplete( +IN HANDLE TransactionHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSectionEx( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PLARGE_INTEGER MaximumSize OPTIONAL, +IN ULONG SectionPageProtection, +IN ULONG AllocationAttributes, +IN HANDLE FileHandle OPTIONAL, +IN PMEM_EXTENDED_PARAMETER ExtendedParameters, +IN ULONG ExtendedParametersCount); + +EXTERN_C NTSTATUS Sw3NtCreateCrossVmEvent(); + +EXTERN_C NTSTATUS Sw3NtGetPlugPlayEvent( +IN HANDLE EventHandle, +IN PVOID Context OPTIONAL, +OUT PPLUGPLAY_EVENT_BLOCK EventBlock, +IN ULONG EventBufferSize); + +EXTERN_C NTSTATUS Sw3NtListTransactions(); + +EXTERN_C NTSTATUS Sw3NtMarshallTransaction(); + +EXTERN_C NTSTATUS Sw3NtPullTransaction(); + +EXTERN_C NTSTATUS Sw3NtReleaseCMFViewOwnership(); + +EXTERN_C NTSTATUS Sw3NtWaitForWnfNotifications(); + +EXTERN_C NTSTATUS Sw3NtStartTm(); + +EXTERN_C NTSTATUS Sw3NtSetInformationProcess( +IN HANDLE DeviceHandle, +IN PROCESSINFOCLASS ProcessInformationClass, +IN PVOID ProcessInformation, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtRequestDeviceWakeup( +IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtRequestWakeupLatency( +IN ULONG LatencyTime); + +EXTERN_C NTSTATUS Sw3NtQuerySystemTime( +OUT PLARGE_INTEGER SystemTime); + +EXTERN_C NTSTATUS Sw3NtManageHotPatch( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2, +IN ULONG UnknownParameter3, +IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtContinueEx( +IN PCONTEXT ContextRecord, +IN PKCONTINUE_ARGUMENT ContinueArgument); + +#endif diff --git a/sample_bof/Makefile b/sample_bof/Makefile new file mode 100644 index 0000000..e69de29 diff --git a/sample_bof/beacon.h b/sample_bof/beacon.h new file mode 100644 index 0000000..3b9c96e --- /dev/null +++ b/sample_bof/beacon.h @@ -0,0 +1,370 @@ +/* + * Beacon Object Files (BOF) + * ------------------------- + * A Beacon Object File is a light-weight post exploitation tool that runs + * with Beacon's inline-execute command. + * + * Additional BOF resources are available here: + * - https://github.com/Cobalt-Strike/bof_template + * + * Cobalt Strike 4.x + * ChangeLog: + * 1/25/2022: updated for 4.5 + * 7/18/2023: Added BeaconInformation API for 4.9 + * 7/31/2023: Added Key/Value store APIs for 4.9 + * BeaconAddValue, BeaconGetValue, and BeaconRemoveValue + * 8/31/2023: Added Data store APIs for 4.9 + * BeaconDataStoreGetItem, BeaconDataStoreProtectItem, + * BeaconDataStoreUnprotectItem, and BeaconDataStoreMaxEntries + * 9/01/2023: Added BeaconGetCustomUserData API for 4.9 + * 3/21/2024: Updated BeaconInformation API for 4.10 to return a BOOL + * Updated the BEACON_INFO data structure to add new parameters + * 4/19/2024: Added BeaconGetSyscallInformation API for 4.10 + * 4/25/2024: Added APIs to call Beacon's system call implementation + */ +#ifndef _BEACON_H_ +#define _BEACON_H_ +#include + +#ifdef __cplusplus +extern "C" { +#endif // __cplusplus + +/* data API */ +typedef struct { + char * original; /* the original buffer [so we can free it] */ + char * buffer; /* current pointer into our buffer */ + int length; /* remaining length of data */ + int size; /* total size of this buffer */ +} datap; + +DECLSPEC_IMPORT void BeaconDataParse(datap * parser, char * buffer, int size); +DECLSPEC_IMPORT char * BeaconDataPtr(datap * parser, int size); +DECLSPEC_IMPORT int BeaconDataInt(datap * parser); +DECLSPEC_IMPORT short BeaconDataShort(datap * parser); +DECLSPEC_IMPORT int BeaconDataLength(datap * parser); +DECLSPEC_IMPORT char * BeaconDataExtract(datap * parser, int * size); + +/* format API */ +typedef struct { + char * original; /* the original buffer [so we can free it] */ + char * buffer; /* current pointer into our buffer */ + int length; /* remaining length of data */ + int size; /* total size of this buffer */ +} formatp; + +DECLSPEC_IMPORT void BeaconFormatAlloc(formatp * format, int maxsz); +DECLSPEC_IMPORT void BeaconFormatReset(formatp * format); +DECLSPEC_IMPORT void BeaconFormatAppend(formatp * format, const char * text, int len); +DECLSPEC_IMPORT void BeaconFormatPrintf(formatp * format, const char * fmt, ...); +DECLSPEC_IMPORT char * BeaconFormatToString(formatp * format, int * size); +DECLSPEC_IMPORT void BeaconFormatFree(formatp * format); +DECLSPEC_IMPORT void BeaconFormatInt(formatp * format, int value); + +/* Output Functions */ +#define CALLBACK_OUTPUT 0x0 +#define CALLBACK_OUTPUT_OEM 0x1e +#define CALLBACK_OUTPUT_UTF8 0x20 +#define CALLBACK_ERROR 0x0d +#define CALLBACK_CUSTOM 0x1000 +#define CALLBACK_CUSTOM_LAST 0x13ff + + +DECLSPEC_IMPORT void BeaconOutput(int type, const char * data, int len); +DECLSPEC_IMPORT void BeaconPrintf(int type, const char * fmt, ...); + + +/* Token Functions */ +DECLSPEC_IMPORT BOOL BeaconUseToken(HANDLE token); +DECLSPEC_IMPORT void BeaconRevertToken(); +DECLSPEC_IMPORT BOOL BeaconIsAdmin(); + +/* Spawn+Inject Functions */ +DECLSPEC_IMPORT void BeaconGetSpawnTo(BOOL x86, char * buffer, int length); +DECLSPEC_IMPORT void BeaconInjectProcess(HANDLE hProc, int pid, char * payload, int p_len, int p_offset, char * arg, int a_len); +DECLSPEC_IMPORT void BeaconInjectTemporaryProcess(PROCESS_INFORMATION * pInfo, char * payload, int p_len, int p_offset, char * arg, int a_len); +DECLSPEC_IMPORT BOOL BeaconSpawnTemporaryProcess(BOOL x86, BOOL ignoreToken, STARTUPINFO * si, PROCESS_INFORMATION * pInfo); +DECLSPEC_IMPORT void BeaconCleanupProcess(PROCESS_INFORMATION * pInfo); + +/* Utility Functions */ +DECLSPEC_IMPORT BOOL toWideChar(char * src, wchar_t * dst, int max); + +/* Beacon Information */ +/* + * ptr - pointer to the base address of the allocated memory. + * size - the number of bytes allocated for the ptr. + */ +typedef struct { + char * ptr; + size_t size; +} HEAP_RECORD; +#define MASK_SIZE 13 + +/* Information the user can set in the USER_DATA via a UDRL */ +typedef enum { + PURPOSE_EMPTY, + PURPOSE_GENERIC_BUFFER, + PURPOSE_BEACON_MEMORY, + PURPOSE_SLEEPMASK_MEMORY, + PURPOSE_BOF_MEMORY, + PURPOSE_USER_DEFINED_MEMORY = 1000 +} ALLOCATED_MEMORY_PURPOSE; + +typedef enum { + LABEL_EMPTY, + LABEL_BUFFER, + LABEL_PEHEADER, + LABEL_TEXT, + LABEL_RDATA, + LABEL_DATA, + LABEL_PDATA, + LABEL_RELOC, + LABEL_USER_DEFINED = 1000 +} ALLOCATED_MEMORY_LABEL; + +typedef enum { + METHOD_UNKNOWN, + METHOD_VIRTUALALLOC, + METHOD_HEAPALLOC, + METHOD_MODULESTOMP, + METHOD_NTMAPVIEW, + METHOD_USER_DEFINED = 1000, +} ALLOCATED_MEMORY_ALLOCATION_METHOD; + +/** +* This structure allows the user to provide additional information +* about the allocated heap for cleanup. It is mandatory to provide +* the HeapHandle but the DestroyHeap Boolean can be used to indicate +* whether the clean up code should destroy the heap or simply free the pages. +* This is useful in situations where a loader allocates memory in the +* processes current heap. +*/ +typedef struct _HEAPALLOC_INFO { + PVOID HeapHandle; + BOOL DestroyHeap; +} HEAPALLOC_INFO, *PHEAPALLOC_INFO; + +typedef struct _MODULESTOMP_INFO { + HMODULE ModuleHandle; +} MODULESTOMP_INFO, *PMODULESTOMP_INFO; + +typedef union _ALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION { + HEAPALLOC_INFO HeapAllocInfo; + MODULESTOMP_INFO ModuleStompInfo; + PVOID Custom; +} ALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION, *PALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION; + +typedef struct _ALLOCATED_MEMORY_CLEANUP_INFORMATION { + BOOL Cleanup; + ALLOCATED_MEMORY_ALLOCATION_METHOD AllocationMethod; + ALLOCATED_MEMORY_ADDITIONAL_CLEANUP_INFORMATION AdditionalCleanupInformation; +} ALLOCATED_MEMORY_CLEANUP_INFORMATION, *PALLOCATED_MEMORY_CLEANUP_INFORMATION; + +typedef struct _ALLOCATED_MEMORY_SECTION { + ALLOCATED_MEMORY_LABEL Label; // A label to simplify Sleepmask development + PVOID BaseAddress; // Pointer to virtual address of section + SIZE_T VirtualSize; // Virtual size of the section + DWORD CurrentProtect; // Current memory protection of the section + DWORD PreviousProtect; // The previous memory protection of the section (prior to masking/unmasking) + BOOL MaskSection; // A boolean to indicate whether the section should be masked +} ALLOCATED_MEMORY_SECTION, *PALLOCATED_MEMORY_SECTION; + +typedef struct _ALLOCATED_MEMORY_REGION { + ALLOCATED_MEMORY_PURPOSE Purpose; // A label to indicate the purpose of the allocated memory + PVOID AllocationBase; // The base address of the allocated memory block + SIZE_T RegionSize; // The size of the allocated memory block + DWORD Type; // The type of memory allocated + ALLOCATED_MEMORY_SECTION Sections[8]; // An array of section information structures + ALLOCATED_MEMORY_CLEANUP_INFORMATION CleanupInformation; // Information required to cleanup the allocation +} ALLOCATED_MEMORY_REGION, *PALLOCATED_MEMORY_REGION; + +typedef struct { + ALLOCATED_MEMORY_REGION AllocatedMemoryRegions[6]; +} ALLOCATED_MEMORY, *PALLOCATED_MEMORY; + +/* + * version - The version of the beacon dll was added for release 4.10 + * version format: 0xMMmmPP, where MM = Major, mm = Minor, and PP = Patch + * e.g. 0x040900 -> CS 4.9 + * 0x041000 -> CS 4.10 + * + * sleep_mask_ptr - pointer to the sleep mask base address + * sleep_mask_text_size - the sleep mask text section size + * sleep_mask_total_size - the sleep mask total memory size + * + * beacon_ptr - pointer to beacon's base address + * The stage.obfuscate flag affects this value when using CS default loader. + * true: beacon_ptr = allocated_buffer - 0x1000 (Not a valid address) + * false: beacon_ptr = allocated_buffer (A valid address) + * For a UDRL the beacon_ptr will be set to the 1st argument to DllMain + * when the 2nd argument is set to DLL_PROCESS_ATTACH. + * heap_records - list of memory addresses on the heap beacon wants to mask. + * The list is terminated by the HEAP_RECORD.ptr set to NULL. + * mask - the mask that beacon randomly generated to apply + * + * Added in version 4.10 + * allocatedMemory - An ALLOCATED_MEMORY structure that can be set in the USER_DATA + * via a UDRL. + */ +typedef struct { + unsigned int version; + char * sleep_mask_ptr; + DWORD sleep_mask_text_size; + DWORD sleep_mask_total_size; + + char * beacon_ptr; + HEAP_RECORD * heap_records; + char mask[MASK_SIZE]; + + ALLOCATED_MEMORY allocatedMemory; +} BEACON_INFO, *PBEACON_INFO; + +DECLSPEC_IMPORT BOOL BeaconInformation(PBEACON_INFO info); + +/* Key/Value store functions + * These functions are used to associate a key to a memory address and save + * that information into beacon. These memory addresses can then be + * retrieved in a subsequent execution of a BOF. + * + * key - the key will be converted to a hash which is used to locate the + * memory address. + * + * ptr - a memory address to save. + * + * Considerations: + * - The contents at the memory address is not masked by beacon. + * - The contents at the memory address is not released by beacon. + * + */ +DECLSPEC_IMPORT BOOL BeaconAddValue(const char * key, void * ptr); +DECLSPEC_IMPORT void * BeaconGetValue(const char * key); +DECLSPEC_IMPORT BOOL BeaconRemoveValue(const char * key); + +/* Beacon Data Store functions + * These functions are used to access items in Beacon's Data Store. + * BeaconDataStoreGetItem returns NULL if the index does not exist. + * + * The contents are masked by default, and BOFs must unprotect the entry + * before accessing the data buffer. BOFs must also protect the entry + * after the data is not used anymore. + * + */ + +#define DATA_STORE_TYPE_EMPTY 0 +#define DATA_STORE_TYPE_GENERAL_FILE 1 + +typedef struct { + int type; + DWORD64 hash; + BOOL masked; + char* buffer; + size_t length; +} DATA_STORE_OBJECT, *PDATA_STORE_OBJECT; + +DECLSPEC_IMPORT PDATA_STORE_OBJECT BeaconDataStoreGetItem(size_t index); +DECLSPEC_IMPORT void BeaconDataStoreProtectItem(size_t index); +DECLSPEC_IMPORT void BeaconDataStoreUnprotectItem(size_t index); +DECLSPEC_IMPORT size_t BeaconDataStoreMaxEntries(); + +/* Beacon User Data functions */ +DECLSPEC_IMPORT char * BeaconGetCustomUserData(); + +/* Beacon System call */ +/* Syscalls API */ +typedef struct +{ + PVOID fnAddr; + PVOID jmpAddr; + DWORD sysnum; +} SYSCALL_API_ENTRY, *PSYSCALL_API_ENTRY; + +typedef struct +{ + SYSCALL_API_ENTRY ntAllocateVirtualMemory; + SYSCALL_API_ENTRY ntProtectVirtualMemory; + SYSCALL_API_ENTRY ntFreeVirtualMemory; + SYSCALL_API_ENTRY ntGetContextThread; + SYSCALL_API_ENTRY ntSetContextThread; + SYSCALL_API_ENTRY ntResumeThread; + SYSCALL_API_ENTRY ntCreateThreadEx; + SYSCALL_API_ENTRY ntOpenProcess; + SYSCALL_API_ENTRY ntOpenThread; + SYSCALL_API_ENTRY ntClose; + SYSCALL_API_ENTRY ntCreateSection; + SYSCALL_API_ENTRY ntMapViewOfSection; + SYSCALL_API_ENTRY ntUnmapViewOfSection; + SYSCALL_API_ENTRY ntQueryVirtualMemory; + SYSCALL_API_ENTRY ntDuplicateObject; + SYSCALL_API_ENTRY ntReadVirtualMemory; + SYSCALL_API_ENTRY ntWriteVirtualMemory; + SYSCALL_API_ENTRY ntReadFile; + SYSCALL_API_ENTRY ntWriteFile; + SYSCALL_API_ENTRY ntCreateFile; +} SYSCALL_API, *PSYSCALL_API; + +/* Additional Run Time Library (RTL) addresses used to support system calls. + * If they are not set then system calls that require them will fall back + * to the Standard Windows API. + * + * Required to support the following system calls: + * ntCreateFile + */ +typedef struct +{ + PVOID rtlDosPathNameToNtPathNameUWithStatusAddr; + PVOID rtlFreeHeapAddr; + PVOID rtlGetProcessHeapAddr; +} RTL_API, *PRTL_API; + +typedef struct +{ + PSYSCALL_API syscalls; + PRTL_API rtls; +} BEACON_SYSCALLS, *PBEACON_SYSCALLS; + +DECLSPEC_IMPORT BOOL BeaconGetSyscallInformation(PBEACON_SYSCALLS info, BOOL resolveIfNotInitialized); + +/* Beacon System call functions which will use the current system call method */ +DECLSPEC_IMPORT LPVOID BeaconVirtualAlloc(LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); +DECLSPEC_IMPORT LPVOID BeaconVirtualAllocEx(HANDLE processHandle, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect); +DECLSPEC_IMPORT BOOL BeaconVirtualProtect(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); +DECLSPEC_IMPORT BOOL BeaconVirtualProtectEx(HANDLE processHandle, LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect); +DECLSPEC_IMPORT BOOL BeaconVirtualFree(LPVOID lpAddress, SIZE_T dwSize, DWORD dwFreeType); +DECLSPEC_IMPORT BOOL BeaconGetThreadContext(HANDLE threadHandle, PCONTEXT threadContext); +DECLSPEC_IMPORT BOOL BeaconSetThreadContext(HANDLE threadHandle, PCONTEXT threadContext); +DECLSPEC_IMPORT DWORD BeaconResumeThread(HANDLE threadHandle); +DECLSPEC_IMPORT HANDLE BeaconOpenProcess(DWORD desiredAccess, BOOL inheritHandle, DWORD processId); +DECLSPEC_IMPORT HANDLE BeaconOpenThread(DWORD desiredAccess, BOOL inheritHandle, DWORD threadId); +DECLSPEC_IMPORT BOOL BeaconCloseHandle(HANDLE object); +DECLSPEC_IMPORT BOOL BeaconUnmapViewOfFile(LPCVOID baseAddress); +DECLSPEC_IMPORT SIZE_T BeaconVirtualQuery(LPCVOID address, PMEMORY_BASIC_INFORMATION buffer, SIZE_T length); +DECLSPEC_IMPORT BOOL BeaconDuplicateHandle(HANDLE hSourceProcessHandle, HANDLE hSourceHandle, HANDLE hTargetProcessHandle, LPHANDLE lpTargetHandle, DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwOptions); +DECLSPEC_IMPORT BOOL BeaconReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead); +DECLSPEC_IMPORT BOOL BeaconWriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten); + +/* Beacon Gate APIs */ +DECLSPEC_IMPORT VOID BeaconDisableBeaconGate(); +DECLSPEC_IMPORT VOID BeaconEnableBeaconGate(); + +/* Beacon User Data + * + * version format: 0xMMmmPP, where MM = Major, mm = Minor, and PP = Patch + * e.g. 0x040900 -> CS 4.9 + * 0x041000 -> CS 4.10 +*/ + +#define DLL_BEACON_USER_DATA 0x0d +#define BEACON_USER_DATA_CUSTOM_SIZE 32 +typedef struct +{ + unsigned int version; + PSYSCALL_API syscalls; + char custom[BEACON_USER_DATA_CUSTOM_SIZE]; + PRTL_API rtls; + PALLOCATED_MEMORY allocatedMemory; +} USER_DATA, * PUSER_DATA; + +#ifdef __cplusplus +} +#endif // __cplusplus +#endif // _BEACON_H_ diff --git a/sample_bof/main.c b/sample_bof/main.c new file mode 100644 index 0000000..e69de29 diff --git a/sample_bof/syscalls-aio.h b/sample_bof/syscalls-aio.h new file mode 100644 index 0000000..7502710 --- /dev/null +++ b/sample_bof/syscalls-aio.h @@ -0,0 +1,14499 @@ +#pragma once +#include + + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +#ifndef SW3_HEADER_H_ +#define SW3_HEADER_H_ + + + + +#ifndef _NTDEF_ +typedef _Return_type_success_(return >= 0) LONG NTSTATUS; +typedef NTSTATUS* PNTSTATUS; +#endif + +#define SW3_SEED 0xCC6A5286 +#define SW3_ROL8(v) (v << 8 | v >> 24) +#define SW3_ROR8(v) (v >> 8 | v << 24) +#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v)) +#define SW3_MAX_ENTRIES 600 +#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva) + +// Typedefs are prefixed to avoid pollution. + +typedef struct _SW3_SYSCALL_ENTRY +{ +DWORD Hash; +DWORD Address; +PVOID SyscallAddress; +} SW3_SYSCALL_ENTRY, *PSW3_SYSCALL_ENTRY; + +typedef struct _SW3_SYSCALL_LIST +{ +DWORD Count; +SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES]; +} SW3_SYSCALL_LIST, *PSW3_SYSCALL_LIST; + +typedef struct _SW3_PEB_LDR_DATA { +BYTE Reserved1[8]; +PVOID Reserved2[3]; +LIST_ENTRY InMemoryOrderModuleList; +} SW3_PEB_LDR_DATA, *PSW3_PEB_LDR_DATA; + +typedef struct _SW3_LDR_DATA_TABLE_ENTRY { +PVOID Reserved1[2]; +LIST_ENTRY InMemoryOrderLinks; +PVOID Reserved2[2]; +PVOID DllBase; +} SW3_LDR_DATA_TABLE_ENTRY, *PSW3_LDR_DATA_TABLE_ENTRY; + +typedef struct _SW3_PEB { +BYTE Reserved1[2]; +BYTE BeingDebugged; +BYTE Reserved2[1]; +PVOID Reserved3[2]; +PSW3_PEB_LDR_DATA Ldr; +} SW3_PEB, *PSW3_PEB; + +DWORD SW3_HashSyscall(PCSTR FunctionName); +BOOL SW3_PopulateSyscallList(); +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash); +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash); +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID); +typedef struct _UNICODE_STRING +{ +USHORT Length; +USHORT MaximumLength; +PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _SYSTEM_HANDLE +{ +ULONG ProcessId; +BYTE ObjectTypeNumber; +BYTE Flags; +USHORT Handle; +PVOID Object; +ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ +PVOID pValue; +ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ +ULONG64 Version; +UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _WNF_TYPE_ID +{ +GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef enum _KCONTINUE_TYPE +{ +KCONTINUE_UNWIND, +KCONTINUE_RESUME, +KCONTINUE_LONGJUMP, +KCONTINUE_SET, +KCONTINUE_LAST +} KCONTINUE_TYPE; + +typedef struct _IO_STATUS_BLOCK +{ +union +{ +NTSTATUS Status; +VOID* Pointer; +}; +ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef enum _PS_CREATE_STATE +{ +PsCreateInitialState, +PsCreateFailOnFileOpen, +PsCreateFailOnSectionCreate, +PsCreateFailExeFormat, +PsCreateFailMachineMismatch, +PsCreateFailExeName, +PsCreateSuccess, +PsCreateMaximumStates +} PS_CREATE_STATE, *PPS_CREATE_STATE; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ +ULONG HandleCount; +SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _CLIENT_ID +{ +HANDLE UniqueProcess; +HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _PLUGPLAY_EVENT_CATEGORY +{ +HardwareProfileChangeEvent, +TargetDeviceChangeEvent, +DeviceClassChangeEvent, +CustomDeviceEvent, +DeviceInstallEvent, +DeviceArrivalEvent, +PowerEvent, +VetoEvent, +BlockedDriverEvent, +InvalidIDEvent, +MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef enum _PNP_VETO_TYPE +{ +PNP_VetoTypeUnknown, // unspecified +PNP_VetoLegacyDevice, // instance path +PNP_VetoPendingClose, // instance path +PNP_VetoWindowsApp, // module +PNP_VetoWindowsService, // service +PNP_VetoOutstandingOpen, // instance path +PNP_VetoDevice, // instance path +PNP_VetoDriver, // driver service name +PNP_VetoIllegalDeviceRequest, // instance path +PNP_VetoInsufficientPower, // unspecified +PNP_VetoNonDisableable, // instance path +PNP_VetoLegacyDriver, // service +PNP_VetoInsufficientRights // unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ +UNICODE_STRING Name; +USHORT ValueType; +USHORT Reserved; +ULONG Flags; +ULONG ValueCount; +union +{ +PLONG64 pInt64; +PULONG64 pUint64; +PUNICODE_STRING pString; +PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; +PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; +} Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +typedef VOID(KNORMAL_ROUTINE) ( +IN PVOID NormalContext, +IN PVOID SystemArgument1, +IN PVOID SystemArgument2); + +typedef struct _PS_ATTRIBUTE +{ +ULONG Attribute; +SIZE_T Size; +union +{ +ULONG Value; +PVOID ValuePtr; +} u1; +PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _WNF_STATE_NAME +{ +ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ +(p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ +(p)->RootDirectory = r; \ +(p)->Attributes = a; \ +(p)->ObjectName = n; \ +(p)->SecurityDescriptor = s; \ +(p)->SecurityQualityOfService = NULL; \ +} +#endif + +typedef struct _KEY_VALUE_ENTRY +{ +PUNICODE_STRING ValueName; +ULONG DataLength; +ULONG DataOffset; +ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ +KeyWriteTimeInformation, +KeyWow64FlagsInformation, +KeyControlFlagsInformation, +KeySetVirtualizationInformation, +KeySetDebugInformation, +KeySetHandleTagsInformation, +MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. +} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ +SystemBasicInformation = 0, +SystemPerformanceInformation = 2, +SystemTimeOfDayInformation = 3, +SystemProcessInformation = 5, +SystemProcessorPerformanceInformation = 8, +SystemHandleInformation = 16, +SystemInterruptInformation = 23, +SystemExceptionInformation = 33, +SystemRegistryQuotaInformation = 37, +SystemLookasideInformation = 45, +SystemCodeIntegrityInformation = 103, +SystemPolicyInformation = 134, +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _PROCESSINFOCLASS +{ +ProcessBasicInformation = 0, +ProcessDebugPort = 7, +ProcessWow64Information = 26, +ProcessImageFileName = 27, +ProcessBreakOnTermination = 29 +} PROCESSINFOCLASS, *PPROCESSINFOCLASS; + +typedef struct _MEMORY_RANGE_ENTRY +{ +PVOID VirtualAddress; +SIZE_T NumberOfBytes; +} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; + +typedef struct _T2_SET_PARAMETERS_V0 +{ +ULONG Version; +ULONG Reserved; +LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; + +typedef struct _FILE_PATH +{ +ULONG Version; +ULONG Length; +ULONG Type; +CHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _FILE_USER_QUOTA_INFORMATION +{ +ULONG NextEntryOffset; +ULONG SidLength; +LARGE_INTEGER ChangeTime; +LARGE_INTEGER QuotaUsed; +LARGE_INTEGER QuotaThreshold; +LARGE_INTEGER QuotaLimit; +SID Sid[1]; +} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_LIST_INFORMATION +{ +ULONG NextEntryOffset; +ULONG SidLength; +SID Sid[1]; +} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ +LARGE_INTEGER CreationTime; +LARGE_INTEGER LastAccessTime; +LARGE_INTEGER LastWriteTime; +LARGE_INTEGER ChangeTime; +LARGE_INTEGER AllocationSize; +LARGE_INTEGER EndOfFile; +ULONG FileAttributes; +ULONG Unknown; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ +FilterBootOptionOperationOpenSystemStore, +FilterBootOptionOperationSetElement, +FilterBootOptionOperationDeleteElement, +FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; + +typedef enum _EVENT_TYPE +{ +NotificationEvent = 0, +SynchronizationEvent = 1, +} EVENT_TYPE, *PEVENT_TYPE; + +typedef struct _FILE_FULL_EA_INFORMATION +{ +ULONG NextEntryOffset; +UCHAR Flags; +UCHAR EaNameLength; +USHORT EaValueLength; +CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION +{ +ULONG NextEntryOffset; +BYTE EaNameLength; +CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef struct _BOOT_OPTIONS +{ +ULONG Version; +ULONG Length; +ULONG Timeout; +ULONG CurrentBootEntryId; +ULONG NextBootEntryId; +WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef enum _WNF_DATA_SCOPE +{ +WnfDataScopeSystem = 0, +WnfDataScopeSession = 1, +WnfDataScopeUser = 2, +WnfDataScopeProcess = 3, +WnfDataScopeMachine = 4 +} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; + +typedef enum _WNF_STATE_NAME_LIFETIME +{ +WnfWellKnownStateName = 0, +WnfPermanentStateName = 1, +WnfPersistentStateName = 2, +WnfTemporaryStateName = 3 +} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; + +typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS +{ +VmPrefetchInformation, +VmPagePriorityInformation, +VmCfgCallTargetInformation +} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; + +typedef enum _IO_SESSION_EVENT +{ +IoSessionEventIgnore, +IoSessionEventCreated, +IoSessionEventTerminated, +IoSessionEventConnected, +IoSessionEventDisconnected, +IoSessionEventLogon, +IoSessionEventLogoff, +IoSessionEventMax +} IO_SESSION_EVENT, *PIO_SESSION_EVENT; + +typedef enum _PORT_INFORMATION_CLASS +{ +PortBasicInformation, +#if DEVL +PortDumpInformation +#endif +} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; + +typedef enum _PLUGPLAY_CONTROL_CLASS +{ +PlugPlayControlEnumerateDevice, +PlugPlayControlRegisterNewDevice, +PlugPlayControlDeregisterDevice, +PlugPlayControlInitializeDevice, +PlugPlayControlStartDevice, +PlugPlayControlUnlockDevice, +PlugPlayControlQueryAndRemoveDevice, +PlugPlayControlUserResponse, +PlugPlayControlGenerateLegacyDevice, +PlugPlayControlGetInterfaceDeviceList, +PlugPlayControlProperty, +PlugPlayControlDeviceClassAssociation, +PlugPlayControlGetRelatedDevice, +PlugPlayControlGetInterfaceDeviceAlias, +PlugPlayControlDeviceStatus, +PlugPlayControlGetDeviceDepth, +PlugPlayControlQueryDeviceRelations, +PlugPlayControlTargetDeviceRelation, +PlugPlayControlQueryConflictList, +PlugPlayControlRetrieveDock, +PlugPlayControlResetDevice, +PlugPlayControlHaltDevice, +PlugPlayControlGetBlockedDriverList, +MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ +IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT +{ +ViewShare = 1, +ViewUnmap = 2 +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef enum _DEBUGOBJECTINFOCLASS +{ +DebugObjectFlags = 1, +MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ +SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; + +typedef struct _PS_ATTRIBUTE_LIST +{ +SIZE_T TotalLength; +PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef enum _VDMSERVICECLASS +{ +VdmStartExecution, +VdmQueueInterrupt, +VdmDelayInterrupt, +VdmInitialize, +VdmFeatures, +VdmSetInt21Handler, +VdmQueryDir, +VdmPrinterDirectIoOpen, +VdmPrinterDirectIoClose, +VdmPrinterInitialize, +VdmSetLdtEntries, +VdmSetProcessLdtInfo, +VdmAdlibEmulation, +VdmPMCliControl, +VdmQueryVdmProcess +} VDMSERVICECLASS, *PVDMSERVICECLASS; + +typedef struct _PS_CREATE_INFO +{ +SIZE_T Size; +PS_CREATE_STATE State; +union +{ +// PsCreateInitialState +struct { +union { +ULONG InitFlags; +struct { +UCHAR WriteOutputOnExit : 1; +UCHAR DetectManifest : 1; +UCHAR IFEOSkipDebugger : 1; +UCHAR IFEODoNotPropagateKeyState : 1; +UCHAR SpareBits1 : 4; +UCHAR SpareBits2 : 8; +USHORT ProhibitedImageCharacteristics : 16; +}; +}; +ACCESS_MASK AdditionalFileAccess; +} InitState; +// PsCreateFailOnSectionCreate +struct { +HANDLE FileHandle; +} FailSection; +// PsCreateFailExeFormat +struct { +USHORT DllCharacteristics; +} ExeFormat; +// PsCreateFailExeName +struct { +HANDLE IFEOKey; +} ExeName; +// PsCreateSuccess +struct { +union { +ULONG OutputFlags; +struct { +UCHAR ProtectedProcess : 1; +UCHAR AddressSpaceOverride : 1; +UCHAR DevOverrideEnabled : 1; // from Image File Execution Options +UCHAR ManifestDetected : 1; +UCHAR ProtectedProcessLight : 1; +UCHAR SpareBits1 : 3; +UCHAR SpareBits2 : 8; +USHORT SpareBits3 : 16; +}; +}; +HANDLE FileHandle; +HANDLE SectionHandle; +ULONGLONG UserProcessParametersNative; +ULONG UserProcessParametersWow64; +ULONG CurrentParameterFlags; +ULONGLONG PebAddressNative; +ULONG PebAddressWow64; +ULONGLONG ManifestAddress; +ULONG ManifestSize; +} SuccessState; +}; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef enum _MEMORY_INFORMATION_CLASS +{ +MemoryBasicInformation, +MemoryWorkingSetInformation, +MemoryMappedFilenameInformation, +MemoryRegionInformation, +MemoryWorkingSetExInformation, +MemorySharedCommitInformation, +MemoryImageInformation, +MemoryRegionInformationEx, +MemoryPrivilegedBasicInformation, +MemoryEnclaveImageInformation, +MemoryBasicInformationCapped +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _MEMORY_RESERVE_TYPE +{ +MemoryReserveUserApc, +MemoryReserveIoCompletion, +MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; + +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ +AlpcBasicInformation, +AlpcPortInformation, +AlpcAssociateCompletionPortInformation, +AlpcConnectedSIDInformation, +AlpcServerInformation, +AlpcMessageZoneInformation, +AlpcRegisterCompletionListInformation, +AlpcUnregisterCompletionListInformation, +AlpcAdjustCompletionListConcurrencyCountInformation, +AlpcRegisterCallbackInformation, +AlpcCompletionListRundownInformation +} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; + +typedef struct _ALPC_CONTEXT_ATTR +{ +PVOID PortContext; +PVOID MessageContext; +ULONG SequenceNumber; +ULONG MessageID; +ULONG CallbackID; +} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; + +typedef struct _ALPC_DATA_VIEW_ATTR +{ +ULONG Flags; +HANDLE SectionHandle; +PVOID ViewBase; +SIZE_T ViewSize; +} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; + +typedef struct _ALPC_SECURITY_ATTR +{ +ULONG Flags; +PSECURITY_QUALITY_OF_SERVICE SecurityQos; +HANDLE ContextHandle; +ULONG Reserved1; +ULONG Reserved2; +} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; + +typedef PVOID* PPVOID; + +typedef enum _KPROFILE_SOURCE +{ +ProfileTime = 0, +ProfileAlignmentFixup = 1, +ProfileTotalIssues = 2, +ProfilePipelineDry = 3, +ProfileLoadInstructions = 4, +ProfilePipelineFrozen = 5, +ProfileBranchInstructions = 6, +ProfileTotalNonissues = 7, +ProfileDcacheMisses = 8, +ProfileIcacheMisses = 9, +ProfileCacheMisses = 10, +ProfileBranchMispredictions = 11, +ProfileStoreInstructions = 12, +ProfileFpInstructions = 13, +ProfileIntegerInstructions = 14, +Profile2Issue = 15, +Profile3Issue = 16, +Profile4Issue = 17, +ProfileSpecialInstructions = 18, +ProfileTotalCycles = 19, +ProfileIcacheIssues = 20, +ProfileDcacheAccesses = 21, +ProfileMemoryBarrierCycles = 22, +ProfileLoadLinkedIssues = 23, +ProfileMaximum = 24, +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ +AlpcMessageSidInformation, +AlpcMessageTokenModifiedIdInformation +} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; + +typedef enum _WORKERFACTORYINFOCLASS +{ +WorkerFactoryTimeout, +WorkerFactoryRetryTimeout, +WorkerFactoryIdleTimeout, +WorkerFactoryBindingCount, +WorkerFactoryThreadMinimum, +WorkerFactoryThreadMaximum, +WorkerFactoryPaused, +WorkerFactoryBasicInformation, +WorkerFactoryAdjustThreadGoal, +WorkerFactoryCallbackType, +WorkerFactoryStackInformation, +MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS +{ +SystemMemoryPartitionInformation, +SystemMemoryPartitionMoveMemory, +SystemMemoryPartitionAddPagefile, +SystemMemoryPartitionCombineMemory, +SystemMemoryPartitionInitialAddMemory, +SystemMemoryPartitionGetMemoryEvents, +SystemMemoryPartitionMax +} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; + +typedef enum _MUTANT_INFORMATION_CLASS +{ +MutantBasicInformation, +MutantOwnerInformation +} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; + +typedef enum _ATOM_INFORMATION_CLASS +{ +AtomBasicInformation, +AtomTableInformation +} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; + +typedef enum _SHUTDOWN_ACTION { +ShutdownNoReboot, +ShutdownReboot, +ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( +IN PVOID TimerContext, +IN ULONG TimerLowValue, +IN LONG TimerHighValue); + +typedef enum _KEY_VALUE_INFORMATION_CLASS { +KeyValueBasicInformation = 0, +KeyValueFullInformation, +KeyValuePartialInformation, +KeyValueFullInformationAlign64, +KeyValuePartialInformationAlign64, +MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef LANGID* PLANGID; + +typedef struct _PLUGPLAY_EVENT_BLOCK +{ +GUID EventGuid; +PLUGPLAY_EVENT_CATEGORY EventCategory; +PULONG Result; +ULONG Flags; +ULONG TotalSize; +PVOID DeviceObject; + +union +{ +struct +{ +GUID ClassGuid; +WCHAR SymbolicLinkName[1]; +} DeviceClass; +struct +{ +WCHAR DeviceIds[1]; +} TargetDevice; +struct +{ +WCHAR DeviceId[1]; +} InstallDevice; +struct +{ +PVOID NotificationStructure; +WCHAR DeviceIds[1]; +} CustomNotification; +struct +{ +PVOID Notification; +} ProfileNotification; +struct +{ +ULONG NotificationCode; +ULONG NotificationData; +} PowerNotification; +struct +{ +PNP_VETO_TYPE VetoType; +WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName +} VetoNotification; +struct +{ +GUID BlockedDriverGuid; +} BlockedDriverNotification; +struct +{ +WCHAR ParentId[1]; +} InvalidIDNotification; +} u; +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef VOID(NTAPI* PIO_APC_ROUTINE) ( +IN PVOID ApcContext, +IN PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG Reserved); + +typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; + +typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS +{ +DirectoryNotifyInformation = 1, +DirectoryNotifyExtendedInformation = 2, +} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; + +typedef enum _EVENT_INFORMATION_CLASS +{ +EventBasicInformation +} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; + +typedef struct _ALPC_MESSAGE_ATTRIBUTES +{ +unsigned long AllocatedAttributes; +unsigned long ValidAttributes; +} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; + +typedef struct _ALPC_PORT_ATTRIBUTES +{ +ULONG Flags; +SECURITY_QUALITY_OF_SERVICE SecurityQos; +SIZE_T MaxMessageLength; +SIZE_T MemoryBandwidth; +SIZE_T MaxPoolUsage; +SIZE_T MaxSectionSize; +SIZE_T MaxViewSize; +SIZE_T MaxTotalSectionSize; +ULONG DupObjectTypes; +#ifdef _WIN64 +ULONG Reserved; +#endif +} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; + +typedef enum _IO_SESSION_STATE +{ +IoSessionStateCreated = 1, +IoSessionStateInitialized = 2, +IoSessionStateConnected = 3, +IoSessionStateDisconnected = 4, +IoSessionStateDisconnectedLoggedOn = 5, +IoSessionStateLoggedOn = 6, +IoSessionStateLoggedOff = 7, +IoSessionStateTerminated = 8, +IoSessionStateMax = 9, +} IO_SESSION_STATE, *PIO_SESSION_STATE; + +typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; + +typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; + +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ +unsigned __int64 SubscriptionId; +WNF_STATE_NAME StateName; +unsigned long ChangeStamp; +unsigned long StateDataSize; +unsigned long EventMask; +WNF_TYPE_ID TypeId; +unsigned long StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; + +typedef enum _DEBUG_CONTROL_CODE +{ +SysDbgQueryModuleInformation = 0, +SysDbgQueryTraceInformation = 1, +SysDbgSetTracePoint = 2, +SysDbgSetSpecialCall = 3, +SysDbgClearSpecialCalls = 4, +SysDbgQuerySpecialCalls = 5, +SysDbgBreakPoint = 6, +SysDbgQueryVersion = 7, +SysDbgReadVirtual = 8, +SysDbgWriteVirtual = 9, +SysDbgReadPhysical = 10, +SysDbgWritePhysical = 11, +SysDbgReadControlSpace = 12, +SysDbgWriteControlSpace = 13, +SysDbgReadIoSpace = 14, +SysDbgWriteIoSpace = 15, +SysDbgReadMsr = 16, +SysDbgWriteMsr = 17, +SysDbgReadBusData = 18, +SysDbgWriteBusData = 19, +SysDbgCheckLowMemory = 20, +SysDbgEnableKernelDebugger = 21, +SysDbgDisableKernelDebugger = 22, +SysDbgGetAutoKdEnable = 23, +SysDbgSetAutoKdEnable = 24, +SysDbgGetPrintBufferSize = 25, +SysDbgSetPrintBufferSize = 26, +SysDbgGetKdUmExceptionEnable = 27, +SysDbgSetKdUmExceptionEnable = 28, +SysDbgGetTriageDump = 29, +SysDbgGetKdBlockEnable = 30, +SysDbgSetKdBlockEnable = 31 +} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; + +typedef struct _PORT_MESSAGE +{ +union +{ +union +{ +struct +{ +short DataLength; +short TotalLength; +} s1; +unsigned long Length; +}; +} u1; +union +{ +union +{ +struct +{ +short Type; +short DataInfoOffset; +} s2; +unsigned long ZeroInit; +}; +} u2; +union +{ +CLIENT_ID ClientId; +double DoNotUseThisField; +}; +unsigned long MessageId; +union +{ +unsigned __int64 ClientViewSize; +struct +{ +unsigned long CallbackId; +long __PADDING__[1]; +}; +}; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _FILE_BASIC_INFORMATION +{ +LARGE_INTEGER CreationTime; +LARGE_INTEGER LastAccessTime; +LARGE_INTEGER LastWriteTime; +LARGE_INTEGER ChangeTime; +ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _PORT_SECTION_READ +{ +ULONG Length; +ULONG ViewSize; +ULONG ViewBase; +} PORT_SECTION_READ, *PPORT_SECTION_READ; + +typedef struct _PORT_SECTION_WRITE +{ +ULONG Length; +HANDLE SectionHandle; +ULONG SectionOffset; +ULONG ViewSize; +PVOID ViewBase; +PVOID TargetViewBase; +} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; + +typedef enum _TIMER_TYPE +{ +NotificationTimer, +SynchronizationTimer +} TIMER_TYPE, *PTIMER_TYPE; + +typedef struct _BOOT_ENTRY +{ +ULONG Version; +ULONG Length; +ULONG Id; +ULONG Attributes; +ULONG FriendlyNameOffset; +ULONG BootFilePathOffset; +ULONG OsOptionsLength; +UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY +{ +ULONG Version; +ULONG Length; +ULONG Id; +ULONG Attributes; +ULONG FriendlyNameOffset; +ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ +TimerSetCoalescableTimer, +MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; + +typedef enum _FSINFOCLASS +{ +FileFsVolumeInformation = 1, +FileFsLabelInformation = 2, +FileFsSizeInformation = 3, +FileFsDeviceInformation = 4, +FileFsAttributeInformation = 5, +FileFsControlInformation = 6, +FileFsFullSizeInformation = 7, +FileFsObjectIdInformation = 8, +FileFsDriverPathInformation = 9, +FileFsVolumeFlagsInformation = 10, +FileFsSectorSizeInformation = 11, +FileFsDataCopyInformation = 12, +FileFsMetadataSizeInformation = 13, +FileFsFullSizeInformationEx = 14, +FileFsMaximumInformation = 15, +} FSINFOCLASS, *PFSINFOCLASS; + +typedef enum _WAIT_TYPE +{ +WaitAll = 0, +WaitAny = 1 +} WAIT_TYPE, *PWAIT_TYPE; + +typedef struct _USER_STACK +{ +PVOID FixedStackBase; +PVOID FixedStackLimit; +PVOID ExpandableStackBase; +PVOID ExpandableStackLimit; +PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +typedef enum _SECTION_INFORMATION_CLASS +{ +SectionBasicInformation, +SectionImageInformation, +} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; + +typedef enum _APPHELPCACHESERVICECLASS +{ +ApphelpCacheServiceLookup = 0, +ApphelpCacheServiceRemove = 1, +ApphelpCacheServiceUpdate = 2, +ApphelpCacheServiceFlush = 3, +ApphelpCacheServiceDump = 4, +ApphelpDBGReadRegistry = 0x100, +ApphelpDBGWriteRegistry = 0x101, +} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ +USHORT Version; +USHORT Reserved; +ULONG AttributeCount; +union +{ +PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; +} Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ +PVOID KeyContext; +PVOID ApcContext; +IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef PVOID PT2_CANCEL_PARAMETERS; + +typedef enum _THREADINFOCLASS +{ +ThreadBasicInformation, +ThreadTimes, +ThreadPriority, +ThreadBasePriority, +ThreadAffinityMask, +ThreadImpersonationToken, +ThreadDescriptorTableEntry, +ThreadEnableAlignmentFaultFixup, +ThreadEventPair_Reusable, +ThreadQuerySetWin32StartAddress, +ThreadZeroTlsCell, +ThreadPerformanceCount, +ThreadAmILastThread, +ThreadIdealProcessor, +ThreadPriorityBoost, +ThreadSetTlsArrayAddress, +ThreadIsIoPending, +ThreadHideFromDebugger, +ThreadBreakOnTermination, +MaxThreadInfoClass +} THREADINFOCLASS, *PTHREADINFOCLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ +ObjectBasicInformation, +ObjectNameInformation, +ObjectTypeInformation, +ObjectAllTypesInformation, +ObjectHandleInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef enum _FILE_INFORMATION_CLASS +{ +FileDirectoryInformation = 1, +FileFullDirectoryInformation = 2, +FileBothDirectoryInformation = 3, +FileBasicInformation = 4, +FileStandardInformation = 5, +FileInternalInformation = 6, +FileEaInformation = 7, +FileAccessInformation = 8, +FileNameInformation = 9, +FileRenameInformation = 10, +FileLinkInformation = 11, +FileNamesInformation = 12, +FileDispositionInformation = 13, +FilePositionInformation = 14, +FileFullEaInformation = 15, +FileModeInformation = 16, +FileAlignmentInformation = 17, +FileAllInformation = 18, +FileAllocationInformation = 19, +FileEndOfFileInformation = 20, +FileAlternateNameInformation = 21, +FileStreamInformation = 22, +FilePipeInformation = 23, +FilePipeLocalInformation = 24, +FilePipeRemoteInformation = 25, +FileMailslotQueryInformation = 26, +FileMailslotSetInformation = 27, +FileCompressionInformation = 28, +FileObjectIdInformation = 29, +FileCompletionInformation = 30, +FileMoveClusterInformation = 31, +FileQuotaInformation = 32, +FileReparsePointInformation = 33, +FileNetworkOpenInformation = 34, +FileAttributeTagInformation = 35, +FileTrackingInformation = 36, +FileIdBothDirectoryInformation = 37, +FileIdFullDirectoryInformation = 38, +FileValidDataLengthInformation = 39, +FileShortNameInformation = 40, +FileIoCompletionNotificationInformation = 41, +FileIoStatusBlockRangeInformation = 42, +FileIoPriorityHintInformation = 43, +FileSfioReserveInformation = 44, +FileSfioVolumeInformation = 45, +FileHardLinkInformation = 46, +FileProcessIdsUsingFileInformation = 47, +FileNormalizedNameInformation = 48, +FileNetworkPhysicalNameInformation = 49, +FileIdGlobalTxDirectoryInformation = 50, +FileIsRemoteDeviceInformation = 51, +FileUnusedInformation = 52, +FileNumaNodeInformation = 53, +FileStandardLinkInformation = 54, +FileRemoteProtocolInformation = 55, +FileRenameInformationBypassAccessCheck = 56, +FileLinkInformationBypassAccessCheck = 57, +FileVolumeNameInformation = 58, +FileIdInformation = 59, +FileIdExtdDirectoryInformation = 60, +FileReplaceCompletionInformation = 61, +FileHardLinkFullIdInformation = 62, +FileIdExtdBothDirectoryInformation = 63, +FileDispositionInformationEx = 64, +FileRenameInformationEx = 65, +FileRenameInformationExBypassAccessCheck = 66, +FileMaximumInformation = 67, +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef enum _KEY_INFORMATION_CLASS +{ +KeyBasicInformation = 0, +KeyNodeInformation = 1, +KeyFullInformation = 2, +KeyNameInformation = 3, +KeyCachedInformation = 4, +KeyFlagsInformation = 5, +KeyVirtualizationInformation = 6, +KeyHandleTagsInformation = 7, +MaxKeyInfoClass = 8 +} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; + +typedef struct _OBJECT_ATTRIBUTES +{ +ULONG Length; +HANDLE RootDirectory; +PUNICODE_STRING ObjectName; +ULONG Attributes; +PVOID SecurityDescriptor; +PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef enum _TIMER_INFORMATION_CLASS +{ +TimerBasicInformation +} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; + +typedef struct _KCONTINUE_ARGUMENT +{ +KCONTINUE_TYPE ContinueType; +ULONG ContinueFlags; +ULONGLONG Reserved[2]; +} KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; + +EXTERN_C NTSTATUS Sw3NtAccessCheck( +IN PSECURITY_DESCRIPTOR pSecurityDescriptor, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiaredAccess, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PBOOLEAN AccessStatus); + +EXTERN_C NTSTATUS Sw3NtWorkerFactoryWorkerReady( +IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtAcceptConnectPort( +OUT PHANDLE ServerPortHandle, +IN ULONG AlternativeReceivePortHandle OPTIONAL, +IN PPORT_MESSAGE ConnectionReply, +IN BOOLEAN AcceptConnection, +IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, +OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPagesScatter( +IN PVOID VirtualAddresses, +IN PULONG NumberOfPages, +IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForSingleObject( +IN HANDLE ObjectHandle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER TimeOut OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallbackReturn( +IN PVOID OutputBuffer OPTIONAL, +IN ULONG OutputLength, +IN NTSTATUS Status); + +EXTERN_C NTSTATUS Sw3NtReadFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +OUT PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeviceIoControlFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG IoControlCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID Buffer, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletion( +IN HANDLE IoCompletionHandle, +OUT PULONG KeyContext, +OUT PULONG ApcContext, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseSemaphore( +IN HANDLE SemaphoreHandle, +IN LONG ReleaseCount, +OUT PLONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePort( +IN HANDLE PortHandle, +OUT PVOID PortContext OPTIONAL, +IN PPORT_MESSAGE ReplyMessage OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage); + +EXTERN_C NTSTATUS Sw3NtReplyPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtSetInformationThread( +IN HANDLE ThreadHandle, +IN THREADINFOCLASS ThreadInformationClass, +IN PVOID ThreadInformation, +IN ULONG ThreadInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtClose( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtQueryObject( +IN HANDLE Handle, +IN OBJECT_INFORMATION_CLASS ObjectInformationClass, +OUT PVOID ObjectInformation OPTIONAL, +IN ULONG ObjectInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtOpenKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtEnumerateValueKey( +IN HANDLE KeyHandle, +IN ULONG Index, +IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, +OUT PVOID KeyValueInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtFindAtom( +IN PWSTR AtomName OPTIONAL, +IN ULONG Length, +OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultLocale( +IN BOOLEAN UserProfile, +OUT PLCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtQueryKey( +IN HANDLE KeyHandle, +IN KEY_INFORMATION_CLASS KeyInformationClass, +OUT PVOID KeyInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtQueryValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, +OUT PVOID KeyValueInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN ULONG ZeroBits, +IN OUT PSIZE_T RegionSize, +IN ULONG AllocationType, +IN ULONG Protect); + +EXTERN_C NTSTATUS Sw3NtQueryInformationProcess( +IN HANDLE ProcessHandle, +IN PROCESSINFOCLASS ProcessInformationClass, +OUT PVOID ProcessInformation, +IN ULONG ProcessInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects32( +IN ULONG ObjectCount, +IN PHANDLE Handles, +IN WAIT_TYPE WaitType, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteFileGather( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_SEGMENT_ELEMENT SegmentArray, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKey( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFreeVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN OUT PSIZE_T RegionSize, +IN ULONG FreeType); + +EXTERN_C NTSTATUS Sw3NtImpersonateClientOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message); + +EXTERN_C NTSTATUS Sw3NtReleaseMutant( +IN HANDLE MutantHandle, +OUT PULONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationToken( +IN HANDLE TokenHandle, +IN TOKEN_INFORMATION_CLASS TokenInformationClass, +OUT PVOID TokenInformation, +IN ULONG TokenInformationLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtRequestWaitReplyPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE RequestMessage, +OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtQueryVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN MEMORY_INFORMATION_CLASS MemoryInformationClass, +OUT PVOID MemoryInformation, +IN SIZE_T MemoryInformationLength, +OUT PSIZE_T ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadToken( +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN BOOLEAN OpenAsSelf, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryInformationThread( +IN HANDLE ThreadHandle, +IN THREADINFOCLASS ThreadInformationClass, +OUT PVOID ThreadInformation, +IN ULONG ThreadInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenProcess( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSection( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN ULONG ZeroBits, +IN SIZE_T CommitSize, +IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, +IN OUT PSIZE_T ViewSize, +IN SECTION_INHERIT InheritDisposition, +IN ULONG AllocationType, +IN ULONG Win32Protect); + +EXTERN_C NTSTATUS Sw3NtAccessCheckAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN ACCESS_MASK DesiredAccess, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PBOOLEAN AccessStatus, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSection( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePortEx( +IN HANDLE PortHandle, +OUT PULONG PortContext OPTIONAL, +IN PPORT_MESSAGE ReplyMessage OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateProcess( +IN HANDLE ProcessHandle OPTIONAL, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtSetEventBoostPriority( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadFileScatter( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_SEGMENT_ELEMENT SegmentArray, +IN ULONG Length, +IN PLARGE_INTEGER ByteOffset OPTIONAL, +IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadTokenEx( +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN BOOLEAN OpenAsSelf, +IN ULONG HandleAttributes, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenProcessTokenEx( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryPerformanceCounter( +OUT PLARGE_INTEGER PerformanceCounter, +OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtEnumerateKey( +IN HANDLE KeyHandle, +IN ULONG Index, +IN KEY_INFORMATION_CLASS KeyInformationClass, +OUT PVOID KeyInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtOpenFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG ShareAccess, +IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtDelayExecution( +IN BOOLEAN Alertable, +IN PLARGE_INTEGER DelayInterval); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass, +IN BOOLEAN ReturnSingleEntry, +IN PUNICODE_STRING FileName OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformation( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN OUT PVOID SystemInformation, +IN ULONG SystemInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSection( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtQueryTimer( +IN HANDLE TimerHandle, +IN TIMER_INFORMATION_CLASS TimerInformationClass, +OUT PVOID TimerInformation, +IN ULONG TimerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFsControlFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG FsControlCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID Buffer, +IN SIZE_T NumberOfBytesToWrite, +OUT PSIZE_T NumberOfBytesWritten OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCloseObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDuplicateObject( +IN HANDLE SourceProcessHandle, +IN HANDLE SourceHandle, +IN HANDLE TargetProcessHandle OPTIONAL, +OUT PHANDLE TargetHandle OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Options); + +EXTERN_C NTSTATUS Sw3NtQueryAttributesFile( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PFILE_BASIC_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtClearEvent( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +OUT PVOID Buffer, +IN SIZE_T BufferSize, +OUT PSIZE_T NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAdjustPrivilegesToken( +IN HANDLE TokenHandle, +IN BOOLEAN DisableAllPrivileges, +IN PTOKEN_PRIVILEGES NewState OPTIONAL, +IN ULONG BufferLength, +OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDuplicateToken( +IN HANDLE ExistingTokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN BOOLEAN EffectiveOnly, +IN TOKEN_TYPE TokenType, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtContinue( +IN PCONTEXT ContextRecord, +IN BOOLEAN TestAlert); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultUILanguage( +OUT PLANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueueApcThread( +IN HANDLE ThreadHandle, +IN PKNORMAL_ROUTINE ApcRoutine, +IN PVOID ApcArgument1 OPTIONAL, +IN PVOID ApcArgument2 OPTIONAL, +IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtYieldExecution(); + +EXTERN_C NTSTATUS Sw3NtAddAtom( +IN PWSTR AtomName OPTIONAL, +IN ULONG Length, +OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEvent( +OUT PHANDLE EventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN EVENT_TYPE EventType, +IN BOOLEAN InitialState); + +EXTERN_C NTSTATUS Sw3NtQueryVolumeInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FsInformation, +IN ULONG Length, +IN FSINFOCLASS FsInformationClass); + +EXTERN_C NTSTATUS Sw3NtCreateSection( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PLARGE_INTEGER MaximumSize OPTIONAL, +IN ULONG SectionPageProtection, +IN ULONG AllocationAttributes, +IN HANDLE FileHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtApphelpCacheControl( +IN APPHELPCACHESERVICECLASS Service, +IN PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtCreateProcessEx( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ParentProcess, +IN ULONG Flags, +IN HANDLE SectionHandle OPTIONAL, +IN HANDLE DebugPort OPTIONAL, +IN HANDLE ExceptionPort OPTIONAL, +IN ULONG JobMemberLevel); + +EXTERN_C NTSTATUS Sw3NtCreateThread( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ProcessHandle, +OUT PCLIENT_ID ClientId, +IN PCONTEXT ThreadContext, +IN PUSER_STACK InitialTeb, +IN BOOLEAN CreateSuspended); + +EXTERN_C NTSTATUS Sw3NtIsProcessInJob( +IN HANDLE ProcessHandle, +IN HANDLE JobHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtProtectVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID * BaseAddress, +IN OUT PSIZE_T RegionSize, +IN ULONG NewProtect, +OUT PULONG OldProtect); + +EXTERN_C NTSTATUS Sw3NtQuerySection( +IN HANDLE SectionHandle, +IN SECTION_INFORMATION_CLASS SectionInformationClass, +OUT PVOID SectionInformation, +IN ULONG SectionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResumeThread( +IN HANDLE ThreadHandle, +IN OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateThread( +IN HANDLE ThreadHandle, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtReadRequestData( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN ULONG DataEntryIndex, +OUT PVOID Buffer, +IN ULONG BufferSize, +OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PLARGE_INTEGER AllocationSize OPTIONAL, +IN ULONG FileAttributes, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN PVOID EaBuffer OPTIONAL, +IN ULONG EaLength); + +EXTERN_C NTSTATUS Sw3NtQueryEvent( +IN HANDLE EventHandle, +IN EVENT_INFORMATION_CLASS EventInformationClass, +OUT PVOID EventInformation, +IN ULONG EventInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteRequestData( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Request, +IN ULONG DataIndex, +IN PVOID Buffer, +IN ULONG Length, +OUT PULONG ResultLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenDirectoryObject( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects( +IN ULONG Count, +IN PHANDLE Handles, +IN WAIT_TYPE WaitType, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationObject( +IN HANDLE Handle, +IN OBJECT_INFORMATION_CLASS ObjectInformationClass, +IN PVOID ObjectInformation, +IN ULONG ObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtCancelIoFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtTraceEvent( +IN HANDLE TraceHandle, +IN ULONG Flags, +IN ULONG FieldSize, +IN PVOID Fields); + +EXTERN_C NTSTATUS Sw3NtPowerInformation( +IN POWER_INFORMATION_LEVEL InformationLevel, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtSetValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName, +IN ULONG TitleIndex OPTIONAL, +IN ULONG Type, +IN PVOID SystemData, +IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtCancelTimer( +IN HANDLE TimerHandle, +OUT PBOOLEAN CurrentState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetTimer( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime, +IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, +IN PVOID TimerContext OPTIONAL, +IN BOOLEAN ResumeTimer, +IN LONG Period OPTIONAL, +OUT PBOOLEAN PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByType( +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN HANDLE ClientToken, +IN ULONG DesiredAccess, +IN POBJECT_TYPE_LIST ObjectTypeList, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultList( +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_TYPE_LIST ObjectTypeList, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +OUT PPRIVILEGE_SET PrivilegeSet, +IN OUT PULONG PrivilegeSetLength, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN HANDLE ClientToken, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor, +IN PSID PrincipalSelfSid OPTIONAL, +IN ACCESS_MASK DesiredAccess, +IN AUDIT_EVENT_TYPE AuditType, +IN ULONG Flags, +IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, +IN ULONG ObjectTypeListLength, +IN PGENERIC_MAPPING GenericMapping, +IN BOOLEAN ObjectCreation, +OUT PACCESS_MASK GrantedAccess, +OUT PULONG AccessStatus, +OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAcquireProcessActivityReference(); + +EXTERN_C NTSTATUS Sw3NtAddAtomEx( +IN PWSTR AtomName, +IN ULONG Length, +IN PRTL_ATOM Atom, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAddBootEntry( +IN PBOOT_ENTRY BootEntry, +OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAddDriverEntry( +IN PEFI_DRIVER_ENTRY DriverEntry, +OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAdjustGroupsToken( +IN HANDLE TokenHandle, +IN BOOLEAN ResetToDefault, +IN PTOKEN_GROUPS NewState OPTIONAL, +IN ULONG BufferLength OPTIONAL, +OUT PTOKEN_GROUPS PreviousState OPTIONAL, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtAdjustTokenClaimsAndDeviceGroups( +IN HANDLE TokenHandle, +IN BOOLEAN UserResetToDefault, +IN BOOLEAN DeviceResetToDefault, +IN BOOLEAN DeviceGroupsResetToDefault, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, +IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, +IN ULONG UserBufferLength, +OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, +IN ULONG DeviceBufferLength, +OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, +IN ULONG DeviceGroupsBufferLength, +OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, +OUT PULONG UserReturnLength OPTIONAL, +OUT PULONG DeviceReturnLength OPTIONAL, +OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertResumeThread( +IN HANDLE ThreadHandle, +OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertThread( +IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtAlertThreadByThreadId( +IN ULONG ThreadId); + +EXTERN_C NTSTATUS Sw3NtAllocateLocallyUniqueId( +OUT PLUID Luid); + +EXTERN_C NTSTATUS Sw3NtAllocateReserveObject( +OUT PHANDLE MemoryReserveHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN MEMORY_RESERVE_TYPE Type); + +EXTERN_C NTSTATUS Sw3NtAllocateUserPhysicalPages( +IN HANDLE ProcessHandle, +IN OUT PULONG NumberOfPages, +OUT PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtAllocateUuids( +OUT PLARGE_INTEGER Time, +OUT PULONG Range, +OUT PULONG Sequence, +OUT PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemoryEx( +IN HANDLE ProcessHandle, +IN OUT PPVOID lpAddress, +IN ULONG_PTR ZeroBits, +IN OUT PSIZE_T pSize, +IN ULONG flAllocationType, +IN OUT PVOID DataBuffer OPTIONAL, +IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtAlpcAcceptConnectPort( +OUT PHANDLE PortHandle, +IN HANDLE ConnectionPortHandle, +IN ULONG Flags, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN PVOID PortContext OPTIONAL, +IN PPORT_MESSAGE ConnectionRequest, +IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, +IN BOOLEAN AcceptConnection); + +EXTERN_C NTSTATUS Sw3NtAlpcCancelMessage( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PALPC_CONTEXT_ATTR MessageContext); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN ULONG Flags, +IN PSID RequiredServerSid OPTIONAL, +IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, +IN OUT PULONG BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPortEx( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, +IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, +IN ULONG Flags, +IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, +IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, +IN OUT PSIZE_T BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePortSection( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE SectionHandle OPTIONAL, +IN SIZE_T SectionSize, +OUT PHANDLE AlpcSectionHandle, +OUT PSIZE_T ActualSectionSize); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateResourceReserve( +IN HANDLE PortHandle, +IN ULONG Flags, +IN SIZE_T MessageSize, +OUT PHANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSectionView( +IN HANDLE PortHandle, +IN ULONG Flags, +IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN OUT PALPC_SECURITY_ATTR SecurityAttribute); + +EXTERN_C NTSTATUS Sw3NtAlpcDeletePortSection( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE SectionHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteResourceReserve( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSectionView( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PVOID ViewBase); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDisconnectPort( +IN HANDLE PortHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientContainerOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientOfPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE Message, +IN PVOID Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderProcess( +OUT PHANDLE ProcessHandle, +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ULONG Flags, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderThread( +OUT PHANDLE ThreadHandle, +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ULONG Flags, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformation( +IN HANDLE PortHandle OPTIONAL, +IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, +IN OUT PVOID PortInformation, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformationMessage( +IN HANDLE PortHandle, +IN PPORT_MESSAGE PortMessage, +IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, +OUT PVOID MessageInformation OPTIONAL, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcRevokeSecurityContext( +IN HANDLE PortHandle, +IN ULONG Flags, +IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcSendWaitReceivePort( +IN HANDLE PortHandle, +IN ULONG Flags, +IN PPORT_MESSAGE SendMessage OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, +OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, +IN OUT PSIZE_T BufferLength OPTIONAL, +IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcSetInformation( +IN HANDLE PortHandle, +IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, +IN PVOID PortInformation OPTIONAL, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtAreMappedFilesTheSame( +IN PVOID File1MappedAsAnImage, +IN PVOID File2MappedAsFile); + +EXTERN_C NTSTATUS Sw3NtAssignProcessToJobObject( +IN HANDLE JobHandle, +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtAssociateWaitCompletionPacket( +IN HANDLE WaitCompletionPacketHandle, +IN HANDLE IoCompletionHandle, +IN HANDLE TargetObjectHandle, +IN PVOID KeyContext OPTIONAL, +IN PVOID ApcContext OPTIONAL, +IN NTSTATUS IoStatus, +IN ULONG_PTR IoStatusInformation, +OUT PBOOLEAN AlreadySignaled OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallEnclave( +IN PENCLAVE_ROUTINE Routine, +IN PVOID Parameter, +IN BOOLEAN WaitForThread, +IN OUT PVOID ReturnValue OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCancelIoFileEx( +IN HANDLE FileHandle, +IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelSynchronousIoFile( +IN HANDLE ThreadHandle, +IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelTimer2( +IN HANDLE TimerHandle, +IN PT2_CANCEL_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtCancelWaitCompletionPacket( +IN HANDLE WaitCompletionPacketHandle, +IN BOOLEAN RemoveSignaledPacket); + +EXTERN_C NTSTATUS Sw3NtCommitComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitRegistryTransaction( +IN HANDLE RegistryHandle, +IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtCommitTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtCompactKeys( +IN ULONG Count, +IN HANDLE KeyArray); + +EXTERN_C NTSTATUS Sw3NtCompareObjects( +IN HANDLE FirstObjectHandle, +IN HANDLE SecondObjectHandle); + +EXTERN_C NTSTATUS Sw3NtCompareSigningLevels( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2); + +EXTERN_C NTSTATUS Sw3NtCompareTokens( +IN HANDLE FirstTokenHandle, +IN HANDLE SecondTokenHandle, +OUT PBOOLEAN Equal); + +EXTERN_C NTSTATUS Sw3NtCompleteConnectPort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtCompressKey( +IN HANDLE Key); + +EXTERN_C NTSTATUS Sw3NtConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, +IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, +IN OUT PPORT_SECTION_READ ServerView OPTIONAL, +OUT PULONG MaxMessageLength OPTIONAL, +IN OUT PVOID ConnectionInformation OPTIONAL, +IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2, +IN ULONG UnknownParameter3, +IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtCreateDebugObject( +OUT PHANDLE DebugObjectHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObject( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObjectEx( +OUT PHANDLE DirectoryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN HANDLE ShadowDirectoryHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateEnclave( +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN ULONG_PTR ZeroBits, +IN SIZE_T Size, +IN SIZE_T InitialCommitment, +IN ULONG EnclaveType, +IN PVOID EnclaveInformation, +IN ULONG EnclaveInformationLength, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEnlistment( +OUT PHANDLE EnlistmentHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE ResourceManagerHandle, +IN HANDLE TransactionHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN NOTIFICATION_MASK NotificationMask, +IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEventPair( +OUT PHANDLE EventPairHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateIRTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateIoCompletion( +OUT PHANDLE IoCompletionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG Count OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobObject( +OUT PHANDLE JobHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobSet( +IN ULONG NumJob, +IN PJOB_SET_ARRAY UserJobSet, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateKeyTransacted( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG TitleIndex, +IN PUNICODE_STRING Class OPTIONAL, +IN ULONG CreateOptions, +IN HANDLE TransactionHandle, +OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKeyedEvent( +OUT PHANDLE KeyedEventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateLowBoxToken( +OUT PHANDLE TokenHandle, +IN HANDLE ExistingTokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PSID PackageSid, +IN ULONG CapabilityCount, +IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, +IN ULONG HandleCount, +IN HANDLE Handles OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateMailslotFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CreateOptions, +IN ULONG MailslotQuota, +IN ULONG MaximumMessageSize, +IN PLARGE_INTEGER ReadTimeout); + +EXTERN_C NTSTATUS Sw3NtCreateMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN BOOLEAN InitialOwner); + +EXTERN_C NTSTATUS Sw3NtCreateNamedPipeFile( +OUT PHANDLE FileHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG ShareAccess, +IN ULONG CreateDisposition, +IN ULONG CreateOptions, +IN BOOLEAN NamedPipeType, +IN BOOLEAN ReadMode, +IN BOOLEAN CompletionMode, +IN ULONG MaximumInstances, +IN ULONG InboundQuota, +IN ULONG OutboundQuota, +IN PLARGE_INTEGER DefaultTimeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePagingFile( +IN PUNICODE_STRING PageFileName, +IN PULARGE_INTEGER MinimumSize, +IN PULARGE_INTEGER MaximumSize, +IN ULONG Priority); + +EXTERN_C NTSTATUS Sw3NtCreatePartition( +OUT PHANDLE PartitionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG PreferredNode); + +EXTERN_C NTSTATUS Sw3NtCreatePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG MaxConnectionInfoLength, +IN ULONG MaxMessageLength, +IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePrivateNamespace( +OUT PHANDLE NamespaceHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateProcess( +OUT PHANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ParentProcess, +IN BOOLEAN InheritObjectTable, +IN HANDLE SectionHandle OPTIONAL, +IN HANDLE DebugPort OPTIONAL, +IN HANDLE ExceptionPort OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateProfile( +OUT PHANDLE ProfileHandle, +IN HANDLE Process OPTIONAL, +IN PVOID ProfileBase, +IN ULONG ProfileSize, +IN ULONG BucketSize, +IN PULONG Buffer, +IN ULONG BufferSize, +IN KPROFILE_SOURCE ProfileSource, +IN ULONG Affinity); + +EXTERN_C NTSTATUS Sw3NtCreateProfileEx( +OUT PHANDLE ProfileHandle, +IN HANDLE Process OPTIONAL, +IN PVOID ProfileBase, +IN SIZE_T ProfileSize, +IN ULONG BucketSize, +IN PULONG Buffer, +IN ULONG BufferSize, +IN KPROFILE_SOURCE ProfileSource, +IN USHORT GroupCount, +IN PGROUP_AFFINITY GroupAffinity); + +EXTERN_C NTSTATUS Sw3NtCreateRegistryTransaction( +OUT PHANDLE Handle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN DWORD Flags); + +EXTERN_C NTSTATUS Sw3NtCreateResourceManager( +OUT PHANDLE ResourceManagerHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE TmHandle, +IN LPGUID RmGuid, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSemaphore( +OUT PHANDLE SemaphoreHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN LONG InitialCount, +IN LONG MaximumCount); + +EXTERN_C NTSTATUS Sw3NtCreateSymbolicLinkObject( +OUT PHANDLE LinkHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PUNICODE_STRING LinkTarget); + +EXTERN_C NTSTATUS Sw3NtCreateThreadEx( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE ProcessHandle, +IN PVOID StartRoutine, +IN PVOID Argument OPTIONAL, +IN ULONG CreateFlags, +IN SIZE_T ZeroBits, +IN SIZE_T StackSize, +IN SIZE_T MaximumStackSize, +IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TIMER_TYPE TimerType); + +EXTERN_C NTSTATUS Sw3NtCreateTimer2( +OUT PHANDLE TimerHandle, +IN PVOID Reserved1 OPTIONAL, +IN PVOID Reserved2 OPTIONAL, +IN ULONG Attributes, +IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateToken( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TOKEN_TYPE TokenType, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_OWNER Owner OPTIONAL, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, +IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTokenEx( +OUT PHANDLE TokenHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN TOKEN_TYPE TokenType, +IN PLUID AuthenticationId, +IN PLARGE_INTEGER ExpirationTime, +IN PTOKEN_USER User, +IN PTOKEN_GROUPS Groups, +IN PTOKEN_PRIVILEGES Privileges, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, +IN PTOKEN_GROUPS DeviceGroups OPTIONAL, +IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, +IN PTOKEN_OWNER Owner OPTIONAL, +IN PTOKEN_PRIMARY_GROUP PrimaryGroup, +IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, +IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTransaction( +OUT PHANDLE TransactionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN LPGUID Uow OPTIONAL, +IN HANDLE TmHandle OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN ULONG IsolationLevel OPTIONAL, +IN ULONG IsolationFlags OPTIONAL, +IN PLARGE_INTEGER Timeout OPTIONAL, +IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTransactionManager( +OUT PHANDLE TmHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PUNICODE_STRING LogFileName OPTIONAL, +IN ULONG CreateOptions OPTIONAL, +IN ULONG CommitStrength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateUserProcess( +OUT PHANDLE ProcessHandle, +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK ProcessDesiredAccess, +IN ACCESS_MASK ThreadDesiredAccess, +IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, +IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, +IN ULONG ProcessFlags, +IN ULONG ThreadFlags, +IN PVOID ProcessParameters OPTIONAL, +IN OUT PPS_CREATE_INFO CreateInfo, +IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitCompletionPacket( +OUT PHANDLE WaitCompletionPacketHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitablePort( +OUT PHANDLE PortHandle, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN ULONG MaxConnectionInfoLength, +IN ULONG MaxMessageLength, +IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWnfStateName( +OUT PCWNF_STATE_NAME StateName, +IN WNF_STATE_NAME_LIFETIME NameLifetime, +IN WNF_DATA_SCOPE DataScope, +IN BOOLEAN PersistData, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN ULONG MaximumStateSize, +IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateWorkerFactory( +OUT PHANDLE WorkerFactoryHandleReturn, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN HANDLE CompletionPortHandle, +IN HANDLE WorkerProcessHandle, +IN PVOID StartRoutine, +IN PVOID StartParameter OPTIONAL, +IN ULONG MaxThreadCount OPTIONAL, +IN SIZE_T StackReserve OPTIONAL, +IN SIZE_T StackCommit OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDebugActiveProcess( +IN HANDLE ProcessHandle, +IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtDebugContinue( +IN HANDLE DebugObjectHandle, +IN PCLIENT_ID ClientId, +IN NTSTATUS ContinueStatus); + +EXTERN_C NTSTATUS Sw3NtDeleteAtom( +IN USHORT Atom); + +EXTERN_C NTSTATUS Sw3NtDeleteBootEntry( +IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteDriverEntry( +IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteFile( +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtDeleteKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDeletePrivateNamespace( +IN HANDLE NamespaceHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteValueKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING ValueName); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PVOID ExplicitScope OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateName( +IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtDisableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtDisplayString( +IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtDrawText( +IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtEnableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtEnumerateBootEntries( +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateDriverEntries( +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateSystemEnvironmentValuesEx( +IN ULONG InformationClass, +OUT PVOID Buffer, +IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateTransactionObject( +IN HANDLE RootObjectHandle OPTIONAL, +IN KTMOBJECT_TYPE QueryType, +IN OUT PKTMOBJECT_CURSOR ObjectCursor, +IN ULONG ObjectCursorLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtExtendSection( +IN HANDLE SectionHandle, +IN OUT PLARGE_INTEGER NewSectionSize); + +EXTERN_C NTSTATUS Sw3NtFilterBootOption( +IN FILTER_BOOT_OPTION_OPERATION FilterOperation, +IN ULONG ObjectType, +IN ULONG ElementType, +IN PVOID SystemData OPTIONAL, +IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtFilterToken( +IN HANDLE ExistingTokenHandle, +IN ULONG Flags, +IN PTOKEN_GROUPS SidsToDisable OPTIONAL, +IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, +IN PTOKEN_GROUPS RestrictedSids OPTIONAL, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFilterTokenEx( +IN HANDLE TokenHandle, +IN ULONG Flags, +IN PTOKEN_GROUPS SidsToDisable OPTIONAL, +IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, +IN PTOKEN_GROUPS RestrictedSids OPTIONAL, +IN ULONG DisableUserClaimsCount, +IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, +IN ULONG DisableDeviceClaimsCount, +IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, +IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, +IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, +IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, +OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFileEx( +IN HANDLE FileHandle, +IN ULONG Flags, +IN PVOID Parameters, +IN ULONG ParametersSize, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushInstallUILanguage( +IN LANGID InstallUILanguage, +IN ULONG SetComittedFlag); + +EXTERN_C NTSTATUS Sw3NtFlushInstructionCache( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtFlushKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtFlushProcessWriteBuffers(); + +EXTERN_C NTSTATUS Sw3NtFlushVirtualMemory( +IN HANDLE ProcessHandle, +IN OUT PVOID BaseAddress, +IN OUT PULONG RegionSize, +OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushWriteBuffer(); + +EXTERN_C NTSTATUS Sw3NtFreeUserPhysicalPages( +IN HANDLE ProcessHandle, +IN OUT PULONG NumberOfPages, +IN PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtFreezeRegistry( +IN ULONG TimeOutInSeconds); + +EXTERN_C NTSTATUS Sw3NtFreezeTransactions( +IN PLARGE_INTEGER FreezeTimeout, +IN PLARGE_INTEGER ThawTimeout); + +EXTERN_C NTSTATUS Sw3NtGetCachedSigningLevel( +IN HANDLE File, +OUT PULONG Flags, +OUT PSE_SIGNING_LEVEL SigningLevel, +OUT PUCHAR Thumbprint OPTIONAL, +IN OUT PULONG ThumbprintSize OPTIONAL, +OUT PULONG ThumbprintAlgorithm OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetCompleteWnfStateSubscription( +IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, +IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, +IN ULONG OldDescriptorEventMask OPTIONAL, +IN ULONG OldDescriptorStatus OPTIONAL, +OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, +IN ULONG DescriptorSize); + +EXTERN_C NTSTATUS Sw3NtGetContextThread( +IN HANDLE ThreadHandle, +IN OUT PCONTEXT ThreadContext); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumber(); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumberEx( +OUT PULONG ProcNumber OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetDevicePowerState( +IN HANDLE Device, +OUT PDEVICE_POWER_STATE State); + +EXTERN_C NTSTATUS Sw3NtGetMUIRegistryInfo( +IN ULONG Flags, +IN OUT PULONG DataSize, +OUT PVOID SystemData); + +EXTERN_C NTSTATUS Sw3NtGetNextProcess( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Flags, +OUT PHANDLE NewProcessHandle); + +EXTERN_C NTSTATUS Sw3NtGetNextThread( +IN HANDLE ProcessHandle, +IN HANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN ULONG HandleAttributes, +IN ULONG Flags, +OUT PHANDLE NewThreadHandle); + +EXTERN_C NTSTATUS Sw3NtGetNlsSectionPtr( +IN ULONG SectionType, +IN ULONG SectionData, +IN PVOID ContextData, +OUT PVOID SectionPointer, +OUT PULONG SectionSize); + +EXTERN_C NTSTATUS Sw3NtGetNotificationResourceManager( +IN HANDLE ResourceManagerHandle, +OUT PTRANSACTION_NOTIFICATION TransactionNotification, +IN ULONG NotificationLength, +IN PLARGE_INTEGER Timeout OPTIONAL, +OUT PULONG ReturnLength OPTIONAL, +IN ULONG Asynchronous, +IN ULONG AsynchronousContext OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetWriteWatch( +IN HANDLE ProcessHandle, +IN ULONG Flags, +IN PVOID BaseAddress, +IN ULONG RegionSize, +OUT PULONG UserAddressArray, +IN OUT PULONG EntriesInUserAddressArray, +OUT PULONG Granularity); + +EXTERN_C NTSTATUS Sw3NtImpersonateAnonymousToken( +IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtImpersonateThread( +IN HANDLE ServerThreadHandle, +IN HANDLE ClientThreadHandle, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +EXTERN_C NTSTATUS Sw3NtInitializeEnclave( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID EnclaveInformation, +IN ULONG EnclaveInformationLength, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtInitializeNlsFiles( +OUT PVOID BaseAddress, +OUT PLCID DefaultLocaleId, +OUT PLARGE_INTEGER DefaultCasingTableSize); + +EXTERN_C NTSTATUS Sw3NtInitializeRegistry( +IN USHORT BootCondition); + +EXTERN_C NTSTATUS Sw3NtInitiatePowerAction( +IN POWER_ACTION SystemAction, +IN SYSTEM_POWER_STATE LightestSystemState, +IN ULONG Flags, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtIsSystemResumeAutomatic(); + +EXTERN_C NTSTATUS Sw3NtIsUILanguageComitted(); + +EXTERN_C NTSTATUS Sw3NtListenPort( +IN HANDLE PortHandle, +OUT PPORT_MESSAGE ConnectionRequest); + +EXTERN_C NTSTATUS Sw3NtLoadDriver( +IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtLoadEnclaveData( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PVOID Buffer, +IN SIZE_T BufferSize, +IN ULONG Protect, +IN PVOID PageInformation, +IN ULONG PageInformationLength, +OUT PSIZE_T NumberOfBytesWritten OPTIONAL, +OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLoadHotPatch( +IN PUNICODE_STRING HotPatchName, +IN ULONG LoadFlag); + +EXTERN_C NTSTATUS Sw3NtLoadKey( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile); + +EXTERN_C NTSTATUS Sw3NtLoadKey2( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtLoadKeyEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN POBJECT_ATTRIBUTES SourceFile, +IN ULONG Flags, +IN HANDLE TrustClassKey OPTIONAL, +IN HANDLE Event OPTIONAL, +IN ACCESS_MASK DesiredAccess OPTIONAL, +OUT PHANDLE RootHandle OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PULARGE_INTEGER ByteOffset, +IN PULARGE_INTEGER Length, +IN ULONG Key, +IN BOOLEAN FailImmediately, +IN BOOLEAN ExclusiveLock); + +EXTERN_C NTSTATUS Sw3NtLockProductActivationKeys( +IN OUT PULONG pPrivateVer OPTIONAL, +OUT PULONG pSafeMode OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockRegistryKey( +IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtLockVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN PULONG RegionSize, +IN ULONG MapType); + +EXTERN_C NTSTATUS Sw3NtMakePermanentObject( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtMakeTemporaryObject( +IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtManagePartition( +IN HANDLE TargetHandle, +IN HANDLE SourceHandle, +IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, +IN OUT PVOID PartitionInformation, +IN ULONG PartitionInformationLength); + +EXTERN_C NTSTATUS Sw3NtMapCMFModule( +IN ULONG What, +IN ULONG Index, +OUT PULONG CacheIndexOut OPTIONAL, +OUT PULONG CacheFlagsOut OPTIONAL, +OUT PULONG ViewSizeOut OPTIONAL, +OUT PVOID BaseAddress OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPages( +IN PVOID VirtualAddress, +IN PULONG NumberOfPages, +IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSectionEx( +IN HANDLE SectionHandle, +IN HANDLE ProcessHandle, +IN OUT PLARGE_INTEGER SectionOffset, +IN OUT PPVOID BaseAddress, +IN OUT PSIZE_T ViewSize, +IN ULONG AllocationType, +IN ULONG Protect, +IN OUT PVOID DataBuffer OPTIONAL, +IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtModifyBootEntry( +IN PBOOT_ENTRY BootEntry); + +EXTERN_C NTSTATUS Sw3NtModifyDriverEntry( +IN PEFI_DRIVER_ENTRY DriverEntry); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFile( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_NOTIFY_INFORMATION Buffer, +IN ULONG Length, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFileEx( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID Buffer, +IN ULONG Length, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeKey( +IN HANDLE KeyHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +OUT PVOID Buffer OPTIONAL, +IN ULONG BufferSize, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeMultipleKeys( +IN HANDLE MasterKeyHandle, +IN ULONG Count OPTIONAL, +IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN ULONG CompletionFilter, +IN BOOLEAN WatchTree, +OUT PVOID Buffer OPTIONAL, +IN ULONG BufferSize, +IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeSession( +IN HANDLE SessionHandle, +IN ULONG ChangeSequenceNumber, +IN PLARGE_INTEGER ChangeTimeStamp, +IN IO_SESSION_EVENT Event, +IN IO_SESSION_STATE NewState, +IN IO_SESSION_STATE PreviousState, +IN PVOID Payload OPTIONAL, +IN ULONG PayloadSize); + +EXTERN_C NTSTATUS Sw3NtOpenEnlistment( +OUT PHANDLE EnlistmentHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE ResourceManagerHandle, +IN LPGUID EnlistmentGuid, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEventPair( +OUT PHANDLE EventPairHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenIoCompletion( +OUT PHANDLE IoCompletionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenJobObject( +OUT PHANDLE JobHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenKeyEx( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransacted( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransactedEx( +OUT PHANDLE KeyHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN ULONG OpenOptions, +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyedEvent( +OUT PHANDLE KeyedEventHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenMutant( +OUT PHANDLE MutantHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN PUNICODE_STRING ObjectTypeName, +IN PUNICODE_STRING ObjectName, +IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN ACCESS_MASK GrantedAccess, +IN PPRIVILEGE_SET Privileges OPTIONAL, +IN BOOLEAN ObjectCreation, +IN BOOLEAN AccessGranted, +OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtOpenPartition( +OUT PHANDLE PartitionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenPrivateNamespace( +OUT PHANDLE NamespaceHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtOpenProcessToken( +IN HANDLE ProcessHandle, +IN ACCESS_MASK DesiredAccess, +OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenRegistryTransaction( +OUT PHANDLE RegistryHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenResourceManager( +OUT PHANDLE ResourceManagerHandle, +IN ACCESS_MASK DesiredAccess, +IN HANDLE TmHandle, +IN LPGUID ResourceManagerGuid OPTIONAL, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSemaphore( +OUT PHANDLE SemaphoreHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSession( +OUT PHANDLE SessionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSymbolicLinkObject( +OUT PHANDLE LinkHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenThread( +OUT PHANDLE ThreadHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTimer( +OUT PHANDLE TimerHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenTransaction( +OUT PHANDLE TransactionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes, +IN LPGUID Uow, +IN HANDLE TmHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTransactionManager( +OUT PHANDLE TmHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PUNICODE_STRING LogFileName OPTIONAL, +IN LPGUID TmIdentity OPTIONAL, +IN ULONG OpenOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPlugPlayControl( +IN PLUGPLAY_CONTROL_CLASS PnPControlClass, +IN OUT PVOID PnPControlData, +IN ULONG PnPControlDataLength); + +EXTERN_C NTSTATUS Sw3NtPrePrepareComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrePrepareEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrivilegeCheck( +IN HANDLE ClientToken, +IN OUT PPRIVILEGE_SET RequiredPrivileges, +OUT PBOOLEAN Result); + +EXTERN_C NTSTATUS Sw3NtPrivilegeObjectAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PVOID HandleId OPTIONAL, +IN HANDLE ClientToken, +IN ACCESS_MASK DesiredAccess, +IN PPRIVILEGE_SET Privileges, +IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPrivilegedServiceAuditAlarm( +IN PUNICODE_STRING SubsystemName, +IN PUNICODE_STRING ServiceName, +IN HANDLE ClientToken, +IN PPRIVILEGE_SET Privileges, +IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPropagationComplete( +IN HANDLE ResourceManagerHandle, +IN ULONG RequestCookie, +IN ULONG BufferLength, +IN PVOID Buffer); + +EXTERN_C NTSTATUS Sw3NtPropagationFailed( +IN HANDLE ResourceManagerHandle, +IN ULONG RequestCookie, +IN NTSTATUS PropStatus); + +EXTERN_C NTSTATUS Sw3NtPulseEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryAuxiliaryCounterFrequency( +OUT PULONGLONG lpAuxiliaryCounterFrequency); + +EXTERN_C NTSTATUS Sw3NtQueryBootEntryOrder( +OUT PULONG Ids OPTIONAL, +IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryBootOptions( +OUT PBOOT_OPTIONS BootOptions OPTIONAL, +IN OUT PULONG BootOptionsLength); + +EXTERN_C NTSTATUS Sw3NtQueryDebugFilterState( +IN ULONG ComponentId, +IN ULONG Level); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFileEx( +IN HANDLE FileHandle, +IN HANDLE Event OPTIONAL, +IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, +IN PVOID ApcContext OPTIONAL, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass, +IN ULONG QueryFlags, +IN PUNICODE_STRING FileName OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryObject( +IN HANDLE DirectoryHandle, +OUT PVOID Buffer OPTIONAL, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN BOOLEAN RestartScan, +IN OUT PULONG Context, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDriverEntryOrder( +IN PULONG Ids OPTIONAL, +IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryEaFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_FULL_EA_INFORMATION Buffer, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, +IN ULONG EaListLength, +IN PULONG EaIndex OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQueryFullAttributesFile( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtQueryInformationAtom( +IN USHORT Atom, +IN ATOM_INFORMATION_CLASS AtomInformationClass, +OUT PVOID AtomInformation, +IN ULONG AtomInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationByName( +IN POBJECT_ATTRIBUTES ObjectAttributes, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PVOID FileInformation, +IN ULONG Length, +IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtQueryInformationEnlistment( +IN HANDLE EnlistmentHandle, +IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, +OUT PVOID EnlistmentInformation, +IN ULONG EnlistmentInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationJobObject( +IN HANDLE JobHandle, +IN JOBOBJECTINFOCLASS JobObjectInformationClass, +OUT PVOID JobObjectInformation, +IN ULONG JobObjectInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationPort( +IN HANDLE PortHandle, +IN PORT_INFORMATION_CLASS PortInformationClass, +OUT PVOID PortInformation, +IN ULONG Length, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationResourceManager( +IN HANDLE ResourceManagerHandle, +IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, +OUT PVOID ResourceManagerInformation, +IN ULONG ResourceManagerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransaction( +IN HANDLE TransactionHandle, +IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, +OUT PVOID TransactionInformation, +IN ULONG TransactionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransactionManager( +IN HANDLE TransactionManagerHandle, +IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, +OUT PVOID TransactionManagerInformation, +IN ULONG TransactionManagerInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, +OUT PVOID WorkerFactoryInformation, +IN ULONG WorkerFactoryInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInstallUILanguage( +OUT PLANGID InstallUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueryIntervalProfile( +IN KPROFILE_SOURCE ProfileSource, +OUT PULONG Interval); + +EXTERN_C NTSTATUS Sw3NtQueryIoCompletion( +IN HANDLE IoCompletionHandle, +IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, +OUT PVOID IoCompletionInformation, +IN ULONG IoCompletionInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryLicenseValue( +IN PUNICODE_STRING ValueName, +OUT PULONG Type OPTIONAL, +OUT PVOID SystemData OPTIONAL, +IN ULONG DataSize, +OUT PULONG ResultDataSize); + +EXTERN_C NTSTATUS Sw3NtQueryMultipleValueKey( +IN HANDLE KeyHandle, +IN OUT PKEY_VALUE_ENTRY ValueEntries, +IN ULONG EntryCount, +OUT PVOID ValueBuffer, +IN PULONG BufferLength, +OUT PULONG RequiredBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryMutant( +IN HANDLE MutantHandle, +IN MUTANT_INFORMATION_CLASS MutantInformationClass, +OUT PVOID MutantInformation, +IN ULONG MutantInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeys( +IN POBJECT_ATTRIBUTES TargetKey, +OUT PULONG HandleCount); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeysEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN ULONG BufferLength, +OUT PVOID Buffer, +OUT PULONG RequiredSize); + +EXTERN_C NTSTATUS Sw3NtQueryPortInformationProcess(); + +EXTERN_C NTSTATUS Sw3NtQueryQuotaInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +OUT PFILE_USER_QUOTA_INFORMATION Buffer, +IN ULONG Length, +IN BOOLEAN ReturnSingleEntry, +IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, +IN ULONG SidListLength, +IN PSID StartSid OPTIONAL, +IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityAttributesToken( +IN HANDLE TokenHandle, +IN PUNICODE_STRING Attributes OPTIONAL, +IN ULONG NumberOfAttributes, +OUT PVOID Buffer, +IN ULONG Length, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityObject( +IN HANDLE Handle, +IN SECURITY_INFORMATION SecurityInformation, +OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, +IN ULONG Length, +OUT PULONG LengthNeeded); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityPolicy( +IN ULONG_PTR UnknownParameter1, +IN ULONG_PTR UnknownParameter2, +IN ULONG_PTR UnknownParameter3, +IN ULONG_PTR UnknownParameter4, +IN ULONG_PTR UnknownParameter5, +IN ULONG_PTR UnknownParameter6); + +EXTERN_C NTSTATUS Sw3NtQuerySemaphore( +IN HANDLE SemaphoreHandle, +IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, +OUT PVOID SemaphoreInformation, +IN ULONG SemaphoreInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySymbolicLinkObject( +IN HANDLE LinkHandle, +IN OUT PUNICODE_STRING LinkTarget, +OUT PULONG ReturnedLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValue( +IN PUNICODE_STRING VariableName, +OUT PVOID VariableValue, +IN ULONG ValueLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValueEx( +IN PUNICODE_STRING VariableName, +IN LPGUID VendorGuid, +OUT PVOID Value OPTIONAL, +IN OUT PULONG ValueLength, +OUT PULONG Attributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformationEx( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN PVOID InputBuffer, +IN ULONG InputBufferLength, +OUT PVOID SystemInformation OPTIONAL, +IN ULONG SystemInformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryTimerResolution( +OUT PULONG MaximumTime, +OUT PULONG MinimumTime, +OUT PULONG CurrentTime); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN PVOID ExplicitScope OPTIONAL, +OUT PWNF_CHANGE_STAMP ChangeStamp, +OUT PVOID Buffer OPTIONAL, +IN OUT PULONG BufferSize); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateNameInformation( +IN PCWNF_STATE_NAME StateName, +IN PCWNF_TYPE_ID NameInfoClass, +IN PVOID ExplicitScope OPTIONAL, +OUT PVOID InfoBuffer, +IN ULONG InfoBufferSize); + +EXTERN_C NTSTATUS Sw3NtQueueApcThreadEx( +IN HANDLE ThreadHandle, +IN HANDLE UserApcReserveHandle OPTIONAL, +IN PKNORMAL_ROUTINE ApcRoutine, +IN PVOID ApcArgument1 OPTIONAL, +IN PVOID ApcArgument2 OPTIONAL, +IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRaiseException( +IN PEXCEPTION_RECORD ExceptionRecord, +IN PCONTEXT ContextRecord, +IN BOOLEAN FirstChance); + +EXTERN_C NTSTATUS Sw3NtRaiseHardError( +IN NTSTATUS ErrorStatus, +IN ULONG NumberOfParameters, +IN ULONG UnicodeStringParameterMask, +IN PULONG_PTR Parameters, +IN ULONG ValidResponseOptions, +OUT PULONG Response); + +EXTERN_C NTSTATUS Sw3NtReadOnlyEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverEnlistment( +IN HANDLE EnlistmentHandle, +IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverResourceManager( +IN HANDLE ResourceManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRecoverTransactionManager( +IN HANDLE TransactionManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRegisterProtocolAddressInformation( +IN HANDLE ResourceManager, +IN LPGUID ProtocolId, +IN ULONG ProtocolInformationSize, +IN PVOID ProtocolInformation, +IN ULONG CreateOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRegisterThreadTerminatePort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtReleaseKeyedEvent( +IN HANDLE KeyedEventHandle, +IN PVOID KeyValue, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseWorkerFactoryWorker( +IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletionEx( +IN HANDLE IoCompletionHandle, +OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, +IN ULONG Count, +OUT PULONG NumEntriesRemoved, +IN PLARGE_INTEGER Timeout OPTIONAL, +IN BOOLEAN Alertable); + +EXTERN_C NTSTATUS Sw3NtRemoveProcessDebug( +IN HANDLE ProcessHandle, +IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtRenameKey( +IN HANDLE KeyHandle, +IN PUNICODE_STRING NewName); + +EXTERN_C NTSTATUS Sw3NtRenameTransactionManager( +IN PUNICODE_STRING LogFileName, +IN LPGUID ExistingTransactionManagerGuid); + +EXTERN_C NTSTATUS Sw3NtReplaceKey( +IN POBJECT_ATTRIBUTES NewFile, +IN HANDLE TargetHandle, +IN POBJECT_ATTRIBUTES OldFile); + +EXTERN_C NTSTATUS Sw3NtReplacePartitionUnit( +IN PUNICODE_STRING TargetInstancePath, +IN PUNICODE_STRING SpareInstancePath, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReplyPort( +IN HANDLE PortHandle, +IN OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtRequestPort( +IN HANDLE PortHandle, +IN PPORT_MESSAGE RequestMessage); + +EXTERN_C NTSTATUS Sw3NtResetEvent( +IN HANDLE EventHandle, +OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResetWriteWatch( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress, +IN ULONG RegionSize); + +EXTERN_C NTSTATUS Sw3NtRestoreKey( +IN HANDLE KeyHandle, +IN HANDLE FileHandle, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtResumeProcess( +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtRevertContainerImpersonation(); + +EXTERN_C NTSTATUS Sw3NtRollbackComplete( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackEnlistment( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackRegistryTransaction( +IN HANDLE RegistryHandle, +IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtRollbackTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtRollforwardTransactionManager( +IN HANDLE TransactionManagerHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSaveKey( +IN HANDLE KeyHandle, +IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSaveKeyEx( +IN HANDLE KeyHandle, +IN HANDLE FileHandle, +IN ULONG Format); + +EXTERN_C NTSTATUS Sw3NtSaveMergedKeys( +IN HANDLE HighPrecedenceKeyHandle, +IN HANDLE LowPrecedenceKeyHandle, +IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSecureConnectPort( +OUT PHANDLE PortHandle, +IN PUNICODE_STRING PortName, +IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, +IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, +IN PSID RequiredServerSid OPTIONAL, +IN OUT PPORT_SECTION_READ ServerView OPTIONAL, +OUT PULONG MaxMessageLength OPTIONAL, +IN OUT PVOID ConnectionInformation OPTIONAL, +IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSerializeBoot(); + +EXTERN_C NTSTATUS Sw3NtSetBootEntryOrder( +IN PULONG Ids, +IN ULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetBootOptions( +IN PBOOT_OPTIONS BootOptions, +IN ULONG FieldsToChange); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel( +IN ULONG Flags, +IN SE_SIGNING_LEVEL InputSigningLevel, +IN PHANDLE SourceFiles, +IN ULONG SourceFileCount, +IN HANDLE TargetFile OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel2( +IN ULONG Flags, +IN ULONG InputSigningLevel, +IN PHANDLE SourceFiles, +IN ULONG SourceFileCount, +IN HANDLE TargetFile OPTIONAL, +IN PVOID LevelInformation OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetContextThread( +IN HANDLE ThreadHandle, +IN PCONTEXT Context); + +EXTERN_C NTSTATUS Sw3NtSetDebugFilterState( +IN ULONG ComponentId, +IN ULONG Level, +IN BOOLEAN State); + +EXTERN_C NTSTATUS Sw3NtSetDefaultHardErrorPort( +IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtSetDefaultLocale( +IN BOOLEAN UserProfile, +IN LCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtSetDefaultUILanguage( +IN LANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtSetDriverEntryOrder( +IN PULONG Ids, +IN PULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetEaFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_FULL_EA_INFORMATION EaBuffer, +IN ULONG EaBufferSize); + +EXTERN_C NTSTATUS Sw3NtSetHighEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetHighWaitLowEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetIRTimer( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationDebugObject( +IN HANDLE DebugObject, +IN DEBUGOBJECTINFOCLASS InformationClass, +IN PVOID Information, +IN ULONG InformationLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationEnlistment( +IN HANDLE EnlistmentHandle, +IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, +IN PVOID EnlistmentInformation, +IN ULONG EnlistmentInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationJobObject( +IN HANDLE JobHandle, +IN JOBOBJECTINFOCLASS JobObjectInformationClass, +IN PVOID JobObjectInformation, +IN ULONG JobObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationKey( +IN HANDLE KeyHandle, +IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, +IN PVOID KeySetInformation, +IN ULONG KeySetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationResourceManager( +IN HANDLE ResourceManagerHandle, +IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, +IN PVOID ResourceManagerInformation, +IN ULONG ResourceManagerInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationSymbolicLink( +IN HANDLE Handle, +IN ULONG Class, +IN PVOID Buffer, +IN ULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationToken( +IN HANDLE TokenHandle, +IN TOKEN_INFORMATION_CLASS TokenInformationClass, +IN PVOID TokenInformation, +IN ULONG TokenInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransaction( +IN HANDLE TransactionHandle, +IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, +IN PVOID TransactionInformation, +IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransactionManager( +IN HANDLE TransactionHandle, +IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, +IN PVOID TransactionInformation, +IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationVirtualMemory( +IN HANDLE ProcessHandle, +IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, +IN ULONG_PTR NumberOfEntries, +IN PMEMORY_RANGE_ENTRY VirtualAddresses, +IN PVOID VmInformation, +IN ULONG VmInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, +IN PVOID WorkerFactoryInformation, +IN ULONG WorkerFactoryInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetIntervalProfile( +IN ULONG Interval, +IN KPROFILE_SOURCE Source); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletion( +IN HANDLE IoCompletionHandle, +IN ULONG CompletionKey, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN NTSTATUS CompletionStatus, +IN ULONG NumberOfBytesTransfered); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletionEx( +IN HANDLE IoCompletionHandle, +IN HANDLE IoCompletionPacketHandle, +IN PVOID KeyContext OPTIONAL, +IN PVOID ApcContext OPTIONAL, +IN NTSTATUS IoStatus, +IN ULONG_PTR IoStatusInformation); + +EXTERN_C NTSTATUS Sw3NtSetLdtEntries( +IN ULONG Selector0, +IN ULONG Entry0Low, +IN ULONG Entry0Hi, +IN ULONG Selector1, +IN ULONG Entry1Low, +IN ULONG Entry1Hi); + +EXTERN_C NTSTATUS Sw3NtSetLowEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetLowWaitHighEventPair( +IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetQuotaInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PFILE_USER_QUOTA_INFORMATION Buffer, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtSetSecurityObject( +IN HANDLE ObjectHandle, +IN SECURITY_INFORMATION SecurityInformationClass, +IN PSECURITY_DESCRIPTOR DescriptorBuffer); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValue( +IN PUNICODE_STRING VariableName, +IN PUNICODE_STRING Value); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValueEx( +IN PUNICODE_STRING VariableName, +IN LPGUID VendorGuid, +IN PVOID Value OPTIONAL, +IN ULONG ValueLength, +IN ULONG Attributes); + +EXTERN_C NTSTATUS Sw3NtSetSystemInformation( +IN SYSTEM_INFORMATION_CLASS SystemInformationClass, +IN PVOID SystemInformation, +IN ULONG SystemInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetSystemPowerState( +IN POWER_ACTION SystemAction, +IN SYSTEM_POWER_STATE MinSystemState, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtSetSystemTime( +IN PLARGE_INTEGER SystemTime, +OUT PLARGE_INTEGER PreviousTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetThreadExecutionState( +IN EXECUTION_STATE ExecutionState, +OUT PEXECUTION_STATE PreviousExecutionState); + +EXTERN_C NTSTATUS Sw3NtSetTimer2( +IN HANDLE TimerHandle, +IN PLARGE_INTEGER DueTime, +IN PLARGE_INTEGER Period OPTIONAL, +IN PT2_SET_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtSetTimerEx( +IN HANDLE TimerHandle, +IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, +IN OUT PVOID TimerSetInformation OPTIONAL, +IN ULONG TimerSetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetTimerResolution( +IN ULONG DesiredResolution, +IN BOOLEAN SetResolution, +OUT PULONG CurrentResolution); + +EXTERN_C NTSTATUS Sw3NtSetUuidSeed( +IN PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtSetVolumeInformationFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PVOID FileSystemInformation, +IN ULONG Length, +IN FSINFOCLASS FileSystemInformationClass); + +EXTERN_C NTSTATUS Sw3NtSetWnfProcessNotificationEvent( +IN HANDLE NotificationEvent); + +EXTERN_C NTSTATUS Sw3NtShutdownSystem( +IN SHUTDOWN_ACTION Action); + +EXTERN_C NTSTATUS Sw3NtShutdownWorkerFactory( +IN HANDLE WorkerFactoryHandle, +IN OUT PLONG PendingWorkerCount); + +EXTERN_C NTSTATUS Sw3NtSignalAndWaitForSingleObject( +IN HANDLE hObjectToSignal, +IN HANDLE hObjectToWaitOn, +IN BOOLEAN bAlertable, +IN PLARGE_INTEGER dwMilliseconds OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSinglePhaseReject( +IN HANDLE EnlistmentHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtStartProfile( +IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtStopProfile( +IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtSubscribeWnfStateChange( +IN PCWNF_STATE_NAME StateName, +IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, +IN ULONG EventMask, +OUT PLARGE_INTEGER SubscriptionId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSuspendProcess( +IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtSuspendThread( +IN HANDLE ThreadHandle, +OUT PULONG PreviousSuspendCount); + +EXTERN_C NTSTATUS Sw3NtSystemDebugControl( +IN DEBUG_CONTROL_CODE Command, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength, +OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateEnclave( +IN PVOID BaseAddress, +IN BOOLEAN WaitForThread); + +EXTERN_C NTSTATUS Sw3NtTerminateJobObject( +IN HANDLE JobHandle, +IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtTestAlert(); + +EXTERN_C NTSTATUS Sw3NtThawRegistry(); + +EXTERN_C NTSTATUS Sw3NtThawTransactions(); + +EXTERN_C NTSTATUS Sw3NtTraceControl( +IN ULONG FunctionCode, +IN PVOID InputBuffer OPTIONAL, +IN ULONG InputBufferLength, +OUT PVOID OutputBuffer OPTIONAL, +IN ULONG OutputBufferLength, +OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtTranslateFilePath( +IN PFILE_PATH InputFilePath, +IN ULONG OutputType, +OUT PFILE_PATH OutputFilePath OPTIONAL, +IN OUT PULONG OutputFilePathLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUmsThreadYield( +IN PVOID SchedulerParam); + +EXTERN_C NTSTATUS Sw3NtUnloadDriver( +IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey( +IN POBJECT_ATTRIBUTES DestinationKeyName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey2( +IN POBJECT_ATTRIBUTES TargetKey, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnloadKeyEx( +IN POBJECT_ATTRIBUTES TargetKey, +IN HANDLE Event OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUnlockFile( +IN HANDLE FileHandle, +OUT PIO_STATUS_BLOCK IoStatusBlock, +IN PULARGE_INTEGER ByteOffset, +IN PULARGE_INTEGER Length, +IN ULONG Key); + +EXTERN_C NTSTATUS Sw3NtUnlockVirtualMemory( +IN HANDLE ProcessHandle, +IN PVOID * BaseAddress, +IN PSIZE_T NumberOfBytesToUnlock, +IN ULONG LockType); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSectionEx( +IN HANDLE ProcessHandle, +IN PVOID BaseAddress OPTIONAL, +IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnsubscribeWnfStateChange( +IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtUpdateWnfStateData( +IN PCWNF_STATE_NAME StateName, +IN PVOID Buffer OPTIONAL, +IN ULONG Length OPTIONAL, +IN PCWNF_TYPE_ID TypeId OPTIONAL, +IN PVOID ExplicitScope OPTIONAL, +IN WNF_CHANGE_STAMP MatchingChangeStamp, +IN ULONG CheckStamp); + +EXTERN_C NTSTATUS Sw3NtVdmControl( +IN VDMSERVICECLASS Service, +IN OUT PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtWaitForAlertByThreadId( +IN HANDLE Handle, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForDebugEvent( +IN HANDLE DebugObjectHandle, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL, +OUT PVOID WaitStateChange); + +EXTERN_C NTSTATUS Sw3NtWaitForKeyedEvent( +IN HANDLE KeyedEventHandle, +IN PVOID Key, +IN BOOLEAN Alertable, +IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForWorkViaWorkerFactory( +IN HANDLE WorkerFactoryHandle, +OUT PVOID MiniPacket); + +EXTERN_C NTSTATUS Sw3NtWaitHighEventPair( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtWaitLowEventPair( +IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtAcquireCMFViewOwnership( +OUT BOOLEAN TimeStamp, +OUT BOOLEAN TokenTaken, +IN BOOLEAN ReplaceExisting); + +EXTERN_C NTSTATUS Sw3NtCancelDeviceWakeupRequest( +IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtClearAllSavepointsTransaction( +IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtClearSavepointTransaction( +IN HANDLE TransactionHandle, +IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtRollbackSavepointTransaction( +IN HANDLE TransactionHandle, +IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointTransaction( +IN HANDLE TransactionHandle, +IN BOOLEAN Flag, +OUT ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointComplete( +IN HANDLE TransactionHandle, +IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSectionEx( +OUT PHANDLE SectionHandle, +IN ACCESS_MASK DesiredAccess, +IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, +IN PLARGE_INTEGER MaximumSize OPTIONAL, +IN ULONG SectionPageProtection, +IN ULONG AllocationAttributes, +IN HANDLE FileHandle OPTIONAL, +IN PMEM_EXTENDED_PARAMETER ExtendedParameters, +IN ULONG ExtendedParametersCount); + +EXTERN_C NTSTATUS Sw3NtCreateCrossVmEvent(); + +EXTERN_C NTSTATUS Sw3NtGetPlugPlayEvent( +IN HANDLE EventHandle, +IN PVOID Context OPTIONAL, +OUT PPLUGPLAY_EVENT_BLOCK EventBlock, +IN ULONG EventBufferSize); + +EXTERN_C NTSTATUS Sw3NtListTransactions(); + +EXTERN_C NTSTATUS Sw3NtMarshallTransaction(); + +EXTERN_C NTSTATUS Sw3NtPullTransaction(); + +EXTERN_C NTSTATUS Sw3NtReleaseCMFViewOwnership(); + +EXTERN_C NTSTATUS Sw3NtWaitForWnfNotifications(); + +EXTERN_C NTSTATUS Sw3NtStartTm(); + +EXTERN_C NTSTATUS Sw3NtSetInformationProcess( +IN HANDLE DeviceHandle, +IN PROCESSINFOCLASS ProcessInformationClass, +IN PVOID ProcessInformation, +IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtRequestDeviceWakeup( +IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtRequestWakeupLatency( +IN ULONG LatencyTime); + +EXTERN_C NTSTATUS Sw3NtQuerySystemTime( +OUT PLARGE_INTEGER SystemTime); + +EXTERN_C NTSTATUS Sw3NtManageHotPatch( +IN ULONG UnknownParameter1, +IN ULONG UnknownParameter2, +IN ULONG UnknownParameter3, +IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtContinueEx( +IN PCONTEXT ContextRecord, +IN PKCONTINUE_ARGUMENT ContinueArgument); + +#endif + + + +//#define DEBUG + +#define JUMPER + +#ifdef _M_IX86 + +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) { + return (PVOID)__readfsdword(0xC0); +} + +__declspec(naked) BOOL local_is_wow64(void) +{ + __asm { + mov eax, fs:[0xc0] + test eax, eax + jne wow64 + mov eax, 0 + ret + wow64: + mov eax, 1 + ret + } +} + + +#endif + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +SW3_SYSCALL_LIST SW3_SyscallList; + +// SEARCH_AND_REPLACE +#ifdef SEARCH_AND_REPLACE +// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release +EXTERN void SearchAndReplace(unsigned char[], unsigned char[]); +#endif + +DWORD SW3_HashSyscall(PCSTR FunctionName) +{ + DWORD i = 0; + DWORD Hash = SW3_SEED; + + while (FunctionName[i]) + { + WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++); + Hash ^= PartialName + SW3_ROR8(Hash); + } + + return Hash; +} + +#ifndef JUMPER +PVOID SC_Address(PVOID NtApiAddress) +{ + return NULL; +} +#else +PVOID SC_Address(PVOID NtApiAddress) +{ + DWORD searchLimit = 512; + PVOID SyscallAddress; + + #ifdef _WIN64 + // If the process is 64-bit on a 64-bit OS, we need to search for syscall + BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 }; + ULONG distance_to_syscall = 0x12; + #else + // If the process is 32-bit on a 32-bit OS, we need to search for sysenter + BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 }; + ULONG distance_to_syscall = 0x0f; + #endif + + #ifdef _M_IX86 + // If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved + if (local_is_wow64()) + { + #ifdef DEBUG + // printf("[+] Running 32-bit app on x64 (WOW64)\n"); + #endif + return NULL; + } + #endif + + // we don't really care if there is a 'jmp' between + // NtApiAddress and the 'syscall; ret' instructions + SyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall); + + int match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // the 'syscall; ret' intructions have not been found, + // we will try to use one near it, similarly to HalosGate + + for (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++) + { + // let's try with an Nt* API below our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall + num_jumps * 0x20); + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // let's try with an Nt* API above our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall - num_jumps * 0x20); + + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + } + +#ifdef DEBUG + // printf("Syscall Opcodes not found!\n"); +#endif + + return NULL; +} +#endif + + +BOOL SW3_PopulateSyscallList() +{ + // Return early if the list is already populated. + if (SW3_SyscallList.Count) return TRUE; + + #ifdef _WIN64 + PSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60); + #else + PSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30); + #endif + PSW3_PEB_LDR_DATA Ldr = Peb->Ldr; + PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; + PVOID DllBase = NULL; + + // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second + // in the list, so it's safer to loop through the full list and find it. + PSW3_LDR_DATA_TABLE_ENTRY LdrEntry; + for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0]) + { + DllBase = LdrEntry->DllBase; + PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase; + PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew); + PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory; + DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + if (VirtualAddress == 0) continue; + + ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress); + + // If this is NTDLL.dll, exit loop. + PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name); + + if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue; + if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break; + } + + if (!ExportDirectory) return FALSE; + + DWORD NumberOfNames = ExportDirectory->NumberOfNames; + PDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions); + PDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames); + PWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals); + + // Populate SW3_SyscallList with unsorted Zw* entries. + DWORD i = 0; + PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries; + do + { + PCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]); + + // Is this a system call? + if (*(USHORT*)FunctionName == 0x775a) + { + Entries[i].Hash = SW3_HashSyscall(FunctionName); + Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]]; + Entries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address)); + + i++; + if (i == SW3_MAX_ENTRIES) break; + } + } while (--NumberOfNames); + + // Save total number of system calls found. + SW3_SyscallList.Count = i; + + // Sort the list by address in ascending order. + for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++) + { + for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++) + { + if (Entries[j].Address > Entries[j + 1].Address) + { + // Swap entries. + SW3_SYSCALL_ENTRY TempEntry; + + TempEntry.Hash = Entries[j].Hash; + TempEntry.Address = Entries[j].Address; + TempEntry.SyscallAddress = Entries[j].SyscallAddress; + + Entries[j].Hash = Entries[j + 1].Hash; + Entries[j].Address = Entries[j + 1].Address; + Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress; + + Entries[j + 1].Hash = TempEntry.Hash; + Entries[j + 1].Address = TempEntry.Address; + Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress; + } + } + } + + return TRUE; +} + +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return -1; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return i; + } + } + + return -1; +} + +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return SW3_SyscallList.Entries[i].SyscallAddress; + } + } + + return NULL; +} + +DWORD LCG() { + static DWORD seed = 123987654; + return (seed >> 16) & 0x7FFF; // return a pseudo-random number +} + +EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + DWORD index = LCG() % SW3_SyscallList.Count; + + while (FunctionHash == SW3_SyscallList.Entries[index].Hash){ + // Spoofing the syscall return address + index = LCG() % SW3_SyscallList.Count; + } + return SW3_SyscallList.Entries[index].SyscallAddress; +} + + + + +#if _WIN64 + + + + + +#define Sw3ZwAccessCheck Sw3NtAccessCheck +__asm__("Sw3NtAccessCheck: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x090BDE162 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x090BDE162 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWorkerFactoryWorkerReady Sw3NtWorkerFactoryWorkerReady +__asm__("Sw3NtWorkerFactoryWorkerReady: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B198C761 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B198C761 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcceptConnectPort Sw3NtAcceptConnectPort +__asm__("Sw3NtAcceptConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02ABE2B30 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02ABE2B30 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapUserPhysicalPagesScatter Sw3NtMapUserPhysicalPagesScatter +__asm__("Sw3NtMapUserPhysicalPagesScatter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x019A82701 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x019A82701 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForSingleObject Sw3NtWaitForSingleObject +__asm__("Sw3NtWaitForSingleObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA974ACB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA974ACB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCallbackReturn Sw3NtCallbackReturn +__asm__("Sw3NtCallbackReturn: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CA9EEB09 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CA9EEB09 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadFile Sw3NtReadFile +__asm__("Sw3NtReadFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052D55A76 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052D55A76 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeviceIoControlFile Sw3NtDeviceIoControlFile +__asm__("Sw3NtDeviceIoControlFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04AD55862 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04AD55862 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteFile Sw3NtWriteFile +__asm__("Sw3NtWriteFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E05AED2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E05AED2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveIoCompletion Sw3NtRemoveIoCompletion +__asm__("Sw3NtRemoveIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x002986257 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x002986257 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseSemaphore Sw3NtReleaseSemaphore +__asm__("Sw3NtReleaseSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F7649DAB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F7649DAB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReceivePort Sw3NtReplyWaitReceivePort +__asm__("Sw3NtReplyWaitReceivePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07AF2887C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07AF2887C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyPort Sw3NtReplyPort +__asm__("Sw3NtReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x022B42B28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x022B42B28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationThread Sw3NtSetInformationThread +__asm__("Sw3NtSetInformationThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014469558 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014469558 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEvent Sw3NtSetEvent +__asm__("Sw3NtSetEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CB6BEADD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CB6BEADD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClose Sw3NtClose +__asm__("Sw3NtClose: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0028DF4DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0028DF4DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryObject Sw3NtQueryObject +__asm__("Sw3NtQueryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03EA6CBDE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03EA6CBDE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationFile Sw3NtQueryInformationFile +__asm__("Sw3NtQueryInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0583D26E6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0583D26E6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKey Sw3NtOpenKey +__asm__("Sw3NtOpenKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02522D15D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02522D15D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateValueKey Sw3NtEnumerateValueKey +__asm__("Sw3NtEnumerateValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011958D8E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011958D8E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFindAtom Sw3NtFindAtom +__asm__("Sw3NtFindAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048DE6F0C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048DE6F0C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDefaultLocale Sw3NtQueryDefaultLocale +__asm__("Sw3NtQueryDefaultLocale: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A6AAFC1D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A6AAFC1D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryKey Sw3NtQueryKey +__asm__("Sw3NtQueryKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x095157F77 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x095157F77 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryValueKey Sw3NtQueryValueKey +__asm__("Sw3NtQueryValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00FDA326C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00FDA326C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateVirtualMemory Sw3NtAllocateVirtualMemory +__asm__("Sw3NtAllocateVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x041D23933 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x041D23933 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationProcess Sw3NtQueryInformationProcess +__asm__("Sw3NtQueryInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08F3D6E50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08F3D6E50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForMultipleObjects32 Sw3NtWaitForMultipleObjects32 +__asm__("Sw3NtWaitForMultipleObjects32: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0102CEE619 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0102CEE619 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteFileGather Sw3NtWriteFileGather +__asm__("Sw3NtWriteFileGather: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AD8D79AC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AD8D79AC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKey Sw3NtCreateKey +__asm__("Sw3NtCreateKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AAED834C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AAED834C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreeVirtualMemory Sw3NtFreeVirtualMemory +__asm__("Sw3NtFreeVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CF4F2620 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CF4F2620 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateClientOfPort Sw3NtImpersonateClientOfPort +__asm__("Sw3NtImpersonateClientOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06EF76164 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06EF76164 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseMutant Sw3NtReleaseMutant +__asm__("Sw3NtReleaseMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03ED41482 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03ED41482 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationToken Sw3NtQueryInformationToken +__asm__("Sw3NtQueryInformationToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B92515E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B92515E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestWaitReplyPort Sw3NtRequestWaitReplyPort +__asm__("Sw3NtRequestWaitReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AB04F60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AB04F60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryVirtualMemory Sw3NtQueryVirtualMemory +__asm__("Sw3NtQueryVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C455F4EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C455F4EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThreadToken Sw3NtOpenThreadToken +__asm__("Sw3NtOpenThreadToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FCA9D433 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FCA9D433 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationThread Sw3NtQueryInformationThread +__asm__("Sw3NtQueryInformationThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AB45A1F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AB45A1F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcess Sw3NtOpenProcess +__asm__("Sw3NtOpenProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00FA30E32 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00FA30E32 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationFile Sw3NtSetInformationFile +__asm__("Sw3NtSetInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E3D831EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E3D831EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapViewOfSection Sw3NtMapViewOfSection +__asm__("Sw3NtMapViewOfSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034AD1A31 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034AD1A31 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckAndAuditAlarm Sw3NtAccessCheckAndAuditAlarm +__asm__("Sw3NtAccessCheckAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0923C6C70 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0923C6C70 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnmapViewOfSection Sw3NtUnmapViewOfSection +__asm__("Sw3NtUnmapViewOfSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C343EA5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C343EA5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReceivePortEx Sw3NtReplyWaitReceivePortEx +__asm__("Sw3NtReplyWaitReceivePortEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0608F3450 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0608F3450 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateProcess Sw3NtTerminateProcess +__asm__("Sw3NtTerminateProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FDA3163F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FDA3163F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEventBoostPriority Sw3NtSetEventBoostPriority +__asm__("Sw3NtSetEventBoostPriority: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02C9C407A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02C9C407A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadFileScatter Sw3NtReadFileScatter +__asm__("Sw3NtReadFileScatter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C3B0CE2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C3B0CE2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThreadTokenEx Sw3NtOpenThreadTokenEx +__asm__("Sw3NtOpenThreadTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02A9BE5CD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02A9BE5CD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcessTokenEx Sw3NtOpenProcessTokenEx +__asm__("Sw3NtOpenProcessTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0091E59C7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0091E59C7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryPerformanceCounter Sw3NtQueryPerformanceCounter +__asm__("Sw3NtQueryPerformanceCounter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BB0FC18B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BB0FC18B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateKey Sw3NtEnumerateKey +__asm__("Sw3NtEnumerateKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01F997A62 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01F997A62 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenFile Sw3NtOpenFile +__asm__("Sw3NtOpenFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054C29D70 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054C29D70 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDelayExecution Sw3NtDelayExecution +__asm__("Sw3NtDelayExecution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C950239 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C950239 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryFile Sw3NtQueryDirectoryFile +__asm__("Sw3NtQueryDirectoryFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x023B4CD31 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x023B4CD31 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemInformation Sw3NtQuerySystemInformation +__asm__("Sw3NtQuerySystemInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00E6A1681 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00E6A1681 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSection Sw3NtOpenSection +__asm__("Sw3NtOpenSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D30CD39E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D30CD39E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryTimer Sw3NtQueryTimer +__asm__("Sw3NtQueryTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E44735E4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E44735E4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFsControlFile Sw3NtFsControlFile +__asm__("Sw3NtFsControlFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x050DFC2E8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x050DFC2E8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteVirtualMemory Sw3NtWriteVirtualMemory +__asm__("Sw3NtWriteVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00992F8FD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00992F8FD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCloseObjectAuditAlarm Sw3NtCloseObjectAuditAlarm +__asm__("Sw3NtCloseObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FE3CF8A8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FE3CF8A8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDuplicateObject Sw3NtDuplicateObject +__asm__("Sw3NtDuplicateObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A155AD8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A155AD8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryAttributesFile Sw3NtQueryAttributesFile +__asm__("Sw3NtQueryAttributesFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C6FC32EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C6FC32EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearEvent Sw3NtClearEvent +__asm__("Sw3NtClearEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03CA6232C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03CA6232C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadVirtualMemory Sw3NtReadVirtualMemory +__asm__("Sw3NtReadVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x003971B07 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x003971B07 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEvent Sw3NtOpenEvent +__asm__("Sw3NtOpenEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0973F90AD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0973F90AD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustPrivilegesToken Sw3NtAdjustPrivilegesToken +__asm__("Sw3NtAdjustPrivilegesToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F3D6C176 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F3D6C176 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDuplicateToken Sw3NtDuplicateToken +__asm__("Sw3NtDuplicateToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B5918530 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B5918530 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwContinue Sw3NtContinue +__asm__("Sw3NtContinue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C2B521F9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C2B521F9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDefaultUILanguage Sw3NtQueryDefaultUILanguage +__asm__("Sw3NtQueryDefaultUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0358BF32A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0358BF32A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueueApcThread Sw3NtQueueApcThread +__asm__("Sw3NtQueueApcThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C897152E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C897152E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwYieldExecution Sw3NtYieldExecution +__asm__("Sw3NtYieldExecution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C8A3CA33 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C8A3CA33 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddAtom Sw3NtAddAtom +__asm__("Sw3NtAddAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054C15D50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054C15D50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEvent Sw3NtCreateEvent +__asm__("Sw3NtCreateEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0014C04C4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0014C04C4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryVolumeInformationFile Sw3NtQueryVolumeInformationFile +__asm__("Sw3NtQueryVolumeInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D949BA4D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D949BA4D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSection Sw3NtCreateSection +__asm__("Sw3NtCreateSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0128C3419 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0128C3419 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushBuffersFile Sw3NtFlushBuffersFile +__asm__("Sw3NtFlushBuffersFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x038B8FF1A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x038B8FF1A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwApphelpCacheControl Sw3NtApphelpCacheControl +__asm__("Sw3NtApphelpCacheControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E38CFC0F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E38CFC0F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProcessEx Sw3NtCreateProcessEx +__asm__("Sw3NtCreateProcessEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x015EB5512 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x015EB5512 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateThread Sw3NtCreateThread +__asm__("Sw3NtCreateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B4EDFFE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B4EDFFE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsProcessInJob Sw3NtIsProcessInJob +__asm__("Sw3NtIsProcessInJob: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02FD7D983 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02FD7D983 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwProtectVirtualMemory Sw3NtProtectVirtualMemory +__asm__("Sw3NtProtectVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03DA9534F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03DA9534F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySection Sw3NtQuerySection +__asm__("Sw3NtQuerySection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A8602873 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A8602873 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResumeThread Sw3NtResumeThread +__asm__("Sw3NtResumeThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03C85E6BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03C85E6BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateThread Sw3NtTerminateThread +__asm__("Sw3NtTerminateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x078DC366D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x078DC366D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadRequestData Sw3NtReadRequestData +__asm__("Sw3NtReadRequestData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x023830CCF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x023830CCF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateFile Sw3NtCreateFile +__asm__("Sw3NtCreateFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F95E1C05 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F95E1C05 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryEvent Sw3NtQueryEvent +__asm__("Sw3NtQueryEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x016830504 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x016830504 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWriteRequestData Sw3NtWriteRequestData +__asm__("Sw3NtWriteRequestData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0765FA36D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0765FA36D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenDirectoryObject Sw3NtOpenDirectoryObject +__asm__("Sw3NtOpenDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0203E2EA3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0203E2EA3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeAndAuditAlarm Sw3NtAccessCheckByTypeAndAuditAlarm +__asm__("Sw3NtAccessCheckByTypeAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052D57480 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052D57480 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForMultipleObjects Sw3NtWaitForMultipleObjects +__asm__("Sw3NtWaitForMultipleObjects: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01BE5DFD93 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01BE5DFD93 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationObject Sw3NtSetInformationObject +__asm__("Sw3NtSetInformationObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03A150AA9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03A150AA9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelIoFile Sw3NtCancelIoFile +__asm__("Sw3NtCancelIoFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B7194803 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B7194803 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTraceEvent Sw3NtTraceEvent +__asm__("Sw3NtTraceEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010843514 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010843514 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPowerInformation Sw3NtPowerInformation +__asm__("Sw3NtPowerInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E84EE6D5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E84EE6D5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetValueKey Sw3NtSetValueKey +__asm__("Sw3NtSetValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05BE22000 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05BE22000 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelTimer Sw3NtCancelTimer +__asm__("Sw3NtCancelTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x099A2E129 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x099A2E129 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimer Sw3NtSetTimer +__asm__("Sw3NtSetTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E044CCFD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E044CCFD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByType Sw3NtAccessCheckByType +__asm__("Sw3NtAccessCheckByType: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DF07D26F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DF07D26F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultList Sw3NtAccessCheckByTypeResultList +__asm__("Sw3NtAccessCheckByTypeResultList: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02EB0C9A3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02EB0C9A3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultListAndAuditAlarm Sw3NtAccessCheckByTypeResultListAndAuditAlarm +__asm__("Sw3NtAccessCheckByTypeResultListAndAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09F339E5F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09F339E5F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAccessCheckByTypeResultListAndAuditAlarmByHandle Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle +__asm__("Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0973CB876 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0973CB876 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcquireProcessActivityReference Sw3NtAcquireProcessActivityReference +__asm__("Sw3NtAcquireProcessActivityReference: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0569AADFA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0569AADFA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddAtomEx Sw3NtAddAtomEx +__asm__("Sw3NtAddAtomEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00990B594 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00990B594 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddBootEntry Sw3NtAddBootEntry +__asm__("Sw3NtAddBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x049853376 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x049853376 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAddDriverEntry Sw3NtAddDriverEntry +__asm__("Sw3NtAddDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x047EB7D28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x047EB7D28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustGroupsToken Sw3NtAdjustGroupsToken +__asm__("Sw3NtAdjustGroupsToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01390DDCC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01390DDCC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAdjustTokenClaimsAndDeviceGroups Sw3NtAdjustTokenClaimsAndDeviceGroups +__asm__("Sw3NtAdjustTokenClaimsAndDeviceGroups: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08DC0A159 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08DC0A159 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertResumeThread Sw3NtAlertResumeThread +__asm__("Sw3NtAlertResumeThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E86542F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E86542F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertThread Sw3NtAlertThread +__asm__("Sw3NtAlertThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x040E00A35 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x040E00A35 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlertThreadByThreadId Sw3NtAlertThreadByThreadId +__asm__("Sw3NtAlertThreadByThreadId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x022D6DD4D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x022D6DD4D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateLocallyUniqueId Sw3NtAllocateLocallyUniqueId +__asm__("Sw3NtAllocateLocallyUniqueId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07F8B431A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07F8B431A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateReserveObject Sw3NtAllocateReserveObject +__asm__("Sw3NtAllocateReserveObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E0BF00E2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E0BF00E2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateUserPhysicalPages Sw3NtAllocateUserPhysicalPages +__asm__("Sw3NtAllocateUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A9B6BE16 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A9B6BE16 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateUuids Sw3NtAllocateUuids +__asm__("Sw3NtAllocateUuids: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AD9CDB79 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AD9CDB79 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAllocateVirtualMemoryEx Sw3NtAllocateVirtualMemoryEx +__asm__("Sw3NtAllocateVirtualMemoryEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066E23835 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066E23835 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcAcceptConnectPort Sw3NtAlpcAcceptConnectPort +__asm__("Sw3NtAlpcAcceptConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E54CDEE3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E54CDEE3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCancelMessage Sw3NtAlpcCancelMessage +__asm__("Sw3NtAlpcCancelMessage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B111222C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B111222C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcConnectPort Sw3NtAlpcConnectPort +__asm__("Sw3NtAlpcConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x030B61AE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x030B61AE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcConnectPortEx Sw3NtAlpcConnectPortEx +__asm__("Sw3NtAlpcConnectPortEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A65FF889 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A65FF889 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreatePort Sw3NtAlpcCreatePort +__asm__("Sw3NtAlpcCreatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E870C1EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E870C1EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreatePortSection Sw3NtAlpcCreatePortSection +__asm__("Sw3NtAlpcCreatePortSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09255EA9F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09255EA9F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateResourceReserve Sw3NtAlpcCreateResourceReserve +__asm__("Sw3NtAlpcCreateResourceReserve: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0289B3A33 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0289B3A33 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateSectionView Sw3NtAlpcCreateSectionView +__asm__("Sw3NtAlpcCreateSectionView: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x092C4A77E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x092C4A77E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcCreateSecurityContext Sw3NtAlpcCreateSecurityContext +__asm__("Sw3NtAlpcCreateSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F66FF3E6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F66FF3E6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeletePortSection Sw3NtAlpcDeletePortSection +__asm__("Sw3NtAlpcDeletePortSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A81CAD2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A81CAD2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteResourceReserve Sw3NtAlpcDeleteResourceReserve +__asm__("Sw3NtAlpcDeleteResourceReserve: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x006D95411 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x006D95411 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteSectionView Sw3NtAlpcDeleteSectionView +__asm__("Sw3NtAlpcDeleteSectionView: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0EE48D7EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0EE48D7EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDeleteSecurityContext Sw3NtAlpcDeleteSecurityContext +__asm__("Sw3NtAlpcDeleteSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x094CC5A8D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x094CC5A8D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcDisconnectPort Sw3NtAlpcDisconnectPort +__asm__("Sw3NtAlpcDisconnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E037E7BC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E037E7BC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcImpersonateClientContainerOfPort Sw3NtAlpcImpersonateClientContainerOfPort +__asm__("Sw3NtAlpcImpersonateClientContainerOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E477EFE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E477EFE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcImpersonateClientOfPort Sw3NtAlpcImpersonateClientOfPort +__asm__("Sw3NtAlpcImpersonateClientOfPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05CB4552A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05CB4552A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcOpenSenderProcess Sw3NtAlpcOpenSenderProcess +__asm__("Sw3NtAlpcOpenSenderProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0693F9773 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0693F9773 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcOpenSenderThread Sw3NtAlpcOpenSenderThread +__asm__("Sw3NtAlpcOpenSenderThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014884C37 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014884C37 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcQueryInformation Sw3NtAlpcQueryInformation +__asm__("Sw3NtAlpcQueryInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05CC45E55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05CC45E55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcQueryInformationMessage Sw3NtAlpcQueryInformationMessage +__asm__("Sw3NtAlpcQueryInformationMessage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x027123CAB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x027123CAB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcRevokeSecurityContext Sw3NtAlpcRevokeSecurityContext +__asm__("Sw3NtAlpcRevokeSecurityContext: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x016B20D3A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x016B20D3A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcSendWaitReceivePort Sw3NtAlpcSendWaitReceivePort +__asm__("Sw3NtAlpcSendWaitReceivePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ED760C6B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ED760C6B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAlpcSetInformation Sw3NtAlpcSetInformation +__asm__("Sw3NtAlpcSetInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0178A1718 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0178A1718 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAreMappedFilesTheSame Sw3NtAreMappedFilesTheSame +__asm__("Sw3NtAreMappedFilesTheSame: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B1909816 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B1909816 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAssignProcessToJobObject Sw3NtAssignProcessToJobObject +__asm__("Sw3NtAssignProcessToJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x008946A49 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x008946A49 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAssociateWaitCompletionPacket Sw3NtAssociateWaitCompletionPacket +__asm__("Sw3NtAssociateWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07B5C01B1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07B5C01B1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCallEnclave Sw3NtCallEnclave +__asm__("Sw3NtCallEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03AAA5638 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03AAA5638 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelIoFileEx Sw3NtCancelIoFileEx +__asm__("Sw3NtCancelIoFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E51A3345 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E51A3345 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelSynchronousIoFile Sw3NtCancelSynchronousIoFile +__asm__("Sw3NtCancelSynchronousIoFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x055DC6B49 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x055DC6B49 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelTimer2 Sw3NtCancelTimer2 +__asm__("Sw3NtCancelTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B03B31EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B03B31EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelWaitCompletionPacket Sw3NtCancelWaitCompletionPacket +__asm__("Sw3NtCancelWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029AC4F7E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029AC4F7E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitComplete Sw3NtCommitComplete +__asm__("Sw3NtCommitComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04EB13672 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04EB13672 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitEnlistment Sw3NtCommitEnlistment +__asm__("Sw3NtCommitEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x033BB262D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x033BB262D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitRegistryTransaction Sw3NtCommitRegistryTransaction +__asm__("Sw3NtCommitRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E58D104 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E58D104 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCommitTransaction Sw3NtCommitTransaction +__asm__("Sw3NtCommitTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D8822BC6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D8822BC6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompactKeys Sw3NtCompactKeys +__asm__("Sw3NtCompactKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x059B04422 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x059B04422 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareObjects Sw3NtCompareObjects +__asm__("Sw3NtCompareObjects: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x081ADB90F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x081ADB90F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareSigningLevels Sw3NtCompareSigningLevels +__asm__("Sw3NtCompareSigningLevels: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A21BE2CE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A21BE2CE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompareTokens Sw3NtCompareTokens +__asm__("Sw3NtCompareTokens: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x077D6695B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x077D6695B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompleteConnectPort Sw3NtCompleteConnectPort +__asm__("Sw3NtCompleteConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x064F16F6E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x064F16F6E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCompressKey Sw3NtCompressKey +__asm__("Sw3NtCompressKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x088CD5F92 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x088CD5F92 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwConnectPort Sw3NtConnectPort +__asm__("Sw3NtConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x058F15B7E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x058F15B7E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter +__asm__("Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E7D6389A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E7D6389A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDebugObject Sw3NtCreateDebugObject +__asm__("Sw3NtCreateDebugObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00E33E64F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00E33E64F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDirectoryObject Sw3NtCreateDirectoryObject +__asm__("Sw3NtCreateDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018A42619 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018A42619 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateDirectoryObjectEx Sw3NtCreateDirectoryObjectEx +__asm__("Sw3NtCreateDirectoryObjectEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B0BCC246 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B0BCC246 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEnclave Sw3NtCreateEnclave +__asm__("Sw3NtCreateEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0135CE116 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0135CE116 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEnlistment Sw3NtCreateEnlistment +__asm__("Sw3NtCreateEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x079E37869 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x079E37869 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateEventPair Sw3NtCreateEventPair +__asm__("Sw3NtCreateEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01235DE6F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01235DE6F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateIRTimer Sw3NtCreateIRTimer +__asm__("Sw3NtCreateIRTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005963FDE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005963FDE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateIoCompletion Sw3NtCreateIoCompletion +__asm__("Sw3NtCreateIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F296DB8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F296DB8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateJobObject Sw3NtCreateJobObject +__asm__("Sw3NtCreateJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09655BEE9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09655BEE9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateJobSet Sw3NtCreateJobSet +__asm__("Sw3NtCreateJobSet: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00716F85D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00716F85D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKeyTransacted Sw3NtCreateKeyTransacted +__asm__("Sw3NtCreateKeyTransacted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x060BC2262 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x060BC2262 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateKeyedEvent Sw3NtCreateKeyedEvent +__asm__("Sw3NtCreateKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04F0D5284 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04F0D5284 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateLowBoxToken Sw3NtCreateLowBoxToken +__asm__("Sw3NtCreateLowBoxToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01A5200DF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01A5200DF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateMailslotFile Sw3NtCreateMailslotFile +__asm__("Sw3NtCreateMailslotFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0393CB028 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0393CB028 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateMutant Sw3NtCreateMutant +__asm__("Sw3NtCreateMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D10CD69F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D10CD69F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateNamedPipeFile Sw3NtCreateNamedPipeFile +__asm__("Sw3NtCreateNamedPipeFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01E5CE906 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01E5CE906 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePagingFile Sw3NtCreatePagingFile +__asm__("Sw3NtCreatePagingFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E5659673 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E5659673 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePartition Sw3NtCreatePartition +__asm__("Sw3NtCreatePartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B4E678C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B4E678C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePort Sw3NtCreatePort +__asm__("Sw3NtCreatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E570FAE3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E570FAE3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreatePrivateNamespace Sw3NtCreatePrivateNamespace +__asm__("Sw3NtCreatePrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x017332B6A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x017332B6A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProcess Sw3NtCreateProcess +__asm__("Sw3NtCreateProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x019A80240 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x019A80240 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProfile Sw3NtCreateProfile +__asm__("Sw3NtCreateProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074B7122C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074B7122C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateProfileEx Sw3NtCreateProfileEx +__asm__("Sw3NtCreateProfileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0409A1C4F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0409A1C4F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateRegistryTransaction Sw3NtCreateRegistryTransaction +__asm__("Sw3NtCreateRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC9E2602 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC9E2602 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateResourceManager Sw3NtCreateResourceManager +__asm__("Sw3NtCreateResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x035E66124 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x035E66124 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSemaphore Sw3NtCreateSemaphore +__asm__("Sw3NtCreateSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0742656EA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0742656EA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSymbolicLinkObject Sw3NtCreateSymbolicLinkObject +__asm__("Sw3NtCreateSymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010BD4667 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010BD4667 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateThreadEx Sw3NtCreateThreadEx +__asm__("Sw3NtCreateThreadEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x052B396EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x052B396EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTimer Sw3NtCreateTimer +__asm__("Sw3NtCreateTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07DC783AF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07DC783AF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTimer2 Sw3NtCreateTimer2 +__asm__("Sw3NtCreateTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D2BA19AC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D2BA19AC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateToken Sw3NtCreateToken +__asm__("Sw3NtCreateToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x071D583B5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x071D583B5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTokenEx Sw3NtCreateTokenEx +__asm__("Sw3NtCreateTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0786322BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0786322BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTransaction Sw3NtCreateTransaction +__asm__("Sw3NtCreateTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01774D223 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01774D223 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateTransactionManager Sw3NtCreateTransactionManager +__asm__("Sw3NtCreateTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011B13D28 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011B13D28 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateUserProcess Sw3NtCreateUserProcess +__asm__("Sw3NtCreateUserProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E34A7BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E34A7BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWaitCompletionPacket Sw3NtCreateWaitCompletionPacket +__asm__("Sw3NtCreateWaitCompletionPacket: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B96399DE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B96399DE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWaitablePort Sw3NtCreateWaitablePort +__asm__("Sw3NtCreateWaitablePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A4B64F29 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A4B64F29 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWnfStateName Sw3NtCreateWnfStateName +__asm__("Sw3NtCreateWnfStateName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074924D47 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074924D47 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateWorkerFactory Sw3NtCreateWorkerFactory +__asm__("Sw3NtCreateWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x001151588 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x001151588 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDebugActiveProcess Sw3NtDebugActiveProcess +__asm__("Sw3NtDebugActiveProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x025952408 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x025952408 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDebugContinue Sw3NtDebugContinue +__asm__("Sw3NtDebugContinue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D670918C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D670918C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteAtom Sw3NtDeleteAtom +__asm__("Sw3NtDeleteAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034A2D02B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034A2D02B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteBootEntry Sw3NtDeleteBootEntry +__asm__("Sw3NtDeleteBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x009841114 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x009841114 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteDriverEntry Sw3NtDeleteDriverEntry +__asm__("Sw3NtDeleteDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x003920900 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x003920900 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteFile Sw3NtDeleteFile +__asm__("Sw3NtDeleteFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004B5CCE7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004B5CCE7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteKey Sw3NtDeleteKey +__asm__("Sw3NtDeleteKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01A4EC31C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01A4EC31C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteObjectAuditAlarm Sw3NtDeleteObjectAuditAlarm +__asm__("Sw3NtDeleteObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC93EE5E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC93EE5E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeletePrivateNamespace Sw3NtDeletePrivateNamespace +__asm__("Sw3NtDeletePrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x011BDE62F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x011BDE62F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteValueKey Sw3NtDeleteValueKey +__asm__("Sw3NtDeleteValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02E9B310C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02E9B310C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteWnfStateData Sw3NtDeleteWnfStateData +__asm__("Sw3NtDeleteWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x062DD908C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x062DD908C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDeleteWnfStateName Sw3NtDeleteWnfStateName +__asm__("Sw3NtDeleteWnfStateName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004CB81D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004CB81D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDisableLastKnownGood Sw3NtDisableLastKnownGood +__asm__("Sw3NtDisableLastKnownGood: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007B88DAE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007B88DAE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDisplayString Sw3NtDisplayString +__asm__("Sw3NtDisplayString: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FACDACF0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FACDACF0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwDrawText Sw3NtDrawText +__asm__("Sw3NtDrawText: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A2DD8D4F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A2DD8D4F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnableLastKnownGood Sw3NtEnableLastKnownGood +__asm__("Sw3NtEnableLastKnownGood: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029BA1D12 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029BA1D12 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateBootEntries Sw3NtEnumerateBootEntries +__asm__("Sw3NtEnumerateBootEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F965FEF2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F965FEF2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateDriverEntries Sw3NtEnumerateDriverEntries +__asm__("Sw3NtEnumerateDriverEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00126F94D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00126F94D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateSystemEnvironmentValuesEx Sw3NtEnumerateSystemEnvironmentValuesEx +__asm__("Sw3NtEnumerateSystemEnvironmentValuesEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F160323B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F160323B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwEnumerateTransactionObject Sw3NtEnumerateTransactionObject +__asm__("Sw3NtEnumerateTransactionObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x084B9B415 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x084B9B415 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwExtendSection Sw3NtExtendSection +__asm__("Sw3NtExtendSection: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F76CD7F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F76CD7F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterBootOption Sw3NtFilterBootOption +__asm__("Sw3NtFilterBootOption: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0048823DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0048823DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterToken Sw3NtFilterToken +__asm__("Sw3NtFilterToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D950306 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D950306 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFilterTokenEx Sw3NtFilterTokenEx +__asm__("Sw3NtFilterTokenEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00691504E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00691504E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushBuffersFileEx Sw3NtFlushBuffersFileEx +__asm__("Sw3NtFlushBuffersFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04DA38117 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04DA38117 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushInstallUILanguage Sw3NtFlushInstallUILanguage +__asm__("Sw3NtFlushInstallUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C415F3C9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C415F3C9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushInstructionCache Sw3NtFlushInstructionCache +__asm__("Sw3NtFlushInstructionCache: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069BE1567 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069BE1567 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushKey Sw3NtFlushKey +__asm__("Sw3NtFlushKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08491A72B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08491A72B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushProcessWriteBuffers Sw3NtFlushProcessWriteBuffers +__asm__("Sw3NtFlushProcessWriteBuffers: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0405C4CC4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0405C4CC4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushVirtualMemory Sw3NtFlushVirtualMemory +__asm__("Sw3NtFlushVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D964559 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D964559 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFlushWriteBuffer Sw3NtFlushWriteBuffer +__asm__("Sw3NtFlushWriteBuffer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01282CC22 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01282CC22 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreeUserPhysicalPages Sw3NtFreeUserPhysicalPages +__asm__("Sw3NtFreeUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FF61E8E2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FF61E8E2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreezeRegistry Sw3NtFreezeRegistry +__asm__("Sw3NtFreezeRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x002DA7A2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x002DA7A2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwFreezeTransactions Sw3NtFreezeTransactions +__asm__("Sw3NtFreezeTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04BDBA8CD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04BDBA8CD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCachedSigningLevel Sw3NtGetCachedSigningLevel +__asm__("Sw3NtGetCachedSigningLevel: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0989B1BA4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0989B1BA4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCompleteWnfStateSubscription Sw3NtGetCompleteWnfStateSubscription +__asm__("Sw3NtGetCompleteWnfStateSubscription: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A922E03 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A922E03 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetContextThread Sw3NtGetContextThread +__asm__("Sw3NtGetContextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E84FA6ED \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E84FA6ED \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCurrentProcessorNumber Sw3NtGetCurrentProcessorNumber +__asm__("Sw3NtGetCurrentProcessorNumber: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007AAEEF2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007AAEEF2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetCurrentProcessorNumberEx Sw3NtGetCurrentProcessorNumberEx +__asm__("Sw3NtGetCurrentProcessorNumberEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07F57B303 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07F57B303 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetDevicePowerState Sw3NtGetDevicePowerState +__asm__("Sw3NtGetDevicePowerState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08D9DED10 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08D9DED10 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetMUIRegistryInfo Sw3NtGetMUIRegistryInfo +__asm__("Sw3NtGetMUIRegistryInfo: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x084BFA417 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x084BFA417 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNextProcess Sw3NtGetNextProcess +__asm__("Sw3NtGetNextProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005AB0E34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005AB0E34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNextThread Sw3NtGetNextThread +__asm__("Sw3NtGetNextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C304109 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C304109 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNlsSectionPtr Sw3NtGetNlsSectionPtr +__asm__("Sw3NtGetNlsSectionPtr: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B512DB0E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B512DB0E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetNotificationResourceManager Sw3NtGetNotificationResourceManager +__asm__("Sw3NtGetNotificationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029BEF3F6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029BEF3F6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetWriteWatch Sw3NtGetWriteWatch +__asm__("Sw3NtGetWriteWatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E749E9DF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E749E9DF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateAnonymousToken Sw3NtImpersonateAnonymousToken +__asm__("Sw3NtImpersonateAnonymousToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06FD97754 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06FD97754 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwImpersonateThread Sw3NtImpersonateThread +__asm__("Sw3NtImpersonateThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x089284184 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x089284184 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeEnclave Sw3NtInitializeEnclave +__asm__("Sw3NtInitializeEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AB60A7C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AB60A7C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeNlsFiles Sw3NtInitializeNlsFiles +__asm__("Sw3NtInitializeNlsFiles: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x096B3A70C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x096B3A70C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitializeRegistry Sw3NtInitializeRegistry +__asm__("Sw3NtInitializeRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012990011 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012990011 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwInitiatePowerAction Sw3NtInitiatePowerAction +__asm__("Sw3NtInitiatePowerAction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C178E87 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C178E87 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsSystemResumeAutomatic Sw3NtIsSystemResumeAutomatic +__asm__("Sw3NtIsSystemResumeAutomatic: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01EB92B2E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01EB92B2E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwIsUILanguageComitted Sw3NtIsUILanguageComitted +__asm__("Sw3NtIsUILanguageComitted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0161A2485 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0161A2485 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwListenPort Sw3NtListenPort +__asm__("Sw3NtListenPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A23199FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A23199FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadDriver Sw3NtLoadDriver +__asm__("Sw3NtLoadDriver: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E447D09E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E447D09E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadEnclaveData Sw3NtLoadEnclaveData +__asm__("Sw3NtLoadEnclaveData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BD034913 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BD034913 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadHotPatch Sw3NtLoadHotPatch +__asm__("Sw3NtLoadHotPatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E4BF28EC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E4BF28EC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKey Sw3NtLoadKey +__asm__("Sw3NtLoadKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C13CC0A4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C13CC0A4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKey2 Sw3NtLoadKey2 +__asm__("Sw3NtLoadKey2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x065FDAE60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x065FDAE60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLoadKeyEx Sw3NtLoadKeyEx +__asm__("Sw3NtLoadKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B98CCC7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B98CCC7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockFile Sw3NtLockFile +__asm__("Sw3NtLockFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AD9107E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AD9107E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockProductActivationKeys Sw3NtLockProductActivationKeys +__asm__("Sw3NtLockProductActivationKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04AD7A349 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04AD7A349 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockRegistryKey Sw3NtLockRegistryKey +__asm__("Sw3NtLockRegistryKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0172102BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0172102BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwLockVirtualMemory Sw3NtLockVirtualMemory +__asm__("Sw3NtLockVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B1ADA932 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B1ADA932 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMakePermanentObject Sw3NtMakePermanentObject +__asm__("Sw3NtMakePermanentObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012BC4C11 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012BC4C11 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMakeTemporaryObject Sw3NtMakeTemporaryObject +__asm__("Sw3NtMakeTemporaryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074591ABA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074591ABA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwManagePartition Sw3NtManagePartition +__asm__("Sw3NtManagePartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00C9C6847 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00C9C6847 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapCMFModule Sw3NtMapCMFModule +__asm__("Sw3NtMapCMFModule: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x054DC6E5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x054DC6E5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapUserPhysicalPages Sw3NtMapUserPhysicalPages +__asm__("Sw3NtMapUserPhysicalPages: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09EA0B300 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09EA0B300 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMapViewOfSectionEx Sw3NtMapViewOfSectionEx +__asm__("Sw3NtMapViewOfSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0169D6260 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0169D6260 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwModifyBootEntry Sw3NtModifyBootEntry +__asm__("Sw3NtModifyBootEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0099D1D02 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0099D1D02 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwModifyDriverEntry Sw3NtModifyDriverEntry +__asm__("Sw3NtModifyDriverEntry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x031E02178 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x031E02178 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeDirectoryFile Sw3NtNotifyChangeDirectoryFile +__asm__("Sw3NtNotifyChangeDirectoryFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024B4D4EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024B4D4EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeDirectoryFileEx Sw3NtNotifyChangeDirectoryFileEx +__asm__("Sw3NtNotifyChangeDirectoryFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C05A2120 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C05A2120 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeKey Sw3NtNotifyChangeKey +__asm__("Sw3NtNotifyChangeKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA9AA900 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA9AA900 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeMultipleKeys Sw3NtNotifyChangeMultipleKeys +__asm__("Sw3NtNotifyChangeMultipleKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B433BF47 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B433BF47 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwNotifyChangeSession Sw3NtNotifyChangeSession +__asm__("Sw3NtNotifyChangeSession: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0178CD9D0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0178CD9D0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEnlistment Sw3NtOpenEnlistment +__asm__("Sw3NtOpenEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C9E33DA4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C9E33DA4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenEventPair Sw3NtOpenEventPair +__asm__("Sw3NtOpenEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EE36E41 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EE36E41 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenIoCompletion Sw3NtOpenIoCompletion +__asm__("Sw3NtOpenIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C2EDE2B3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C2EDE2B3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenJobObject Sw3NtOpenJobObject +__asm__("Sw3NtOpenJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00738FD36 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00738FD36 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyEx Sw3NtOpenKeyEx +__asm__("Sw3NtOpenKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FC7F0902 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FC7F0902 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyTransacted Sw3NtOpenKeyTransacted +__asm__("Sw3NtOpenKeyTransacted: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D09DB644 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D09DB644 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyTransactedEx Sw3NtOpenKeyTransactedEx +__asm__("Sw3NtOpenKeyTransactedEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E8D8A821 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E8D8A821 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenKeyedEvent Sw3NtOpenKeyedEvent +__asm__("Sw3NtOpenKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048CA4B5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048CA4B5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenMutant Sw3NtOpenMutant +__asm__("Sw3NtOpenMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CD8FA06E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CD8FA06E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenObjectAuditAlarm Sw3NtOpenObjectAuditAlarm +__asm__("Sw3NtOpenObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E30605C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E30605C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenPartition Sw3NtOpenPartition +__asm__("Sw3NtOpenPartition: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB441A16 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB441A16 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenPrivateNamespace Sw3NtOpenPrivateNamespace +__asm__("Sw3NtOpenPrivateNamespace: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CACEFD5D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CACEFD5D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenProcessToken Sw3NtOpenProcessToken +__asm__("Sw3NtOpenProcessToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00396888F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00396888F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenRegistryTransaction Sw3NtOpenRegistryTransaction +__asm__("Sw3NtOpenRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A1D34B5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A1D34B5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenResourceManager Sw3NtOpenResourceManager +__asm__("Sw3NtOpenResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A929FB0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A929FB0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSemaphore Sw3NtOpenSemaphore +__asm__("Sw3NtOpenSemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D8880239 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D8880239 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSession Sw3NtOpenSession +__asm__("Sw3NtOpenSession: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E05BC99 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E05BC99 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenSymbolicLinkObject Sw3NtOpenSymbolicLinkObject +__asm__("Sw3NtOpenSymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00406029B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00406029B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenThread Sw3NtOpenThread +__asm__("Sw3NtOpenThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0020050BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0020050BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTimer Sw3NtOpenTimer +__asm__("Sw3NtOpenTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x004130C89 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x004130C89 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTransaction Sw3NtOpenTransaction +__asm__("Sw3NtOpenTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D20DF2D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D20DF2D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwOpenTransactionManager Sw3NtOpenTransactionManager +__asm__("Sw3NtOpenTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0192279D1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0192279D1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPlugPlayControl Sw3NtPlugPlayControl +__asm__("Sw3NtPlugPlayControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00791E1C3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00791E1C3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrePrepareComplete Sw3NtPrePrepareComplete +__asm__("Sw3NtPrePrepareComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02CD0DB5C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02CD0DB5C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrePrepareEnlistment Sw3NtPrePrepareEnlistment +__asm__("Sw3NtPrePrepareEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00CB6CCC5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00CB6CCC5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrepareComplete Sw3NtPrepareComplete +__asm__("Sw3NtPrepareComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x048D1B28E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x048D1B28E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrepareEnlistment Sw3NtPrepareEnlistment +__asm__("Sw3NtPrepareEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0098CC9DB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0098CC9DB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegeCheck Sw3NtPrivilegeCheck +__asm__("Sw3NtPrivilegeCheck: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01AB5D195 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01AB5D195 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegeObjectAuditAlarm Sw3NtPrivilegeObjectAuditAlarm +__asm__("Sw3NtPrivilegeObjectAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D2D5D440 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D2D5D440 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPrivilegedServiceAuditAlarm Sw3NtPrivilegedServiceAuditAlarm +__asm__("Sw3NtPrivilegedServiceAuditAlarm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D6B931EE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D6B931EE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPropagationComplete Sw3NtPropagationComplete +__asm__("Sw3NtPropagationComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ACB0C7BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ACB0C7BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPropagationFailed Sw3NtPropagationFailed +__asm__("Sw3NtPropagationFailed: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02196A18A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02196A18A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPulseEvent Sw3NtPulseEvent +__asm__("Sw3NtPulseEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0020513EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0020513EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryAuxiliaryCounterFrequency Sw3NtQueryAuxiliaryCounterFrequency +__asm__("Sw3NtQueryAuxiliaryCounterFrequency: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x077470AC1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x077470AC1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryBootEntryOrder Sw3NtQueryBootEntryOrder +__asm__("Sw3NtQueryBootEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08B9E7C9A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08B9E7C9A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryBootOptions Sw3NtQueryBootOptions +__asm__("Sw3NtQueryBootOptions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A9BE4C6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A9BE4C6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDebugFilterState Sw3NtQueryDebugFilterState +__asm__("Sw3NtQueryDebugFilterState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x032903C34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x032903C34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryFileEx Sw3NtQueryDirectoryFileEx +__asm__("Sw3NtQueryDirectoryFileEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07682ACD0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07682ACD0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDirectoryObject Sw3NtQueryDirectoryObject +__asm__("Sw3NtQueryDirectoryObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04B637DD9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04B637DD9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryDriverEntryOrder Sw3NtQueryDriverEntryOrder +__asm__("Sw3NtQueryDriverEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09B396272 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09B396272 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryEaFile Sw3NtQueryEaFile +__asm__("Sw3NtQueryEaFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FDDC2DE8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FDDC2DE8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryFullAttributesFile Sw3NtQueryFullAttributesFile +__asm__("Sw3NtQueryFullAttributesFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x008B96472 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x008B96472 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationAtom Sw3NtQueryInformationAtom +__asm__("Sw3NtQueryInformationAtom: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D13DB435 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D13DB435 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationByName Sw3NtQueryInformationByName +__asm__("Sw3NtQueryInformationByName: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B8D9C539 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B8D9C539 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationEnlistment Sw3NtQueryInformationEnlistment +__asm__("Sw3NtQueryInformationEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D651E9F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D651E9F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationJobObject Sw3NtQueryInformationJobObject +__asm__("Sw3NtQueryInformationJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB44F9DA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB44F9DA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationPort Sw3NtQueryInformationPort +__asm__("Sw3NtQueryInformationPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A538AABB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A538AABB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationResourceManager Sw3NtQueryInformationResourceManager +__asm__("Sw3NtQueryInformationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01EB789B6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01EB789B6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationTransaction Sw3NtQueryInformationTransaction +__asm__("Sw3NtQueryInformationTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x076EC1431 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x076EC1431 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationTransactionManager Sw3NtQueryInformationTransactionManager +__asm__("Sw3NtQueryInformationTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x029B0E7E0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x029B0E7E0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInformationWorkerFactory Sw3NtQueryInformationWorkerFactory +__asm__("Sw3NtQueryInformationWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00C5218CF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00C5218CF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryInstallUILanguage Sw3NtQueryInstallUILanguage +__asm__("Sw3NtQueryInstallUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A8365A2B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A8365A2B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryIntervalProfile Sw3NtQueryIntervalProfile +__asm__("Sw3NtQueryIntervalProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09E3C579E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09E3C579E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryIoCompletion Sw3NtQueryIoCompletion +__asm__("Sw3NtQueryIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C96EA06 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C96EA06 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryLicenseValue Sw3NtQueryLicenseValue +__asm__("Sw3NtQueryLicenseValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07A91453E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07A91453E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryMultipleValueKey Sw3NtQueryMultipleValueKey +__asm__("Sw3NtQueryMultipleValueKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00AFB1769 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00AFB1769 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryMutant Sw3NtQueryMutant +__asm__("Sw3NtQueryMutant: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0963399A0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0963399A0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryOpenSubKeys Sw3NtQueryOpenSubKeys +__asm__("Sw3NtQueryOpenSubKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0EEBBE53D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0EEBBE53D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryOpenSubKeysEx Sw3NtQueryOpenSubKeysEx +__asm__("Sw3NtQueryOpenSubKeysEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00B87C6D3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00B87C6D3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryPortInformationProcess Sw3NtQueryPortInformationProcess +__asm__("Sw3NtQueryPortInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0772C96B0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0772C96B0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryQuotaInformationFile Sw3NtQueryQuotaInformationFile +__asm__("Sw3NtQueryQuotaInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010947812 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010947812 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityAttributesToken Sw3NtQuerySecurityAttributesToken +__asm__("Sw3NtQuerySecurityAttributesToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C95FC9FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C95FC9FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityObject Sw3NtQuerySecurityObject +__asm__("Sw3NtQuerySecurityObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08BB5B9FB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08BB5B9FB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySecurityPolicy Sw3NtQuerySecurityPolicy +__asm__("Sw3NtQuerySecurityPolicy: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x091ABB6F7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x091ABB6F7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySemaphore Sw3NtQuerySemaphore +__asm__("Sw3NtQuerySemaphore: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08716AD59 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08716AD59 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySymbolicLinkObject Sw3NtQuerySymbolicLinkObject +__asm__("Sw3NtQuerySymbolicLinkObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x086B9BEF5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x086B9BEF5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemEnvironmentValue Sw3NtQuerySystemEnvironmentValue +__asm__("Sw3NtQuerySystemEnvironmentValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0069D86B6 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0069D86B6 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemEnvironmentValueEx Sw3NtQuerySystemEnvironmentValueEx +__asm__("Sw3NtQuerySystemEnvironmentValueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0002A4CFF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0002A4CFF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemInformationEx Sw3NtQuerySystemInformationEx +__asm__("Sw3NtQuerySystemInformationEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010EA582A \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010EA582A \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryTimerResolution Sw3NtQueryTimerResolution +__asm__("Sw3NtQueryTimerResolution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x012081297 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x012081297 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryWnfStateData Sw3NtQueryWnfStateData +__asm__("Sw3NtQueryWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C685D537 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C685D537 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueryWnfStateNameInformation Sw3NtQueryWnfStateNameInformation +__asm__("Sw3NtQueryWnfStateNameInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018037A0F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018037A0F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQueueApcThreadEx Sw3NtQueueApcThreadEx +__asm__("Sw3NtQueueApcThreadEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x055B8097C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x055B8097C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRaiseException Sw3NtRaiseException +__asm__("Sw3NtRaiseException: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00892543F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00892543F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRaiseHardError Sw3NtRaiseHardError +__asm__("Sw3NtRaiseHardError: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D651D7C2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D651D7C2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReadOnlyEnlistment Sw3NtReadOnlyEnlistment +__asm__("Sw3NtReadOnlyEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069D16043 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069D16043 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverEnlistment Sw3NtRecoverEnlistment +__asm__("Sw3NtRecoverEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x071EE9685 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x071EE9685 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverResourceManager Sw3NtRecoverResourceManager +__asm__("Sw3NtRecoverResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x069B70354 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x069B70354 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRecoverTransactionManager Sw3NtRecoverTransactionManager +__asm__("Sw3NtRecoverTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06BB46528 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06BB46528 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRegisterProtocolAddressInformation Sw3NtRegisterProtocolAddressInformation +__asm__("Sw3NtRegisterProtocolAddressInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01FB52134 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01FB52134 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRegisterThreadTerminatePort Sw3NtRegisterThreadTerminatePort +__asm__("Sw3NtRegisterThreadTerminatePort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AA3EA3A2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AA3EA3A2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseKeyedEvent Sw3NtReleaseKeyedEvent +__asm__("Sw3NtReleaseKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EE15774 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EE15774 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseWorkerFactoryWorker Sw3NtReleaseWorkerFactoryWorker +__asm__("Sw3NtReleaseWorkerFactoryWorker: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x094A3F471 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x094A3F471 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveIoCompletionEx Sw3NtRemoveIoCompletionEx +__asm__("Sw3NtRemoveIoCompletionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06CCEA288 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06CCEA288 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRemoveProcessDebug Sw3NtRemoveProcessDebug +__asm__("Sw3NtRemoveProcessDebug: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04024538C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04024538C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRenameKey Sw3NtRenameKey +__asm__("Sw3NtRenameKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06AFA85AD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06AFA85AD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRenameTransactionManager Sw3NtRenameTransactionManager +__asm__("Sw3NtRenameTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0633CAD60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0633CAD60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplaceKey Sw3NtReplaceKey +__asm__("Sw3NtReplaceKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EE37B7F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EE37B7F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplacePartitionUnit Sw3NtReplacePartitionUnit +__asm__("Sw3NtReplacePartitionUnit: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F778C9F1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F778C9F1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReplyWaitReplyPort Sw3NtReplyWaitReplyPort +__asm__("Sw3NtReplyWaitReplyPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x062F05F50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x062F05F50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestPort Sw3NtRequestPort +__asm__("Sw3NtRequestPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06EF0676E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06EF0676E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResetEvent Sw3NtResetEvent +__asm__("Sw3NtResetEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08A2195B2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08A2195B2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResetWriteWatch Sw3NtResetWriteWatch +__asm__("Sw3NtResetWriteWatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01C429076 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01C429076 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRestoreKey Sw3NtRestoreKey +__asm__("Sw3NtRestoreKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EAA1F50 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EAA1F50 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwResumeProcess Sw3NtResumeProcess +__asm__("Sw3NtResumeProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D12F37BA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D12F37BA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRevertContainerImpersonation Sw3NtRevertContainerImpersonation +__asm__("Sw3NtRevertContainerImpersonation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EC85E5F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EC85E5F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackComplete Sw3NtRollbackComplete +__asm__("Sw3NtRollbackComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0964B681E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0964B681E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackEnlistment Sw3NtRollbackEnlistment +__asm__("Sw3NtRollbackEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F96E984 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F96E984 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackRegistryTransaction Sw3NtRollbackRegistryTransaction +__asm__("Sw3NtRollbackRegistryTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02CA8701B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02CA8701B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackTransaction Sw3NtRollbackTransaction +__asm__("Sw3NtRollbackTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00D450DD4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00D450DD4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollforwardTransactionManager Sw3NtRollforwardTransactionManager +__asm__("Sw3NtRollforwardTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x005C180D2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x005C180D2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveKey Sw3NtSaveKey +__asm__("Sw3NtSaveKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066FE5744 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066FE5744 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveKeyEx Sw3NtSaveKeyEx +__asm__("Sw3NtSaveKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x031BBFDCF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x031BBFDCF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSaveMergedKeys Sw3NtSaveMergedKeys +__asm__("Sw3NtSaveMergedKeys: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02AB6171D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02AB6171D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSecureConnectPort Sw3NtSecureConnectPort +__asm__("Sw3NtSecureConnectPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DE4DC7A0 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DE4DC7A0 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSerializeBoot Sw3NtSerializeBoot +__asm__("Sw3NtSerializeBoot: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0329C2233 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0329C2233 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetBootEntryOrder Sw3NtSetBootEntryOrder +__asm__("Sw3NtSetBootEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x073CD5B57 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x073CD5B57 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetBootOptions Sw3NtSetBootOptions +__asm__("Sw3NtSetBootOptions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x017953D01 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x017953D01 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetCachedSigningLevel Sw3NtSetCachedSigningLevel +__asm__("Sw3NtSetCachedSigningLevel: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0207226C3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0207226C3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetCachedSigningLevel2 Sw3NtSetCachedSigningLevel2 +__asm__("Sw3NtSetCachedSigningLevel2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E3526281 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E3526281 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetContextThread Sw3NtSetContextThread +__asm__("Sw3NtSetContextThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x034963C39 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x034963C39 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDebugFilterState Sw3NtSetDebugFilterState +__asm__("Sw3NtSetDebugFilterState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0229809D4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0229809D4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultHardErrorPort Sw3NtSetDefaultHardErrorPort +__asm__("Sw3NtSetDefaultHardErrorPort: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024B75F38 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024B75F38 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultLocale Sw3NtSetDefaultLocale +__asm__("Sw3NtSetDefaultLocale: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x043DE7109 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x043DE7109 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDefaultUILanguage Sw3NtSetDefaultUILanguage +__asm__("Sw3NtSetDefaultUILanguage: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A91B6FBA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A91B6FBA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetDriverEntryOrder Sw3NtSetDriverEntryOrder +__asm__("Sw3NtSetDriverEntryOrder: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0218D1735 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0218D1735 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetEaFile Sw3NtSetEaFile +__asm__("Sw3NtSetEaFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03E6540BD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03E6540BD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetHighEventPair Sw3NtSetHighEventPair +__asm__("Sw3NtSetHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074CC93A2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074CC93A2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetHighWaitLowEventPair Sw3NtSetHighWaitLowEventPair +__asm__("Sw3NtSetHighWaitLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00EB0323D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00EB0323D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIRTimer Sw3NtSetIRTimer +__asm__("Sw3NtSetIRTimer: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x027973716 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x027973716 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationDebugObject Sw3NtSetInformationDebugObject +__asm__("Sw3NtSetInformationDebugObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x068559059 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x068559059 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationEnlistment Sw3NtSetInformationEnlistment +__asm__("Sw3NtSetInformationEnlistment: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0099B2C2D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0099B2C2D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationJobObject Sw3NtSetInformationJobObject +__asm__("Sw3NtSetInformationJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FF54C7D8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FF54C7D8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationKey Sw3NtSetInformationKey +__asm__("Sw3NtSetInformationKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0AE9B3988 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0AE9B3988 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationResourceManager Sw3NtSetInformationResourceManager +__asm__("Sw3NtSetInformationResourceManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00531159C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00531159C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationSymbolicLink Sw3NtSetInformationSymbolicLink +__asm__("Sw3NtSetInformationSymbolicLink: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F357F3C1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F357F3C1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationToken Sw3NtSetInformationToken +__asm__("Sw3NtSetInformationToken: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07355266E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07355266E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationTransaction Sw3NtSetInformationTransaction +__asm__("Sw3NtSetInformationTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04886065F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04886065F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationTransactionManager Sw3NtSetInformationTransactionManager +__asm__("Sw3NtSetInformationTransactionManager: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BB65C7A8 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BB65C7A8 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationVirtualMemory Sw3NtSetInformationVirtualMemory +__asm__("Sw3NtSetInformationVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FB90F506 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FB90F506 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationWorkerFactory Sw3NtSetInformationWorkerFactory +__asm__("Sw3NtSetInformationWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DB4AD3C5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DB4AD3C5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIntervalProfile Sw3NtSetIntervalProfile +__asm__("Sw3NtSetIntervalProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F4BF6DBB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F4BF6DBB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIoCompletion Sw3NtSetIoCompletion +__asm__("Sw3NtSetIoCompletion: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03EA41FF3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03EA41FF3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetIoCompletionEx Sw3NtSetIoCompletionEx +__asm__("Sw3NtSetIoCompletionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A156DDD2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A156DDD2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLdtEntries Sw3NtSetLdtEntries +__asm__("Sw3NtSetLdtEntries: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02A81C395 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02A81C395 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLowEventPair Sw3NtSetLowEventPair +__asm__("Sw3NtSetLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05EB2462B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05EB2462B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetLowWaitHighEventPair Sw3NtSetLowWaitHighEventPair +__asm__("Sw3NtSetLowWaitHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x02232329B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x02232329B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetQuotaInformationFile Sw3NtSetQuotaInformationFile +__asm__("Sw3NtSetQuotaInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0DE5F0418 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0DE5F0418 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSecurityObject Sw3NtSetSecurityObject +__asm__("Sw3NtSetSecurityObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0FA40C2CC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0FA40C2CC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemEnvironmentValue Sw3NtSetSystemEnvironmentValue +__asm__("Sw3NtSetSystemEnvironmentValue: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03C972B1C \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03C972B1C \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemEnvironmentValueEx Sw3NtSetSystemEnvironmentValueEx +__asm__("Sw3NtSetSystemEnvironmentValueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0978AC356 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0978AC356 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemInformation Sw3NtSetSystemInformation +__asm__("Sw3NtSetSystemInformation: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0349A4F8F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0349A4F8F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemPowerState Sw3NtSetSystemPowerState +__asm__("Sw3NtSetSystemPowerState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01CA3F6D2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01CA3F6D2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetSystemTime Sw3NtSetSystemTime +__asm__("Sw3NtSetSystemTime: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x086A2D69F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x086A2D69F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetThreadExecutionState Sw3NtSetThreadExecutionState +__asm__("Sw3NtSetThreadExecutionState: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09D966489 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09D966489 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimer2 Sw3NtSetTimer2 +__asm__("Sw3NtSetTimer2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01DA4DA2D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01DA4DA2D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimerEx Sw3NtSetTimerEx +__asm__("Sw3NtSetTimerEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x026B9998E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x026B9998E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetTimerResolution Sw3NtSetTimerResolution +__asm__("Sw3NtSetTimerResolution: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03CAB3C3D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03CAB3C3D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetUuidSeed Sw3NtSetUuidSeed +__asm__("Sw3NtSetUuidSeed: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F1CF72F3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F1CF72F3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetVolumeInformationFile Sw3NtSetVolumeInformationFile +__asm__("Sw3NtSetVolumeInformationFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A9CC2BA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A9CC2BA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetWnfProcessNotificationEvent Sw3NtSetWnfProcessNotificationEvent +__asm__("Sw3NtSetWnfProcessNotificationEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03924D47D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03924D47D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwShutdownSystem Sw3NtShutdownSystem +__asm__("Sw3NtShutdownSystem: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x090BC8003 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x090BC8003 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwShutdownWorkerFactory Sw3NtShutdownWorkerFactory +__asm__("Sw3NtShutdownWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08C02BABA \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08C02BABA \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSignalAndWaitForSingleObject Sw3NtSignalAndWaitForSingleObject +__asm__("Sw3NtSignalAndWaitForSingleObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07CA8145F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07CA8145F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSinglePhaseReject Sw3NtSinglePhaseReject +__asm__("Sw3NtSinglePhaseReject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x03E850E39 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x03E850E39 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStartProfile Sw3NtStartProfile +__asm__("Sw3NtStartProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC9D0F3B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC9D0F3B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStopProfile Sw3NtStopProfile +__asm__("Sw3NtStopProfile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x010B49B84 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x010B49B84 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSubscribeWnfStateChange Sw3NtSubscribeWnfStateChange +__asm__("Sw3NtSubscribeWnfStateChange: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC5EFDC4 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC5EFDC4 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSuspendProcess Sw3NtSuspendProcess +__asm__("Sw3NtSuspendProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C6BBDF57 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C6BBDF57 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSuspendThread Sw3NtSuspendThread +__asm__("Sw3NtSuspendThread: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x014B83629 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x014B83629 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSystemDebugControl Sw3NtSystemDebugControl +__asm__("Sw3NtSystemDebugControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x047D16953 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x047D16953 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateEnclave Sw3NtTerminateEnclave +__asm__("Sw3NtTerminateEnclave: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00EC2F49E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00EC2F49E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTerminateJobObject Sw3NtTerminateJobObject +__asm__("Sw3NtTerminateJobObject: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07EA07C3D \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07EA07C3D \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTestAlert Sw3NtTestAlert +__asm__("Sw3NtTestAlert: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F2C58F34 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F2C58F34 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwThawRegistry Sw3NtThawRegistry +__asm__("Sw3NtThawRegistry: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x024AE2623 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x024AE2623 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwThawTransactions Sw3NtThawTransactions +__asm__("Sw3NtThawTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0CC1ED09E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0CC1ED09E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTraceControl Sw3NtTraceControl +__asm__("Sw3NtTraceControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0BF914486 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0BF914486 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwTranslateFilePath Sw3NtTranslateFilePath +__asm__("Sw3NtTranslateFilePath: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0721347BE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0721347BE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUmsThreadYield Sw3NtUmsThreadYield +__asm__("Sw3NtUmsThreadYield: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x007BB766F \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x007BB766F \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadDriver Sw3NtUnloadDriver +__asm__("Sw3NtUnloadDriver: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x018AB3010 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x018AB3010 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKey Sw3NtUnloadKey +__asm__("Sw3NtUnloadKey: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0082969B1 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0082969B1 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKey2 Sw3NtUnloadKey2 +__asm__("Sw3NtUnloadKey2: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B92132FC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B92132FC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnloadKeyEx Sw3NtUnloadKeyEx +__asm__("Sw3NtUnloadKeyEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x07B98ADC5 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x07B98ADC5 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnlockFile Sw3NtUnlockFile +__asm__("Sw3NtUnlockFile: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x009990733 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x009990733 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnlockVirtualMemory Sw3NtUnlockVirtualMemory +__asm__("Sw3NtUnlockVirtualMemory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00A5B00DB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00A5B00DB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnmapViewOfSectionEx Sw3NtUnmapViewOfSectionEx +__asm__("Sw3NtUnmapViewOfSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09A91C446 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09A91C446 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUnsubscribeWnfStateChange Sw3NtUnsubscribeWnfStateChange +__asm__("Sw3NtUnsubscribeWnfStateChange: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0D344D0DD \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0D344D0DD \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwUpdateWnfStateData Sw3NtUpdateWnfStateData +__asm__("Sw3NtUpdateWnfStateData: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x066C9F2FE \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x066C9F2FE \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwVdmControl Sw3NtVdmControl +__asm__("Sw3NtVdmControl: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x09F93E505 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x09F93E505 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForAlertByThreadId Sw3NtWaitForAlertByThreadId +__asm__("Sw3NtWaitForAlertByThreadId: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0ACB3E812 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0ACB3E812 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForDebugEvent Sw3NtWaitForDebugEvent +__asm__("Sw3NtWaitForDebugEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x01085371E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x01085371E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForKeyedEvent Sw3NtWaitForKeyedEvent +__asm__("Sw3NtWaitForKeyedEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B73DA6BB \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B73DA6BB \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForWorkViaWorkerFactory Sw3NtWaitForWorkViaWorkerFactory +__asm__("Sw3NtWaitForWorkViaWorkerFactory: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x044954E00 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x044954E00 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitHighEventPair Sw3NtWaitHighEventPair +__asm__("Sw3NtWaitHighEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08315B9B2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08315B9B2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitLowEventPair Sw3NtWaitLowEventPair +__asm__("Sw3NtWaitLowEventPair: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F4B1D4EF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F4B1D4EF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwAcquireCMFViewOwnership Sw3NtAcquireCMFViewOwnership +__asm__("Sw3NtAcquireCMFViewOwnership: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x04E131538 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x04E131538 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCancelDeviceWakeupRequest Sw3NtCancelDeviceWakeupRequest +__asm__("Sw3NtCancelDeviceWakeupRequest: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x041CF4952 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x041CF4952 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearAllSavepointsTransaction Sw3NtClearAllSavepointsTransaction +__asm__("Sw3NtClearAllSavepointsTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x05D0961A3 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x05D0961A3 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwClearSavepointTransaction Sw3NtClearSavepointTransaction +__asm__("Sw3NtClearSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0A206BCAF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0A206BCAF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRollbackSavepointTransaction Sw3NtRollbackSavepointTransaction +__asm__("Sw3NtRollbackSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08099DE55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08099DE55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSavepointTransaction Sw3NtSavepointTransaction +__asm__("Sw3NtSavepointTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0174CD316 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0174CD316 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSavepointComplete Sw3NtSavepointComplete +__asm__("Sw3NtSavepointComplete: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E9569349 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E9569349 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateSectionEx Sw3NtCreateSectionEx +__asm__("Sw3NtCreateSectionEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x08694D44E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x08694D44E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwCreateCrossVmEvent Sw3NtCreateCrossVmEvent +__asm__("Sw3NtCreateCrossVmEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C60CCF98 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C60CCF98 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwGetPlugPlayEvent Sw3NtGetPlugPlayEvent +__asm__("Sw3NtGetPlugPlayEvent: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0124DF03B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0124DF03B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwListTransactions Sw3NtListTransactions +__asm__("Sw3NtListTransactions: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x00F5D17D7 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x00F5D17D7 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwMarshallTransaction Sw3NtMarshallTransaction +__asm__("Sw3NtMarshallTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x074AA567B \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x074AA567B \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwPullTransaction Sw3NtPullTransaction +__asm__("Sw3NtPullTransaction: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C881EE55 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C881EE55 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwReleaseCMFViewOwnership Sw3NtReleaseCMFViewOwnership +__asm__("Sw3NtReleaseCMFViewOwnership: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0808559CF \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0808559CF \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwWaitForWnfNotifications Sw3NtWaitForWnfNotifications +__asm__("Sw3NtWaitForWnfNotifications: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0C5893EE2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0C5893EE2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwStartTm Sw3NtStartTm +__asm__("Sw3NtStartTm: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0539E1B22 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0539E1B22 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwSetInformationProcess Sw3NtSetInformationProcess +__asm__("Sw3NtSetInformationProcess: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x06739AA60 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x06739AA60 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestDeviceWakeup Sw3NtRequestDeviceWakeup +__asm__("Sw3NtRequestDeviceWakeup: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x045A10570 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x045A10570 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwRequestWakeupLatency Sw3NtRequestWakeupLatency +__asm__("Sw3NtRequestWakeupLatency: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x001095ECC \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x001095ECC \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwQuerySystemTime Sw3NtQuerySystemTime +__asm__("Sw3NtQuerySystemTime: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0E96EBE5E \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0E96EBE5E \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwManageHotPatch Sw3NtManageHotPatch +__asm__("Sw3NtManageHotPatch: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0B0AD6FE9 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0B0AD6FE9 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#define Sw3ZwContinueEx Sw3NtContinueEx +__asm__("Sw3NtContinueEx: \n\ +mov [rsp +8], rcx \n\ +mov [rsp+16], rdx \n\ +mov [rsp+24], r8 \n\ +mov [rsp+32], r9 \n\ +sub rsp, 0x28 \n\ +mov ecx, 0x0F34DB5F2 \n\ +call SW3_GetSyscallAddress \n\ +mov r11, rax \n\ +mov ecx, 0x0F34DB5F2 \n\ +call SW3_GetSyscallNumber \n\ +add rsp, 0x28 \n\ +mov rcx, [rsp+8] \n\ +mov rdx, [rsp+16] \n\ +mov r8, [rsp+24] \n\ +mov r9, [rsp+32] \n\ +mov r10, rcx \n\ +jmp r11 \n\ +"); + +#endif diff --git a/syscalls.c.template b/syscalls.c.template new file mode 100644 index 0000000..0e21d2e --- /dev/null +++ b/syscalls.c.template @@ -0,0 +1,306 @@ +#include "syscalls.h" + +//#define DEBUG + +#define JUMPER + +#ifdef _M_IX86 + +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID) { + return (PVOID)__readfsdword(0xC0); +} + +__declspec(naked) BOOL local_is_wow64(void) +{ + __asm { + mov eax, fs:[0xc0] + test eax, eax + jne wow64 + mov eax, 0 + ret + wow64: + mov eax, 1 + ret + } +} + + +#endif + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +SW3_SYSCALL_LIST SW3_SyscallList; + +// SEARCH_AND_REPLACE +#ifdef SEARCH_AND_REPLACE +// THIS IS NOT DEFINED HERE; don't know if I'll add it in a future release +EXTERN void SearchAndReplace(unsigned char[], unsigned char[]); +#endif + +DWORD SW3_HashSyscall(PCSTR FunctionName) +{ + DWORD i = 0; + DWORD Hash = SW3_SEED; + + while (FunctionName[i]) + { + WORD PartialName = *(WORD*)((ULONG_PTR)FunctionName + i++); + Hash ^= PartialName + SW3_ROR8(Hash); + } + + return Hash; +} + +#ifndef JUMPER +PVOID SC_Address(PVOID NtApiAddress) +{ + return NULL; +} +#else +PVOID SC_Address(PVOID NtApiAddress) +{ + DWORD searchLimit = 512; + PVOID SyscallAddress; + + #ifdef _WIN64 + // If the process is 64-bit on a 64-bit OS, we need to search for syscall + BYTE syscall_code[] = { 0x0f, 0x05, 0xc3 }; + ULONG distance_to_syscall = 0x12; + #else + // If the process is 32-bit on a 32-bit OS, we need to search for sysenter + BYTE syscall_code[] = { 0x0f, 0x34, 0xc3 }; + ULONG distance_to_syscall = 0x0f; + #endif + + #ifdef _M_IX86 + // If the process is 32-bit on a 64-bit OS, we need to jump to WOW32Reserved + if (local_is_wow64()) + { + #ifdef DEBUG + // printf("[+] Running 32-bit app on x64 (WOW64)\n"); + #endif + return NULL; + } + #endif + + // we don't really care if there is a 'jmp' between + // NtApiAddress and the 'syscall; ret' instructions + SyscallAddress = SW3_RVA2VA(PVOID, NtApiAddress, distance_to_syscall); + + int match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // the 'syscall; ret' intructions have not been found, + // we will try to use one near it, similarly to HalosGate + + for (ULONG32 num_jumps = 1; num_jumps < searchLimit; num_jumps++) + { + // let's try with an Nt* API below our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall + num_jumps * 0x20); + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + + // let's try with an Nt* API above our syscall + SyscallAddress = SW3_RVA2VA( + PVOID, + NtApiAddress, + distance_to_syscall - num_jumps * 0x20); + + match = 1; // Assume a match initially + for (size_t i = 0; i < sizeof(syscall_code); i++) { + if (((BYTE*)syscall_code)[i] != ((BYTE*)SyscallAddress)[i]) { + match = 0; // Set match to 0 if any byte doesn't match + break; + } + } + + if (match) { + // we can use the original code for this system call :) + #if defined(DEBUG) + // printf("Found Syscall Opcodes at address 0x%p\n", SyscallAddress); + #endif + return SyscallAddress; + } + } + +#ifdef DEBUG + // printf("Syscall Opcodes not found!\n"); +#endif + + return NULL; +} +#endif + + +BOOL SW3_PopulateSyscallList() +{ + // Return early if the list is already populated. + if (SW3_SyscallList.Count) return TRUE; + + #ifdef _WIN64 + PSW3_PEB Peb = (PSW3_PEB)__readgsqword(0x60); + #else + PSW3_PEB Peb = (PSW3_PEB)__readfsdword(0x30); + #endif + PSW3_PEB_LDR_DATA Ldr = Peb->Ldr; + PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL; + PVOID DllBase = NULL; + + // Get the DllBase address of NTDLL.dll. NTDLL is not guaranteed to be the second + // in the list, so it's safer to loop through the full list and find it. + PSW3_LDR_DATA_TABLE_ENTRY LdrEntry; + for (LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)Ldr->Reserved2[1]; LdrEntry->DllBase != NULL; LdrEntry = (PSW3_LDR_DATA_TABLE_ENTRY)LdrEntry->Reserved1[0]) + { + DllBase = LdrEntry->DllBase; + PIMAGE_DOS_HEADER DosHeader = (PIMAGE_DOS_HEADER)DllBase; + PIMAGE_NT_HEADERS NtHeaders = SW3_RVA2VA(PIMAGE_NT_HEADERS, DllBase, DosHeader->e_lfanew); + PIMAGE_DATA_DIRECTORY DataDirectory = (PIMAGE_DATA_DIRECTORY)NtHeaders->OptionalHeader.DataDirectory; + DWORD VirtualAddress = DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress; + if (VirtualAddress == 0) continue; + + ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)SW3_RVA2VA(ULONG_PTR, DllBase, VirtualAddress); + + // If this is NTDLL.dll, exit loop. + PCHAR DllName = SW3_RVA2VA(PCHAR, DllBase, ExportDirectory->Name); + + if ((*(ULONG*)DllName | 0x20202020) != 0x6c64746e) continue; + if ((*(ULONG*)(DllName + 4) | 0x20202020) == 0x6c642e6c) break; + } + + if (!ExportDirectory) return FALSE; + + DWORD NumberOfNames = ExportDirectory->NumberOfNames; + PDWORD Functions = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfFunctions); + PDWORD Names = SW3_RVA2VA(PDWORD, DllBase, ExportDirectory->AddressOfNames); + PWORD Ordinals = SW3_RVA2VA(PWORD, DllBase, ExportDirectory->AddressOfNameOrdinals); + + // Populate SW3_SyscallList with unsorted Zw* entries. + DWORD i = 0; + PSW3_SYSCALL_ENTRY Entries = SW3_SyscallList.Entries; + do + { + PCHAR FunctionName = SW3_RVA2VA(PCHAR, DllBase, Names[NumberOfNames - 1]); + + // Is this a system call? + if (*(USHORT*)FunctionName == 0x775a) + { + Entries[i].Hash = SW3_HashSyscall(FunctionName); + Entries[i].Address = Functions[Ordinals[NumberOfNames - 1]]; + Entries[i].SyscallAddress = SC_Address(SW3_RVA2VA(PVOID, DllBase, Entries[i].Address)); + + i++; + if (i == SW3_MAX_ENTRIES) break; + } + } while (--NumberOfNames); + + // Save total number of system calls found. + SW3_SyscallList.Count = i; + + // Sort the list by address in ascending order. + for (DWORD i = 0; i < SW3_SyscallList.Count - 1; i++) + { + for (DWORD j = 0; j < SW3_SyscallList.Count - i - 1; j++) + { + if (Entries[j].Address > Entries[j + 1].Address) + { + // Swap entries. + SW3_SYSCALL_ENTRY TempEntry; + + TempEntry.Hash = Entries[j].Hash; + TempEntry.Address = Entries[j].Address; + TempEntry.SyscallAddress = Entries[j].SyscallAddress; + + Entries[j].Hash = Entries[j + 1].Hash; + Entries[j].Address = Entries[j + 1].Address; + Entries[j].SyscallAddress = Entries[j + 1].SyscallAddress; + + Entries[j + 1].Hash = TempEntry.Hash; + Entries[j + 1].Address = TempEntry.Address; + Entries[j + 1].SyscallAddress = TempEntry.SyscallAddress; + } + } + } + + return TRUE; +} + +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return -1; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return i; + } + } + + return -1; +} + +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + for (DWORD i = 0; i < SW3_SyscallList.Count; i++) + { + if (FunctionHash == SW3_SyscallList.Entries[i].Hash) + { + return SW3_SyscallList.Entries[i].SyscallAddress; + } + } + + return NULL; +} + +DWORD LCG() { + static DWORD seed = 123987654; + return (seed >> 16) & 0x7FFF; // return a pseudo-random number +} + +EXTERN_C PVOID SW3_GetRandomSyscallAddress(DWORD FunctionHash) +{ + // Ensure SW3_SyscallList is populated. + if (!SW3_PopulateSyscallList()) return NULL; + + DWORD index = LCG() % SW3_SyscallList.Count; + + while (FunctionHash == SW3_SyscallList.Entries[index].Hash){ + // Spoofing the syscall return address + index = LCG() % SW3_SyscallList.Count; + } + return SW3_SyscallList.Entries[index].SyscallAddress; +} diff --git a/syscalls.h.template b/syscalls.h.template new file mode 100644 index 0000000..6b34646 --- /dev/null +++ b/syscalls.h.template @@ -0,0 +1,4056 @@ +#pragma once + +// Code below is adapted from @modexpblog. Read linked article for more details. +// https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams + +#ifndef SW3_HEADER_H_ +#define SW3_HEADER_H_ + +#include + +#ifndef _NTDEF_ +typedef _Return_type_success_(return >= 0) LONG NTSTATUS; +typedef NTSTATUS* PNTSTATUS; +#endif + +#define SW3_SEED 0xCC6A5286 +#define SW3_ROL8(v) (v << 8 | v >> 24) +#define SW3_ROR8(v) (v >> 8 | v << 24) +#define SW3_ROX8(v) ((SW3_SEED % 2) ? SW3_ROL8(v) : SW3_ROR8(v)) +#define SW3_MAX_ENTRIES 600 +#define SW3_RVA2VA(Type, DllBase, Rva) (Type)((ULONG_PTR) DllBase + Rva) + +// Typedefs are prefixed to avoid pollution. + +typedef struct _SW3_SYSCALL_ENTRY +{ + DWORD Hash; + DWORD Address; + PVOID SyscallAddress; +} SW3_SYSCALL_ENTRY, *PSW3_SYSCALL_ENTRY; + +typedef struct _SW3_SYSCALL_LIST +{ + DWORD Count; + SW3_SYSCALL_ENTRY Entries[SW3_MAX_ENTRIES]; +} SW3_SYSCALL_LIST, *PSW3_SYSCALL_LIST; + +typedef struct _SW3_PEB_LDR_DATA { + BYTE Reserved1[8]; + PVOID Reserved2[3]; + LIST_ENTRY InMemoryOrderModuleList; +} SW3_PEB_LDR_DATA, *PSW3_PEB_LDR_DATA; + +typedef struct _SW3_LDR_DATA_TABLE_ENTRY { + PVOID Reserved1[2]; + LIST_ENTRY InMemoryOrderLinks; + PVOID Reserved2[2]; + PVOID DllBase; +} SW3_LDR_DATA_TABLE_ENTRY, *PSW3_LDR_DATA_TABLE_ENTRY; + +typedef struct _SW3_PEB { + BYTE Reserved1[2]; + BYTE BeingDebugged; + BYTE Reserved2[1]; + PVOID Reserved3[2]; + PSW3_PEB_LDR_DATA Ldr; +} SW3_PEB, *PSW3_PEB; + +DWORD SW3_HashSyscall(PCSTR FunctionName); +BOOL SW3_PopulateSyscallList(); +EXTERN_C DWORD SW3_GetSyscallNumber(DWORD FunctionHash); +EXTERN_C PVOID SW3_GetSyscallAddress(DWORD FunctionHash); +EXTERN_C PVOID internal_cleancall_wow64_gate(VOID); +typedef struct _UNICODE_STRING +{ + USHORT Length; + USHORT MaximumLength; + PWSTR Buffer; +} UNICODE_STRING, *PUNICODE_STRING; + +typedef struct _SYSTEM_HANDLE +{ + ULONG ProcessId; + BYTE ObjectTypeNumber; + BYTE Flags; + USHORT Handle; + PVOID Object; + ACCESS_MASK GrantedAccess; +} SYSTEM_HANDLE, *PSYSTEM_HANDLE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE +{ + PVOID pValue; + ULONG ValueLength; +} TOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE +{ + ULONG64 Version; + UNICODE_STRING Name; +} TOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE, *PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE; + +typedef struct _WNF_TYPE_ID +{ + GUID TypeId; +} WNF_TYPE_ID, *PWNF_TYPE_ID; + +typedef enum _KCONTINUE_TYPE +{ + KCONTINUE_UNWIND, + KCONTINUE_RESUME, + KCONTINUE_LONGJUMP, + KCONTINUE_SET, + KCONTINUE_LAST +} KCONTINUE_TYPE; + +typedef struct _IO_STATUS_BLOCK +{ + union + { + NTSTATUS Status; + VOID* Pointer; + }; + ULONG_PTR Information; +} IO_STATUS_BLOCK, *PIO_STATUS_BLOCK; + +typedef enum _PS_CREATE_STATE +{ + PsCreateInitialState, + PsCreateFailOnFileOpen, + PsCreateFailOnSectionCreate, + PsCreateFailExeFormat, + PsCreateFailMachineMismatch, + PsCreateFailExeName, + PsCreateSuccess, + PsCreateMaximumStates +} PS_CREATE_STATE, *PPS_CREATE_STATE; + +typedef struct _SYSTEM_HANDLE_INFORMATION +{ + ULONG HandleCount; + SYSTEM_HANDLE Handles[1]; +} SYSTEM_HANDLE_INFORMATION, *PSYSTEM_HANDLE_INFORMATION; + +typedef struct _CLIENT_ID +{ + HANDLE UniqueProcess; + HANDLE UniqueThread; +} CLIENT_ID, *PCLIENT_ID; + +typedef enum _PLUGPLAY_EVENT_CATEGORY +{ + HardwareProfileChangeEvent, + TargetDeviceChangeEvent, + DeviceClassChangeEvent, + CustomDeviceEvent, + DeviceInstallEvent, + DeviceArrivalEvent, + PowerEvent, + VetoEvent, + BlockedDriverEvent, + InvalidIDEvent, + MaxPlugEventCategory +} PLUGPLAY_EVENT_CATEGORY, *PPLUGPLAY_EVENT_CATEGORY; + +typedef enum _PNP_VETO_TYPE +{ + PNP_VetoTypeUnknown, // unspecified + PNP_VetoLegacyDevice, // instance path + PNP_VetoPendingClose, // instance path + PNP_VetoWindowsApp, // module + PNP_VetoWindowsService, // service + PNP_VetoOutstandingOpen, // instance path + PNP_VetoDevice, // instance path + PNP_VetoDriver, // driver service name + PNP_VetoIllegalDeviceRequest, // instance path + PNP_VetoInsufficientPower, // unspecified + PNP_VetoNonDisableable, // instance path + PNP_VetoLegacyDriver, // service + PNP_VetoInsufficientRights // unspecified +} PNP_VETO_TYPE, *PPNP_VETO_TYPE; + +typedef struct _TOKEN_SECURITY_ATTRIBUTE_V1 +{ + UNICODE_STRING Name; + USHORT ValueType; + USHORT Reserved; + ULONG Flags; + ULONG ValueCount; + union + { + PLONG64 pInt64; + PULONG64 pUint64; + PUNICODE_STRING pString; + PTOKEN_SECURITY_ATTRIBUTE_FQBN_VALUE pFqbn; + PTOKEN_SECURITY_ATTRIBUTE_OCTET_STRING_VALUE pOctetString; + } Values; +} TOKEN_SECURITY_ATTRIBUTE_V1, *PTOKEN_SECURITY_ATTRIBUTE_V1; + +typedef VOID(KNORMAL_ROUTINE) ( + IN PVOID NormalContext, + IN PVOID SystemArgument1, + IN PVOID SystemArgument2); + +typedef struct _PS_ATTRIBUTE +{ + ULONG Attribute; + SIZE_T Size; + union + { + ULONG Value; + PVOID ValuePtr; + } u1; + PSIZE_T ReturnLength; +} PS_ATTRIBUTE, *PPS_ATTRIBUTE; + +typedef struct _WNF_STATE_NAME +{ + ULONG Data[2]; +} WNF_STATE_NAME, *PWNF_STATE_NAME; + +#ifndef InitializeObjectAttributes +#define InitializeObjectAttributes( p, n, a, r, s ) { \ + (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ + (p)->RootDirectory = r; \ + (p)->Attributes = a; \ + (p)->ObjectName = n; \ + (p)->SecurityDescriptor = s; \ + (p)->SecurityQualityOfService = NULL; \ +} +#endif + +typedef struct _KEY_VALUE_ENTRY +{ + PUNICODE_STRING ValueName; + ULONG DataLength; + ULONG DataOffset; + ULONG Type; +} KEY_VALUE_ENTRY, *PKEY_VALUE_ENTRY; + +typedef enum _KEY_SET_INFORMATION_CLASS +{ + KeyWriteTimeInformation, + KeyWow64FlagsInformation, + KeyControlFlagsInformation, + KeySetVirtualizationInformation, + KeySetDebugInformation, + KeySetHandleTagsInformation, + MaxKeySetInfoClass // MaxKeySetInfoClass should always be the last enum. +} KEY_SET_INFORMATION_CLASS, *PKEY_SET_INFORMATION_CLASS; + +typedef enum _SYSTEM_INFORMATION_CLASS +{ + SystemBasicInformation = 0, + SystemPerformanceInformation = 2, + SystemTimeOfDayInformation = 3, + SystemProcessInformation = 5, + SystemProcessorPerformanceInformation = 8, + SystemHandleInformation = 16, + SystemInterruptInformation = 23, + SystemExceptionInformation = 33, + SystemRegistryQuotaInformation = 37, + SystemLookasideInformation = 45, + SystemCodeIntegrityInformation = 103, + SystemPolicyInformation = 134, +} SYSTEM_INFORMATION_CLASS, *PSYSTEM_INFORMATION_CLASS; + +typedef enum _PROCESSINFOCLASS +{ + ProcessBasicInformation = 0, + ProcessDebugPort = 7, + ProcessWow64Information = 26, + ProcessImageFileName = 27, + ProcessBreakOnTermination = 29 +} PROCESSINFOCLASS, *PPROCESSINFOCLASS; + +typedef struct _MEMORY_RANGE_ENTRY +{ + PVOID VirtualAddress; + SIZE_T NumberOfBytes; +} MEMORY_RANGE_ENTRY, *PMEMORY_RANGE_ENTRY; + +typedef struct _T2_SET_PARAMETERS_V0 +{ + ULONG Version; + ULONG Reserved; + LONGLONG NoWakeTolerance; +} T2_SET_PARAMETERS, *PT2_SET_PARAMETERS; + +typedef struct _FILE_PATH +{ + ULONG Version; + ULONG Length; + ULONG Type; + CHAR FilePath[1]; +} FILE_PATH, *PFILE_PATH; + +typedef struct _FILE_USER_QUOTA_INFORMATION +{ + ULONG NextEntryOffset; + ULONG SidLength; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER QuotaUsed; + LARGE_INTEGER QuotaThreshold; + LARGE_INTEGER QuotaLimit; + SID Sid[1]; +} FILE_USER_QUOTA_INFORMATION, *PFILE_USER_QUOTA_INFORMATION; + +typedef struct _FILE_QUOTA_LIST_INFORMATION +{ + ULONG NextEntryOffset; + ULONG SidLength; + SID Sid[1]; +} FILE_QUOTA_LIST_INFORMATION, *PFILE_QUOTA_LIST_INFORMATION; + +typedef struct _FILE_NETWORK_OPEN_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + LARGE_INTEGER AllocationSize; + LARGE_INTEGER EndOfFile; + ULONG FileAttributes; + ULONG Unknown; +} FILE_NETWORK_OPEN_INFORMATION, *PFILE_NETWORK_OPEN_INFORMATION; + +typedef enum _FILTER_BOOT_OPTION_OPERATION +{ + FilterBootOptionOperationOpenSystemStore, + FilterBootOptionOperationSetElement, + FilterBootOptionOperationDeleteElement, + FilterBootOptionOperationMax +} FILTER_BOOT_OPTION_OPERATION, *PFILTER_BOOT_OPTION_OPERATION; + +typedef enum _EVENT_TYPE +{ + NotificationEvent = 0, + SynchronizationEvent = 1, +} EVENT_TYPE, *PEVENT_TYPE; + +typedef struct _FILE_FULL_EA_INFORMATION +{ + ULONG NextEntryOffset; + UCHAR Flags; + UCHAR EaNameLength; + USHORT EaValueLength; + CHAR EaName[1]; +} FILE_FULL_EA_INFORMATION, *PFILE_FULL_EA_INFORMATION; + +typedef struct _FILE_GET_EA_INFORMATION +{ + ULONG NextEntryOffset; + BYTE EaNameLength; + CHAR EaName[1]; +} FILE_GET_EA_INFORMATION, *PFILE_GET_EA_INFORMATION; + +typedef struct _BOOT_OPTIONS +{ + ULONG Version; + ULONG Length; + ULONG Timeout; + ULONG CurrentBootEntryId; + ULONG NextBootEntryId; + WCHAR HeadlessRedirection[1]; +} BOOT_OPTIONS, *PBOOT_OPTIONS; + +typedef ULONG WNF_CHANGE_STAMP, *PWNF_CHANGE_STAMP; + +typedef enum _WNF_DATA_SCOPE +{ + WnfDataScopeSystem = 0, + WnfDataScopeSession = 1, + WnfDataScopeUser = 2, + WnfDataScopeProcess = 3, + WnfDataScopeMachine = 4 +} WNF_DATA_SCOPE, *PWNF_DATA_SCOPE; + +typedef enum _WNF_STATE_NAME_LIFETIME +{ + WnfWellKnownStateName = 0, + WnfPermanentStateName = 1, + WnfPersistentStateName = 2, + WnfTemporaryStateName = 3 +} WNF_STATE_NAME_LIFETIME, *PWNF_STATE_NAME_LIFETIME; + +typedef enum _VIRTUAL_MEMORY_INFORMATION_CLASS +{ + VmPrefetchInformation, + VmPagePriorityInformation, + VmCfgCallTargetInformation +} VIRTUAL_MEMORY_INFORMATION_CLASS, *PVIRTUAL_MEMORY_INFORMATION_CLASS; + +typedef enum _IO_SESSION_EVENT +{ + IoSessionEventIgnore, + IoSessionEventCreated, + IoSessionEventTerminated, + IoSessionEventConnected, + IoSessionEventDisconnected, + IoSessionEventLogon, + IoSessionEventLogoff, + IoSessionEventMax +} IO_SESSION_EVENT, *PIO_SESSION_EVENT; + +typedef enum _PORT_INFORMATION_CLASS +{ + PortBasicInformation, +#if DEVL + PortDumpInformation +#endif +} PORT_INFORMATION_CLASS, *PPORT_INFORMATION_CLASS; + +typedef enum _PLUGPLAY_CONTROL_CLASS +{ + PlugPlayControlEnumerateDevice, + PlugPlayControlRegisterNewDevice, + PlugPlayControlDeregisterDevice, + PlugPlayControlInitializeDevice, + PlugPlayControlStartDevice, + PlugPlayControlUnlockDevice, + PlugPlayControlQueryAndRemoveDevice, + PlugPlayControlUserResponse, + PlugPlayControlGenerateLegacyDevice, + PlugPlayControlGetInterfaceDeviceList, + PlugPlayControlProperty, + PlugPlayControlDeviceClassAssociation, + PlugPlayControlGetRelatedDevice, + PlugPlayControlGetInterfaceDeviceAlias, + PlugPlayControlDeviceStatus, + PlugPlayControlGetDeviceDepth, + PlugPlayControlQueryDeviceRelations, + PlugPlayControlTargetDeviceRelation, + PlugPlayControlQueryConflictList, + PlugPlayControlRetrieveDock, + PlugPlayControlResetDevice, + PlugPlayControlHaltDevice, + PlugPlayControlGetBlockedDriverList, + MaxPlugPlayControl +} PLUGPLAY_CONTROL_CLASS, *PPLUGPLAY_CONTROL_CLASS; + +typedef enum _IO_COMPLETION_INFORMATION_CLASS +{ + IoCompletionBasicInformation +} IO_COMPLETION_INFORMATION_CLASS, *PIO_COMPLETION_INFORMATION_CLASS; + +typedef enum _SECTION_INHERIT +{ + ViewShare = 1, + ViewUnmap = 2 +} SECTION_INHERIT, *PSECTION_INHERIT; + +typedef enum _DEBUGOBJECTINFOCLASS +{ + DebugObjectFlags = 1, + MaxDebugObjectInfoClass +} DEBUGOBJECTINFOCLASS, *PDEBUGOBJECTINFOCLASS; + +typedef enum _SEMAPHORE_INFORMATION_CLASS +{ + SemaphoreBasicInformation +} SEMAPHORE_INFORMATION_CLASS, *PSEMAPHORE_INFORMATION_CLASS; + +typedef struct _PS_ATTRIBUTE_LIST +{ + SIZE_T TotalLength; + PS_ATTRIBUTE Attributes[1]; +} PS_ATTRIBUTE_LIST, *PPS_ATTRIBUTE_LIST; + +typedef enum _VDMSERVICECLASS +{ + VdmStartExecution, + VdmQueueInterrupt, + VdmDelayInterrupt, + VdmInitialize, + VdmFeatures, + VdmSetInt21Handler, + VdmQueryDir, + VdmPrinterDirectIoOpen, + VdmPrinterDirectIoClose, + VdmPrinterInitialize, + VdmSetLdtEntries, + VdmSetProcessLdtInfo, + VdmAdlibEmulation, + VdmPMCliControl, + VdmQueryVdmProcess +} VDMSERVICECLASS, *PVDMSERVICECLASS; + +typedef struct _PS_CREATE_INFO +{ + SIZE_T Size; + PS_CREATE_STATE State; + union + { + // PsCreateInitialState + struct { + union { + ULONG InitFlags; + struct { + UCHAR WriteOutputOnExit : 1; + UCHAR DetectManifest : 1; + UCHAR IFEOSkipDebugger : 1; + UCHAR IFEODoNotPropagateKeyState : 1; + UCHAR SpareBits1 : 4; + UCHAR SpareBits2 : 8; + USHORT ProhibitedImageCharacteristics : 16; + }; + }; + ACCESS_MASK AdditionalFileAccess; + } InitState; + // PsCreateFailOnSectionCreate + struct { + HANDLE FileHandle; + } FailSection; + // PsCreateFailExeFormat + struct { + USHORT DllCharacteristics; + } ExeFormat; + // PsCreateFailExeName + struct { + HANDLE IFEOKey; + } ExeName; + // PsCreateSuccess + struct { + union { + ULONG OutputFlags; + struct { + UCHAR ProtectedProcess : 1; + UCHAR AddressSpaceOverride : 1; + UCHAR DevOverrideEnabled : 1; // from Image File Execution Options + UCHAR ManifestDetected : 1; + UCHAR ProtectedProcessLight : 1; + UCHAR SpareBits1 : 3; + UCHAR SpareBits2 : 8; + USHORT SpareBits3 : 16; + }; + }; + HANDLE FileHandle; + HANDLE SectionHandle; + ULONGLONG UserProcessParametersNative; + ULONG UserProcessParametersWow64; + ULONG CurrentParameterFlags; + ULONGLONG PebAddressNative; + ULONG PebAddressWow64; + ULONGLONG ManifestAddress; + ULONG ManifestSize; + } SuccessState; + }; +} PS_CREATE_INFO, *PPS_CREATE_INFO; + +typedef enum _MEMORY_INFORMATION_CLASS +{ + MemoryBasicInformation, + MemoryWorkingSetInformation, + MemoryMappedFilenameInformation, + MemoryRegionInformation, + MemoryWorkingSetExInformation, + MemorySharedCommitInformation, + MemoryImageInformation, + MemoryRegionInformationEx, + MemoryPrivilegedBasicInformation, + MemoryEnclaveImageInformation, + MemoryBasicInformationCapped +} MEMORY_INFORMATION_CLASS, *PMEMORY_INFORMATION_CLASS; + +typedef enum _MEMORY_RESERVE_TYPE +{ + MemoryReserveUserApc, + MemoryReserveIoCompletion, + MemoryReserveTypeMax +} MEMORY_RESERVE_TYPE, *PMEMORY_RESERVE_TYPE; + +typedef enum _ALPC_PORT_INFORMATION_CLASS +{ + AlpcBasicInformation, + AlpcPortInformation, + AlpcAssociateCompletionPortInformation, + AlpcConnectedSIDInformation, + AlpcServerInformation, + AlpcMessageZoneInformation, + AlpcRegisterCompletionListInformation, + AlpcUnregisterCompletionListInformation, + AlpcAdjustCompletionListConcurrencyCountInformation, + AlpcRegisterCallbackInformation, + AlpcCompletionListRundownInformation +} ALPC_PORT_INFORMATION_CLASS, *PALPC_PORT_INFORMATION_CLASS; + +typedef struct _ALPC_CONTEXT_ATTR +{ + PVOID PortContext; + PVOID MessageContext; + ULONG SequenceNumber; + ULONG MessageID; + ULONG CallbackID; +} ALPC_CONTEXT_ATTR, *PALPC_CONTEXT_ATTR; + +typedef struct _ALPC_DATA_VIEW_ATTR +{ + ULONG Flags; + HANDLE SectionHandle; + PVOID ViewBase; + SIZE_T ViewSize; +} ALPC_DATA_VIEW_ATTR, *PALPC_DATA_VIEW_ATTR; + +typedef struct _ALPC_SECURITY_ATTR +{ + ULONG Flags; + PSECURITY_QUALITY_OF_SERVICE SecurityQos; + HANDLE ContextHandle; + ULONG Reserved1; + ULONG Reserved2; +} ALPC_SECURITY_ATTR, *PALPC_SECURITY_ATTR; + +typedef PVOID* PPVOID; + +typedef enum _KPROFILE_SOURCE +{ + ProfileTime = 0, + ProfileAlignmentFixup = 1, + ProfileTotalIssues = 2, + ProfilePipelineDry = 3, + ProfileLoadInstructions = 4, + ProfilePipelineFrozen = 5, + ProfileBranchInstructions = 6, + ProfileTotalNonissues = 7, + ProfileDcacheMisses = 8, + ProfileIcacheMisses = 9, + ProfileCacheMisses = 10, + ProfileBranchMispredictions = 11, + ProfileStoreInstructions = 12, + ProfileFpInstructions = 13, + ProfileIntegerInstructions = 14, + Profile2Issue = 15, + Profile3Issue = 16, + Profile4Issue = 17, + ProfileSpecialInstructions = 18, + ProfileTotalCycles = 19, + ProfileIcacheIssues = 20, + ProfileDcacheAccesses = 21, + ProfileMemoryBarrierCycles = 22, + ProfileLoadLinkedIssues = 23, + ProfileMaximum = 24, +} KPROFILE_SOURCE, *PKPROFILE_SOURCE; + +typedef enum _ALPC_MESSAGE_INFORMATION_CLASS +{ + AlpcMessageSidInformation, + AlpcMessageTokenModifiedIdInformation +} ALPC_MESSAGE_INFORMATION_CLASS, *PALPC_MESSAGE_INFORMATION_CLASS; + +typedef enum _WORKERFACTORYINFOCLASS +{ + WorkerFactoryTimeout, + WorkerFactoryRetryTimeout, + WorkerFactoryIdleTimeout, + WorkerFactoryBindingCount, + WorkerFactoryThreadMinimum, + WorkerFactoryThreadMaximum, + WorkerFactoryPaused, + WorkerFactoryBasicInformation, + WorkerFactoryAdjustThreadGoal, + WorkerFactoryCallbackType, + WorkerFactoryStackInformation, + MaxWorkerFactoryInfoClass +} WORKERFACTORYINFOCLASS, *PWORKERFACTORYINFOCLASS; + +typedef enum _MEMORY_PARTITION_INFORMATION_CLASS +{ + SystemMemoryPartitionInformation, + SystemMemoryPartitionMoveMemory, + SystemMemoryPartitionAddPagefile, + SystemMemoryPartitionCombineMemory, + SystemMemoryPartitionInitialAddMemory, + SystemMemoryPartitionGetMemoryEvents, + SystemMemoryPartitionMax +} MEMORY_PARTITION_INFORMATION_CLASS, *PMEMORY_PARTITION_INFORMATION_CLASS; + +typedef enum _MUTANT_INFORMATION_CLASS +{ + MutantBasicInformation, + MutantOwnerInformation +} MUTANT_INFORMATION_CLASS, *PMUTANT_INFORMATION_CLASS; + +typedef enum _ATOM_INFORMATION_CLASS +{ + AtomBasicInformation, + AtomTableInformation +} ATOM_INFORMATION_CLASS, *PATOM_INFORMATION_CLASS; + +typedef enum _SHUTDOWN_ACTION { + ShutdownNoReboot, + ShutdownReboot, + ShutdownPowerOff +} SHUTDOWN_ACTION; + +typedef VOID(CALLBACK* PTIMER_APC_ROUTINE)( + IN PVOID TimerContext, + IN ULONG TimerLowValue, + IN LONG TimerHighValue); + +typedef enum _KEY_VALUE_INFORMATION_CLASS { + KeyValueBasicInformation = 0, + KeyValueFullInformation, + KeyValuePartialInformation, + KeyValueFullInformationAlign64, + KeyValuePartialInformationAlign64, + MaxKeyValueInfoClass +} KEY_VALUE_INFORMATION_CLASS; + +typedef LANGID* PLANGID; + +typedef struct _PLUGPLAY_EVENT_BLOCK +{ + GUID EventGuid; + PLUGPLAY_EVENT_CATEGORY EventCategory; + PULONG Result; + ULONG Flags; + ULONG TotalSize; + PVOID DeviceObject; + + union + { + struct + { + GUID ClassGuid; + WCHAR SymbolicLinkName[1]; + } DeviceClass; + struct + { + WCHAR DeviceIds[1]; + } TargetDevice; + struct + { + WCHAR DeviceId[1]; + } InstallDevice; + struct + { + PVOID NotificationStructure; + WCHAR DeviceIds[1]; + } CustomNotification; + struct + { + PVOID Notification; + } ProfileNotification; + struct + { + ULONG NotificationCode; + ULONG NotificationData; + } PowerNotification; + struct + { + PNP_VETO_TYPE VetoType; + WCHAR DeviceIdVetoNameBuffer[1]; // DeviceIdVetoName + } VetoNotification; + struct + { + GUID BlockedDriverGuid; + } BlockedDriverNotification; + struct + { + WCHAR ParentId[1]; + } InvalidIDNotification; + } u; +} PLUGPLAY_EVENT_BLOCK, *PPLUGPLAY_EVENT_BLOCK; + +typedef VOID(NTAPI* PIO_APC_ROUTINE) ( + IN PVOID ApcContext, + IN PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG Reserved); + +typedef KNORMAL_ROUTINE* PKNORMAL_ROUTINE; + +typedef enum _DIRECTORY_NOTIFY_INFORMATION_CLASS +{ + DirectoryNotifyInformation = 1, + DirectoryNotifyExtendedInformation = 2, +} DIRECTORY_NOTIFY_INFORMATION_CLASS, *PDIRECTORY_NOTIFY_INFORMATION_CLASS; + +typedef enum _EVENT_INFORMATION_CLASS +{ + EventBasicInformation +} EVENT_INFORMATION_CLASS, *PEVENT_INFORMATION_CLASS; + +typedef struct _ALPC_MESSAGE_ATTRIBUTES +{ + unsigned long AllocatedAttributes; + unsigned long ValidAttributes; +} ALPC_MESSAGE_ATTRIBUTES, *PALPC_MESSAGE_ATTRIBUTES; + +typedef struct _ALPC_PORT_ATTRIBUTES +{ + ULONG Flags; + SECURITY_QUALITY_OF_SERVICE SecurityQos; + SIZE_T MaxMessageLength; + SIZE_T MemoryBandwidth; + SIZE_T MaxPoolUsage; + SIZE_T MaxSectionSize; + SIZE_T MaxViewSize; + SIZE_T MaxTotalSectionSize; + ULONG DupObjectTypes; +#ifdef _WIN64 + ULONG Reserved; +#endif +} ALPC_PORT_ATTRIBUTES, *PALPC_PORT_ATTRIBUTES; + +typedef enum _IO_SESSION_STATE +{ + IoSessionStateCreated = 1, + IoSessionStateInitialized = 2, + IoSessionStateConnected = 3, + IoSessionStateDisconnected = 4, + IoSessionStateDisconnectedLoggedOn = 5, + IoSessionStateLoggedOn = 6, + IoSessionStateLoggedOff = 7, + IoSessionStateTerminated = 8, + IoSessionStateMax = 9, +} IO_SESSION_STATE, *PIO_SESSION_STATE; + +typedef const WNF_STATE_NAME *PCWNF_STATE_NAME; + +typedef const WNF_TYPE_ID *PCWNF_TYPE_ID; + +typedef struct _WNF_DELIVERY_DESCRIPTOR +{ + unsigned __int64 SubscriptionId; + WNF_STATE_NAME StateName; + unsigned long ChangeStamp; + unsigned long StateDataSize; + unsigned long EventMask; + WNF_TYPE_ID TypeId; + unsigned long StateDataOffset; +} WNF_DELIVERY_DESCRIPTOR, *PWNF_DELIVERY_DESCRIPTOR; + +typedef enum _DEBUG_CONTROL_CODE +{ + SysDbgQueryModuleInformation = 0, + SysDbgQueryTraceInformation = 1, + SysDbgSetTracePoint = 2, + SysDbgSetSpecialCall = 3, + SysDbgClearSpecialCalls = 4, + SysDbgQuerySpecialCalls = 5, + SysDbgBreakPoint = 6, + SysDbgQueryVersion = 7, + SysDbgReadVirtual = 8, + SysDbgWriteVirtual = 9, + SysDbgReadPhysical = 10, + SysDbgWritePhysical = 11, + SysDbgReadControlSpace = 12, + SysDbgWriteControlSpace = 13, + SysDbgReadIoSpace = 14, + SysDbgWriteIoSpace = 15, + SysDbgReadMsr = 16, + SysDbgWriteMsr = 17, + SysDbgReadBusData = 18, + SysDbgWriteBusData = 19, + SysDbgCheckLowMemory = 20, + SysDbgEnableKernelDebugger = 21, + SysDbgDisableKernelDebugger = 22, + SysDbgGetAutoKdEnable = 23, + SysDbgSetAutoKdEnable = 24, + SysDbgGetPrintBufferSize = 25, + SysDbgSetPrintBufferSize = 26, + SysDbgGetKdUmExceptionEnable = 27, + SysDbgSetKdUmExceptionEnable = 28, + SysDbgGetTriageDump = 29, + SysDbgGetKdBlockEnable = 30, + SysDbgSetKdBlockEnable = 31 +} DEBUG_CONTROL_CODE, *PDEBUG_CONTROL_CODE; + +typedef struct _PORT_MESSAGE +{ + union + { + union + { + struct + { + short DataLength; + short TotalLength; + } s1; + unsigned long Length; + }; + } u1; + union + { + union + { + struct + { + short Type; + short DataInfoOffset; + } s2; + unsigned long ZeroInit; + }; + } u2; + union + { + CLIENT_ID ClientId; + double DoNotUseThisField; + }; + unsigned long MessageId; + union + { + unsigned __int64 ClientViewSize; + struct + { + unsigned long CallbackId; + long __PADDING__[1]; + }; + }; +} PORT_MESSAGE, *PPORT_MESSAGE; + +typedef struct _FILE_BASIC_INFORMATION +{ + LARGE_INTEGER CreationTime; + LARGE_INTEGER LastAccessTime; + LARGE_INTEGER LastWriteTime; + LARGE_INTEGER ChangeTime; + ULONG FileAttributes; +} FILE_BASIC_INFORMATION, *PFILE_BASIC_INFORMATION; + +typedef struct _PORT_SECTION_READ +{ + ULONG Length; + ULONG ViewSize; + ULONG ViewBase; +} PORT_SECTION_READ, *PPORT_SECTION_READ; + +typedef struct _PORT_SECTION_WRITE +{ + ULONG Length; + HANDLE SectionHandle; + ULONG SectionOffset; + ULONG ViewSize; + PVOID ViewBase; + PVOID TargetViewBase; +} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE; + +typedef enum _TIMER_TYPE +{ + NotificationTimer, + SynchronizationTimer +} TIMER_TYPE, *PTIMER_TYPE; + +typedef struct _BOOT_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG BootFilePathOffset; + ULONG OsOptionsLength; + UCHAR OsOptions[ANYSIZE_ARRAY]; +} BOOT_ENTRY, *PBOOT_ENTRY; + +typedef struct _EFI_DRIVER_ENTRY +{ + ULONG Version; + ULONG Length; + ULONG Id; + ULONG Attributes; + ULONG FriendlyNameOffset; + ULONG DriverFilePathOffset; +} EFI_DRIVER_ENTRY, *PEFI_DRIVER_ENTRY; + +typedef USHORT RTL_ATOM, *PRTL_ATOM; + +typedef enum _TIMER_SET_INFORMATION_CLASS +{ + TimerSetCoalescableTimer, + MaxTimerInfoClass +} TIMER_SET_INFORMATION_CLASS, *PTIMER_SET_INFORMATION_CLASS; + +typedef enum _FSINFOCLASS +{ + FileFsVolumeInformation = 1, + FileFsLabelInformation = 2, + FileFsSizeInformation = 3, + FileFsDeviceInformation = 4, + FileFsAttributeInformation = 5, + FileFsControlInformation = 6, + FileFsFullSizeInformation = 7, + FileFsObjectIdInformation = 8, + FileFsDriverPathInformation = 9, + FileFsVolumeFlagsInformation = 10, + FileFsSectorSizeInformation = 11, + FileFsDataCopyInformation = 12, + FileFsMetadataSizeInformation = 13, + FileFsFullSizeInformationEx = 14, + FileFsMaximumInformation = 15, +} FSINFOCLASS, *PFSINFOCLASS; + +typedef enum _WAIT_TYPE +{ + WaitAll = 0, + WaitAny = 1 +} WAIT_TYPE, *PWAIT_TYPE; + +typedef struct _USER_STACK +{ + PVOID FixedStackBase; + PVOID FixedStackLimit; + PVOID ExpandableStackBase; + PVOID ExpandableStackLimit; + PVOID ExpandableStackBottom; +} USER_STACK, *PUSER_STACK; + +typedef enum _SECTION_INFORMATION_CLASS +{ + SectionBasicInformation, + SectionImageInformation, +} SECTION_INFORMATION_CLASS, *PSECTION_INFORMATION_CLASS; + +typedef enum _APPHELPCACHESERVICECLASS +{ + ApphelpCacheServiceLookup = 0, + ApphelpCacheServiceRemove = 1, + ApphelpCacheServiceUpdate = 2, + ApphelpCacheServiceFlush = 3, + ApphelpCacheServiceDump = 4, + ApphelpDBGReadRegistry = 0x100, + ApphelpDBGWriteRegistry = 0x101, +} APPHELPCACHESERVICECLASS, *PAPPHELPCACHESERVICECLASS; + +typedef struct _TOKEN_SECURITY_ATTRIBUTES_INFORMATION +{ + USHORT Version; + USHORT Reserved; + ULONG AttributeCount; + union + { + PTOKEN_SECURITY_ATTRIBUTE_V1 pAttributeV1; + } Attribute; +} TOKEN_SECURITY_ATTRIBUTES_INFORMATION, *PTOKEN_SECURITY_ATTRIBUTES_INFORMATION; + +typedef struct _FILE_IO_COMPLETION_INFORMATION +{ + PVOID KeyContext; + PVOID ApcContext; + IO_STATUS_BLOCK IoStatusBlock; +} FILE_IO_COMPLETION_INFORMATION, *PFILE_IO_COMPLETION_INFORMATION; + +typedef PVOID PT2_CANCEL_PARAMETERS; + +typedef enum _THREADINFOCLASS +{ + ThreadBasicInformation, + ThreadTimes, + ThreadPriority, + ThreadBasePriority, + ThreadAffinityMask, + ThreadImpersonationToken, + ThreadDescriptorTableEntry, + ThreadEnableAlignmentFaultFixup, + ThreadEventPair_Reusable, + ThreadQuerySetWin32StartAddress, + ThreadZeroTlsCell, + ThreadPerformanceCount, + ThreadAmILastThread, + ThreadIdealProcessor, + ThreadPriorityBoost, + ThreadSetTlsArrayAddress, + ThreadIsIoPending, + ThreadHideFromDebugger, + ThreadBreakOnTermination, + MaxThreadInfoClass +} THREADINFOCLASS, *PTHREADINFOCLASS; + +typedef enum _OBJECT_INFORMATION_CLASS +{ + ObjectBasicInformation, + ObjectNameInformation, + ObjectTypeInformation, + ObjectAllTypesInformation, + ObjectHandleInformation +} OBJECT_INFORMATION_CLASS, *POBJECT_INFORMATION_CLASS; + +typedef enum _FILE_INFORMATION_CLASS +{ + FileDirectoryInformation = 1, + FileFullDirectoryInformation = 2, + FileBothDirectoryInformation = 3, + FileBasicInformation = 4, + FileStandardInformation = 5, + FileInternalInformation = 6, + FileEaInformation = 7, + FileAccessInformation = 8, + FileNameInformation = 9, + FileRenameInformation = 10, + FileLinkInformation = 11, + FileNamesInformation = 12, + FileDispositionInformation = 13, + FilePositionInformation = 14, + FileFullEaInformation = 15, + FileModeInformation = 16, + FileAlignmentInformation = 17, + FileAllInformation = 18, + FileAllocationInformation = 19, + FileEndOfFileInformation = 20, + FileAlternateNameInformation = 21, + FileStreamInformation = 22, + FilePipeInformation = 23, + FilePipeLocalInformation = 24, + FilePipeRemoteInformation = 25, + FileMailslotQueryInformation = 26, + FileMailslotSetInformation = 27, + FileCompressionInformation = 28, + FileObjectIdInformation = 29, + FileCompletionInformation = 30, + FileMoveClusterInformation = 31, + FileQuotaInformation = 32, + FileReparsePointInformation = 33, + FileNetworkOpenInformation = 34, + FileAttributeTagInformation = 35, + FileTrackingInformation = 36, + FileIdBothDirectoryInformation = 37, + FileIdFullDirectoryInformation = 38, + FileValidDataLengthInformation = 39, + FileShortNameInformation = 40, + FileIoCompletionNotificationInformation = 41, + FileIoStatusBlockRangeInformation = 42, + FileIoPriorityHintInformation = 43, + FileSfioReserveInformation = 44, + FileSfioVolumeInformation = 45, + FileHardLinkInformation = 46, + FileProcessIdsUsingFileInformation = 47, + FileNormalizedNameInformation = 48, + FileNetworkPhysicalNameInformation = 49, + FileIdGlobalTxDirectoryInformation = 50, + FileIsRemoteDeviceInformation = 51, + FileUnusedInformation = 52, + FileNumaNodeInformation = 53, + FileStandardLinkInformation = 54, + FileRemoteProtocolInformation = 55, + FileRenameInformationBypassAccessCheck = 56, + FileLinkInformationBypassAccessCheck = 57, + FileVolumeNameInformation = 58, + FileIdInformation = 59, + FileIdExtdDirectoryInformation = 60, + FileReplaceCompletionInformation = 61, + FileHardLinkFullIdInformation = 62, + FileIdExtdBothDirectoryInformation = 63, + FileDispositionInformationEx = 64, + FileRenameInformationEx = 65, + FileRenameInformationExBypassAccessCheck = 66, + FileMaximumInformation = 67, +} FILE_INFORMATION_CLASS, *PFILE_INFORMATION_CLASS; + +typedef enum _KEY_INFORMATION_CLASS +{ + KeyBasicInformation = 0, + KeyNodeInformation = 1, + KeyFullInformation = 2, + KeyNameInformation = 3, + KeyCachedInformation = 4, + KeyFlagsInformation = 5, + KeyVirtualizationInformation = 6, + KeyHandleTagsInformation = 7, + MaxKeyInfoClass = 8 +} KEY_INFORMATION_CLASS, *PKEY_INFORMATION_CLASS; + +typedef struct _OBJECT_ATTRIBUTES +{ + ULONG Length; + HANDLE RootDirectory; + PUNICODE_STRING ObjectName; + ULONG Attributes; + PVOID SecurityDescriptor; + PVOID SecurityQualityOfService; +} OBJECT_ATTRIBUTES, *POBJECT_ATTRIBUTES; + +typedef enum _TIMER_INFORMATION_CLASS +{ + TimerBasicInformation +} TIMER_INFORMATION_CLASS, *PTIMER_INFORMATION_CLASS; + +typedef struct _KCONTINUE_ARGUMENT +{ + KCONTINUE_TYPE ContinueType; + ULONG ContinueFlags; + ULONGLONG Reserved[2]; +} KCONTINUE_ARGUMENT, *PKCONTINUE_ARGUMENT; + +EXTERN_C NTSTATUS Sw3NtAccessCheck( + IN PSECURITY_DESCRIPTOR pSecurityDescriptor, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiaredAccess, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet OPTIONAL, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus); + +EXTERN_C NTSTATUS Sw3NtWorkerFactoryWorkerReady( + IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtAcceptConnectPort( + OUT PHANDLE ServerPortHandle, + IN ULONG AlternativeReceivePortHandle OPTIONAL, + IN PPORT_MESSAGE ConnectionReply, + IN BOOLEAN AcceptConnection, + IN OUT PPORT_SECTION_WRITE ServerSharedMemory OPTIONAL, + OUT PPORT_SECTION_READ ClientSharedMemory OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPagesScatter( + IN PVOID VirtualAddresses, + IN PULONG NumberOfPages, + IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForSingleObject( + IN HANDLE ObjectHandle, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER TimeOut OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallbackReturn( + IN PVOID OutputBuffer OPTIONAL, + IN ULONG OutputLength, + IN NTSTATUS Status); + +EXTERN_C NTSTATUS Sw3NtReadFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + OUT PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeviceIoControlFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG IoControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID Buffer, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletion( + IN HANDLE IoCompletionHandle, + OUT PULONG KeyContext, + OUT PULONG ApcContext, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseSemaphore( + IN HANDLE SemaphoreHandle, + IN LONG ReleaseCount, + OUT PLONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePort( + IN HANDLE PortHandle, + OUT PVOID PortContext OPTIONAL, + IN PPORT_MESSAGE ReplyMessage OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage); + +EXTERN_C NTSTATUS Sw3NtReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtSetInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + IN PVOID ThreadInformation, + IN ULONG ThreadInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtClose( + IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtQueryObject( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + OUT PVOID ObjectInformation OPTIONAL, + IN ULONG ObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtOpenKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtEnumerateValueKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtFindAtom( + IN PWSTR AtomName OPTIONAL, + IN ULONG Length, + OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultLocale( + IN BOOLEAN UserProfile, + OUT PLCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtQueryKey( + IN HANDLE KeyHandle, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT PVOID KeyInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtQueryValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN KEY_VALUE_INFORMATION_CLASS KeyValueInformationClass, + OUT PVOID KeyValueInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID * BaseAddress, + IN ULONG ZeroBits, + IN OUT PSIZE_T RegionSize, + IN ULONG AllocationType, + IN ULONG Protect); + +EXTERN_C NTSTATUS Sw3NtQueryInformationProcess( + IN HANDLE ProcessHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + OUT PVOID ProcessInformation, + IN ULONG ProcessInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects32( + IN ULONG ObjectCount, + IN PHANDLE Handles, + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteFileGather( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKey( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG TitleIndex, + IN PUNICODE_STRING Class OPTIONAL, + IN ULONG CreateOptions, + OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFreeVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID * BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG FreeType); + +EXTERN_C NTSTATUS Sw3NtImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message); + +EXTERN_C NTSTATUS Sw3NtReleaseMutant( + IN HANDLE MutantHandle, + OUT PULONG PreviousCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + OUT PVOID TokenInformation, + IN ULONG TokenInformationLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtRequestWaitReplyPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage, + OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtQueryVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN MEMORY_INFORMATION_CLASS MemoryInformationClass, + OUT PVOID MemoryInformation, + IN SIZE_T MemoryInformationLength, + OUT PSIZE_T ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadToken( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryInformationThread( + IN HANDLE ThreadHandle, + IN THREADINFOCLASS ThreadInformationClass, + OUT PVOID ThreadInformation, + IN ULONG ThreadInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSection( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG ZeroBits, + IN SIZE_T CommitSize, + IN OUT PLARGE_INTEGER SectionOffset OPTIONAL, + IN OUT PSIZE_T ViewSize, + IN SECTION_INHERIT InheritDisposition, + IN ULONG AllocationType, + IN ULONG Win32Protect); + +EXTERN_C NTSTATUS Sw3NtAccessCheckAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN ACCESS_MASK DesiredAccess, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PBOOLEAN AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSection( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReceivePortEx( + IN HANDLE PortHandle, + OUT PULONG PortContext OPTIONAL, + IN PPORT_MESSAGE ReplyMessage OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateProcess( + IN HANDLE ProcessHandle OPTIONAL, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtSetEventBoostPriority( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadFileScatter( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_SEGMENT_ELEMENT SegmentArray, + IN ULONG Length, + IN PLARGE_INTEGER ByteOffset OPTIONAL, + IN PULONG Key OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenThreadTokenEx( + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN BOOLEAN OpenAsSelf, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenProcessTokenEx( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtQueryPerformanceCounter( + OUT PLARGE_INTEGER PerformanceCounter, + OUT PLARGE_INTEGER PerformanceFrequency OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtEnumerateKey( + IN HANDLE KeyHandle, + IN ULONG Index, + IN KEY_INFORMATION_CLASS KeyInformationClass, + OUT PVOID KeyInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ResultLength); + +EXTERN_C NTSTATUS Sw3NtOpenFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtDelayExecution( + IN BOOLEAN Alertable, + IN PLARGE_INTEGER DelayInterval); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN BOOLEAN ReturnSingleEntry, + IN PUNICODE_STRING FileName OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN OUT PVOID SystemInformation, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtQueryTimer( + IN HANDLE TimerHandle, + IN TIMER_INFORMATION_CLASS TimerInformationClass, + OUT PVOID TimerInformation, + IN ULONG TimerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFsControlFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG FsControlCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtWriteVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN SIZE_T NumberOfBytesToWrite, + OUT PSIZE_T NumberOfBytesWritten OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCloseObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDuplicateObject( + IN HANDLE SourceProcessHandle, + IN HANDLE SourceHandle, + IN HANDLE TargetProcessHandle OPTIONAL, + OUT PHANDLE TargetHandle OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Options); + +EXTERN_C NTSTATUS Sw3NtQueryAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_BASIC_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtClearEvent( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtReadVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + OUT PVOID Buffer, + IN SIZE_T BufferSize, + OUT PSIZE_T NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEvent( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAdjustPrivilegesToken( + IN HANDLE TokenHandle, + IN BOOLEAN DisableAllPrivileges, + IN PTOKEN_PRIVILEGES NewState OPTIONAL, + IN ULONG BufferLength, + OUT PTOKEN_PRIVILEGES PreviousState OPTIONAL, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDuplicateToken( + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN BOOLEAN EffectiveOnly, + IN TOKEN_TYPE TokenType, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtContinue( + IN PCONTEXT ContextRecord, + IN BOOLEAN TestAlert); + +EXTERN_C NTSTATUS Sw3NtQueryDefaultUILanguage( + OUT PLANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueueApcThread( + IN HANDLE ThreadHandle, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcArgument1 OPTIONAL, + IN PVOID ApcArgument2 OPTIONAL, + IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtYieldExecution(); + +EXTERN_C NTSTATUS Sw3NtAddAtom( + IN PWSTR AtomName OPTIONAL, + IN ULONG Length, + OUT PUSHORT Atom OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEvent( + OUT PHANDLE EventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN EVENT_TYPE EventType, + IN BOOLEAN InitialState); + +EXTERN_C NTSTATUS Sw3NtQueryVolumeInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FsInformation, + IN ULONG Length, + IN FSINFOCLASS FsInformationClass); + +EXTERN_C NTSTATUS Sw3NtCreateSection( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PLARGE_INTEGER MaximumSize OPTIONAL, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN HANDLE FileHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtApphelpCacheControl( + IN APPHELPCACHESERVICECLASS Service, + IN PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtCreateProcessEx( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ParentProcess, + IN ULONG Flags, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL, + IN ULONG JobMemberLevel); + +EXTERN_C NTSTATUS Sw3NtCreateThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ProcessHandle, + OUT PCLIENT_ID ClientId, + IN PCONTEXT ThreadContext, + IN PUSER_STACK InitialTeb, + IN BOOLEAN CreateSuspended); + +EXTERN_C NTSTATUS Sw3NtIsProcessInJob( + IN HANDLE ProcessHandle, + IN HANDLE JobHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtProtectVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID * BaseAddress, + IN OUT PSIZE_T RegionSize, + IN ULONG NewProtect, + OUT PULONG OldProtect); + +EXTERN_C NTSTATUS Sw3NtQuerySection( + IN HANDLE SectionHandle, + IN SECTION_INFORMATION_CLASS SectionInformationClass, + OUT PVOID SectionInformation, + IN ULONG SectionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResumeThread( + IN HANDLE ThreadHandle, + IN OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateThread( + IN HANDLE ThreadHandle, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtReadRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG DataEntryIndex, + OUT PVOID Buffer, + IN ULONG BufferSize, + OUT PULONG NumberOfBytesRead OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PLARGE_INTEGER AllocationSize OPTIONAL, + IN ULONG FileAttributes, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN PVOID EaBuffer OPTIONAL, + IN ULONG EaLength); + +EXTERN_C NTSTATUS Sw3NtQueryEvent( + IN HANDLE EventHandle, + IN EVENT_INFORMATION_CLASS EventInformationClass, + OUT PVOID EventInformation, + IN ULONG EventInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWriteRequestData( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Request, + IN ULONG DataIndex, + IN PVOID Buffer, + IN ULONG Length, + OUT PULONG ResultLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtWaitForMultipleObjects( + IN ULONG Count, + IN PHANDLE Handles, + IN WAIT_TYPE WaitType, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationObject( + IN HANDLE Handle, + IN OBJECT_INFORMATION_CLASS ObjectInformationClass, + IN PVOID ObjectInformation, + IN ULONG ObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtCancelIoFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtTraceEvent( + IN HANDLE TraceHandle, + IN ULONG Flags, + IN ULONG FieldSize, + IN PVOID Fields); + +EXTERN_C NTSTATUS Sw3NtPowerInformation( + IN POWER_INFORMATION_LEVEL InformationLevel, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength); + +EXTERN_C NTSTATUS Sw3NtSetValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName, + IN ULONG TitleIndex OPTIONAL, + IN ULONG Type, + IN PVOID SystemData, + IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtCancelTimer( + IN HANDLE TimerHandle, + OUT PBOOLEAN CurrentState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetTimer( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN PTIMER_APC_ROUTINE TimerApcRoutine OPTIONAL, + IN PVOID TimerContext OPTIONAL, + IN BOOLEAN ResumeTimer, + IN LONG Period OPTIONAL, + OUT PBOOLEAN PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByType( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN HANDLE ClientToken, + IN ULONG DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultList( + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_TYPE_LIST ObjectTypeList, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + OUT PPRIVILEGE_SET PrivilegeSet, + IN OUT PULONG PrivilegeSetLength, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAccessCheckByTypeResultListAndAuditAlarmByHandle( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN HANDLE ClientToken, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor, + IN PSID PrincipalSelfSid OPTIONAL, + IN ACCESS_MASK DesiredAccess, + IN AUDIT_EVENT_TYPE AuditType, + IN ULONG Flags, + IN POBJECT_TYPE_LIST ObjectTypeList OPTIONAL, + IN ULONG ObjectTypeListLength, + IN PGENERIC_MAPPING GenericMapping, + IN BOOLEAN ObjectCreation, + OUT PACCESS_MASK GrantedAccess, + OUT PULONG AccessStatus, + OUT PULONG GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtAcquireProcessActivityReference(); + +EXTERN_C NTSTATUS Sw3NtAddAtomEx( + IN PWSTR AtomName, + IN ULONG Length, + IN PRTL_ATOM Atom, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAddBootEntry( + IN PBOOT_ENTRY BootEntry, + OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAddDriverEntry( + IN PEFI_DRIVER_ENTRY DriverEntry, + OUT PULONG Id OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAdjustGroupsToken( + IN HANDLE TokenHandle, + IN BOOLEAN ResetToDefault, + IN PTOKEN_GROUPS NewState OPTIONAL, + IN ULONG BufferLength OPTIONAL, + OUT PTOKEN_GROUPS PreviousState OPTIONAL, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtAdjustTokenClaimsAndDeviceGroups( + IN HANDLE TokenHandle, + IN BOOLEAN UserResetToDefault, + IN BOOLEAN DeviceResetToDefault, + IN BOOLEAN DeviceGroupsResetToDefault, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewUserState OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION NewDeviceState OPTIONAL, + IN PTOKEN_GROUPS NewDeviceGroupsState OPTIONAL, + IN ULONG UserBufferLength, + OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousUserState OPTIONAL, + IN ULONG DeviceBufferLength, + OUT PTOKEN_SECURITY_ATTRIBUTES_INFORMATION PreviousDeviceState OPTIONAL, + IN ULONG DeviceGroupsBufferLength, + OUT PTOKEN_GROUPS PreviousDeviceGroups OPTIONAL, + OUT PULONG UserReturnLength OPTIONAL, + OUT PULONG DeviceReturnLength OPTIONAL, + OUT PULONG DeviceGroupsReturnBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertResumeThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlertThread( + IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtAlertThreadByThreadId( + IN ULONG ThreadId); + +EXTERN_C NTSTATUS Sw3NtAllocateLocallyUniqueId( + OUT PLUID Luid); + +EXTERN_C NTSTATUS Sw3NtAllocateReserveObject( + OUT PHANDLE MemoryReserveHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN MEMORY_RESERVE_TYPE Type); + +EXTERN_C NTSTATUS Sw3NtAllocateUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + OUT PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtAllocateUuids( + OUT PLARGE_INTEGER Time, + OUT PULONG Range, + OUT PULONG Sequence, + OUT PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtAllocateVirtualMemoryEx( + IN HANDLE ProcessHandle, + IN OUT PPVOID lpAddress, + IN ULONG_PTR ZeroBits, + IN OUT PSIZE_T pSize, + IN ULONG flAllocationType, + IN OUT PVOID DataBuffer OPTIONAL, + IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtAlpcAcceptConnectPort( + OUT PHANDLE PortHandle, + IN HANDLE ConnectionPortHandle, + IN ULONG Flags, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN PVOID PortContext OPTIONAL, + IN PPORT_MESSAGE ConnectionRequest, + IN OUT PALPC_MESSAGE_ATTRIBUTES ConnectionMessageAttributes OPTIONAL, + IN BOOLEAN AcceptConnection); + +EXTERN_C NTSTATUS Sw3NtAlpcCancelMessage( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PALPC_CONTEXT_ATTR MessageContext); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN ULONG Flags, + IN PSID RequiredServerSid OPTIONAL, + IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, + IN OUT PULONG BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcConnectPortEx( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ConnectionPortObjectAttributes, + IN POBJECT_ATTRIBUTES ClientPortObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL, + IN ULONG Flags, + IN PSECURITY_DESCRIPTOR ServerSecurityRequirements OPTIONAL, + IN OUT PPORT_MESSAGE ConnectionMessage OPTIONAL, + IN OUT PSIZE_T BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES OutMessageAttributes OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES InMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PALPC_PORT_ATTRIBUTES PortAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcCreatePortSection( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE SectionHandle OPTIONAL, + IN SIZE_T SectionSize, + OUT PHANDLE AlpcSectionHandle, + OUT PSIZE_T ActualSectionSize); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateResourceReserve( + IN HANDLE PortHandle, + IN ULONG Flags, + IN SIZE_T MessageSize, + OUT PHANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSectionView( + IN HANDLE PortHandle, + IN ULONG Flags, + IN OUT PALPC_DATA_VIEW_ATTR ViewAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcCreateSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN OUT PALPC_SECURITY_ATTR SecurityAttribute); + +EXTERN_C NTSTATUS Sw3NtAlpcDeletePortSection( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE SectionHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteResourceReserve( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ResourceId); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSectionView( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PVOID ViewBase); + +EXTERN_C NTSTATUS Sw3NtAlpcDeleteSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcDisconnectPort( + IN HANDLE PortHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientContainerOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcImpersonateClientOfPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE Message, + IN PVOID Flags); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderProcess( + OUT PHANDLE ProcessHandle, + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ULONG Flags, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcOpenSenderThread( + OUT PHANDLE ThreadHandle, + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ULONG Flags, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformation( + IN HANDLE PortHandle OPTIONAL, + IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, + IN OUT PVOID PortInformation, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcQueryInformationMessage( + IN HANDLE PortHandle, + IN PPORT_MESSAGE PortMessage, + IN ALPC_MESSAGE_INFORMATION_CLASS MessageInformationClass, + OUT PVOID MessageInformation OPTIONAL, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcRevokeSecurityContext( + IN HANDLE PortHandle, + IN ULONG Flags, + IN HANDLE ContextHandle); + +EXTERN_C NTSTATUS Sw3NtAlpcSendWaitReceivePort( + IN HANDLE PortHandle, + IN ULONG Flags, + IN PPORT_MESSAGE SendMessage OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES SendMessageAttributes OPTIONAL, + OUT PPORT_MESSAGE ReceiveMessage OPTIONAL, + IN OUT PSIZE_T BufferLength OPTIONAL, + IN OUT PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtAlpcSetInformation( + IN HANDLE PortHandle, + IN ALPC_PORT_INFORMATION_CLASS PortInformationClass, + IN PVOID PortInformation OPTIONAL, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtAreMappedFilesTheSame( + IN PVOID File1MappedAsAnImage, + IN PVOID File2MappedAsFile); + +EXTERN_C NTSTATUS Sw3NtAssignProcessToJobObject( + IN HANDLE JobHandle, + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtAssociateWaitCompletionPacket( + IN HANDLE WaitCompletionPacketHandle, + IN HANDLE IoCompletionHandle, + IN HANDLE TargetObjectHandle, + IN PVOID KeyContext OPTIONAL, + IN PVOID ApcContext OPTIONAL, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation, + OUT PBOOLEAN AlreadySignaled OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCallEnclave( + IN PENCLAVE_ROUTINE Routine, + IN PVOID Parameter, + IN BOOLEAN WaitForThread, + IN OUT PVOID ReturnValue OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCancelIoFileEx( + IN HANDLE FileHandle, + IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelSynchronousIoFile( + IN HANDLE ThreadHandle, + IN PIO_STATUS_BLOCK IoRequestToCancel OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtCancelTimer2( + IN HANDLE TimerHandle, + IN PT2_CANCEL_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtCancelWaitCompletionPacket( + IN HANDLE WaitCompletionPacketHandle, + IN BOOLEAN RemoveSignaledPacket); + +EXTERN_C NTSTATUS Sw3NtCommitComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCommitRegistryTransaction( + IN HANDLE RegistryHandle, + IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtCommitTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtCompactKeys( + IN ULONG Count, + IN HANDLE KeyArray); + +EXTERN_C NTSTATUS Sw3NtCompareObjects( + IN HANDLE FirstObjectHandle, + IN HANDLE SecondObjectHandle); + +EXTERN_C NTSTATUS Sw3NtCompareSigningLevels( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2); + +EXTERN_C NTSTATUS Sw3NtCompareTokens( + IN HANDLE FirstTokenHandle, + IN HANDLE SecondTokenHandle, + OUT PBOOLEAN Equal); + +EXTERN_C NTSTATUS Sw3NtCompleteConnectPort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtCompressKey( + IN HANDLE Key); + +EXTERN_C NTSTATUS Sw3NtConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, + IN OUT PPORT_SECTION_READ ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtConvertBetweenAuxiliaryCounterAndPerformanceCounter( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2, + IN ULONG UnknownParameter3, + IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtCreateDebugObject( + OUT PHANDLE DebugObjectHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObject( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtCreateDirectoryObjectEx( + OUT PHANDLE DirectoryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE ShadowDirectoryHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateEnclave( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN ULONG_PTR ZeroBits, + IN SIZE_T Size, + IN SIZE_T InitialCommitment, + IN ULONG EnclaveType, + IN PVOID EnclaveInformation, + IN ULONG EnclaveInformationLength, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEnlistment( + OUT PHANDLE EnlistmentHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE ResourceManagerHandle, + IN HANDLE TransactionHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN NOTIFICATION_MASK NotificationMask, + IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateEventPair( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateIRTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateIoCompletion( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG Count OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateJobSet( + IN ULONG NumJob, + IN PJOB_SET_ARRAY UserJobSet, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateKeyTransacted( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG TitleIndex, + IN PUNICODE_STRING Class OPTIONAL, + IN ULONG CreateOptions, + IN HANDLE TransactionHandle, + OUT PULONG Disposition OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateKeyedEvent( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtCreateLowBoxToken( + OUT PHANDLE TokenHandle, + IN HANDLE ExistingTokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PSID PackageSid, + IN ULONG CapabilityCount, + IN PSID_AND_ATTRIBUTES Capabilities OPTIONAL, + IN ULONG HandleCount, + IN HANDLE Handles OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateMailslotFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CreateOptions, + IN ULONG MailslotQuota, + IN ULONG MaximumMessageSize, + IN PLARGE_INTEGER ReadTimeout); + +EXTERN_C NTSTATUS Sw3NtCreateMutant( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN BOOLEAN InitialOwner); + +EXTERN_C NTSTATUS Sw3NtCreateNamedPipeFile( + OUT PHANDLE FileHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG ShareAccess, + IN ULONG CreateDisposition, + IN ULONG CreateOptions, + IN BOOLEAN NamedPipeType, + IN BOOLEAN ReadMode, + IN BOOLEAN CompletionMode, + IN ULONG MaximumInstances, + IN ULONG InboundQuota, + IN ULONG OutboundQuota, + IN PLARGE_INTEGER DefaultTimeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePagingFile( + IN PUNICODE_STRING PageFileName, + IN PULARGE_INTEGER MinimumSize, + IN PULARGE_INTEGER MaximumSize, + IN ULONG Priority); + +EXTERN_C NTSTATUS Sw3NtCreatePartition( + OUT PHANDLE PartitionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG PreferredNode); + +EXTERN_C NTSTATUS Sw3NtCreatePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreatePrivateNamespace( + OUT PHANDLE NamespaceHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateProcess( + OUT PHANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ParentProcess, + IN BOOLEAN InheritObjectTable, + IN HANDLE SectionHandle OPTIONAL, + IN HANDLE DebugPort OPTIONAL, + IN HANDLE ExceptionPort OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateProfile( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN ULONG ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN ULONG Affinity); + +EXTERN_C NTSTATUS Sw3NtCreateProfileEx( + OUT PHANDLE ProfileHandle, + IN HANDLE Process OPTIONAL, + IN PVOID ProfileBase, + IN SIZE_T ProfileSize, + IN ULONG BucketSize, + IN PULONG Buffer, + IN ULONG BufferSize, + IN KPROFILE_SOURCE ProfileSource, + IN USHORT GroupCount, + IN PGROUP_AFFINITY GroupAffinity); + +EXTERN_C NTSTATUS Sw3NtCreateRegistryTransaction( + OUT PHANDLE Handle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN DWORD Flags); + +EXTERN_C NTSTATUS Sw3NtCreateResourceManager( + OUT PHANDLE ResourceManagerHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE TmHandle, + IN LPGUID RmGuid, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN LONG InitialCount, + IN LONG MaximumCount); + +EXTERN_C NTSTATUS Sw3NtCreateSymbolicLinkObject( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PUNICODE_STRING LinkTarget); + +EXTERN_C NTSTATUS Sw3NtCreateThreadEx( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE ProcessHandle, + IN PVOID StartRoutine, + IN PVOID Argument OPTIONAL, + IN ULONG CreateFlags, + IN SIZE_T ZeroBits, + IN SIZE_T StackSize, + IN SIZE_T MaximumStackSize, + IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TIMER_TYPE TimerType); + +EXTERN_C NTSTATUS Sw3NtCreateTimer2( + OUT PHANDLE TimerHandle, + IN PVOID Reserved1 OPTIONAL, + IN PVOID Reserved2 OPTIONAL, + IN ULONG Attributes, + IN ACCESS_MASK DesiredAccess); + +EXTERN_C NTSTATUS Sw3NtCreateToken( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_OWNER Owner OPTIONAL, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTokenEx( + OUT PHANDLE TokenHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN TOKEN_TYPE TokenType, + IN PLUID AuthenticationId, + IN PLARGE_INTEGER ExpirationTime, + IN PTOKEN_USER User, + IN PTOKEN_GROUPS Groups, + IN PTOKEN_PRIVILEGES Privileges, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION UserAttributes OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION DeviceAttributes OPTIONAL, + IN PTOKEN_GROUPS DeviceGroups OPTIONAL, + IN PTOKEN_MANDATORY_POLICY TokenMandatoryPolicy OPTIONAL, + IN PTOKEN_OWNER Owner OPTIONAL, + IN PTOKEN_PRIMARY_GROUP PrimaryGroup, + IN PTOKEN_DEFAULT_DACL DefaultDacl OPTIONAL, + IN PTOKEN_SOURCE TokenSource); + +EXTERN_C NTSTATUS Sw3NtCreateTransaction( + OUT PHANDLE TransactionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN LPGUID Uow OPTIONAL, + IN HANDLE TmHandle OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN ULONG IsolationLevel OPTIONAL, + IN ULONG IsolationFlags OPTIONAL, + IN PLARGE_INTEGER Timeout OPTIONAL, + IN PUNICODE_STRING Description OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateTransactionManager( + OUT PHANDLE TmHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PUNICODE_STRING LogFileName OPTIONAL, + IN ULONG CreateOptions OPTIONAL, + IN ULONG CommitStrength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateUserProcess( + OUT PHANDLE ProcessHandle, + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK ProcessDesiredAccess, + IN ACCESS_MASK ThreadDesiredAccess, + IN POBJECT_ATTRIBUTES ProcessObjectAttributes OPTIONAL, + IN POBJECT_ATTRIBUTES ThreadObjectAttributes OPTIONAL, + IN ULONG ProcessFlags, + IN ULONG ThreadFlags, + IN PVOID ProcessParameters OPTIONAL, + IN OUT PPS_CREATE_INFO CreateInfo, + IN PPS_ATTRIBUTE_LIST AttributeList OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitCompletionPacket( + OUT PHANDLE WaitCompletionPacketHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWaitablePort( + OUT PHANDLE PortHandle, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN ULONG MaxConnectionInfoLength, + IN ULONG MaxMessageLength, + IN ULONG MaxPoolUsage OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateWnfStateName( + OUT PCWNF_STATE_NAME StateName, + IN WNF_STATE_NAME_LIFETIME NameLifetime, + IN WNF_DATA_SCOPE DataScope, + IN BOOLEAN PersistData, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN ULONG MaximumStateSize, + IN PSECURITY_DESCRIPTOR SecurityDescriptor); + +EXTERN_C NTSTATUS Sw3NtCreateWorkerFactory( + OUT PHANDLE WorkerFactoryHandleReturn, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN HANDLE CompletionPortHandle, + IN HANDLE WorkerProcessHandle, + IN PVOID StartRoutine, + IN PVOID StartParameter OPTIONAL, + IN ULONG MaxThreadCount OPTIONAL, + IN SIZE_T StackReserve OPTIONAL, + IN SIZE_T StackCommit OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDebugActiveProcess( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtDebugContinue( + IN HANDLE DebugObjectHandle, + IN PCLIENT_ID ClientId, + IN NTSTATUS ContinueStatus); + +EXTERN_C NTSTATUS Sw3NtDeleteAtom( + IN USHORT Atom); + +EXTERN_C NTSTATUS Sw3NtDeleteBootEntry( + IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteDriverEntry( + IN ULONG Id); + +EXTERN_C NTSTATUS Sw3NtDeleteFile( + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtDeleteKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN BOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtDeletePrivateNamespace( + IN HANDLE NamespaceHandle); + +EXTERN_C NTSTATUS Sw3NtDeleteValueKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING ValueName); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PVOID ExplicitScope OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtDeleteWnfStateName( + IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtDisableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtDisplayString( + IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtDrawText( + IN PUNICODE_STRING String); + +EXTERN_C NTSTATUS Sw3NtEnableLastKnownGood(); + +EXTERN_C NTSTATUS Sw3NtEnumerateBootEntries( + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateDriverEntries( + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateSystemEnvironmentValuesEx( + IN ULONG InformationClass, + OUT PVOID Buffer, + IN OUT PULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtEnumerateTransactionObject( + IN HANDLE RootObjectHandle OPTIONAL, + IN KTMOBJECT_TYPE QueryType, + IN OUT PKTMOBJECT_CURSOR ObjectCursor, + IN ULONG ObjectCursorLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtExtendSection( + IN HANDLE SectionHandle, + IN OUT PLARGE_INTEGER NewSectionSize); + +EXTERN_C NTSTATUS Sw3NtFilterBootOption( + IN FILTER_BOOT_OPTION_OPERATION FilterOperation, + IN ULONG ObjectType, + IN ULONG ElementType, + IN PVOID SystemData OPTIONAL, + IN ULONG DataSize); + +EXTERN_C NTSTATUS Sw3NtFilterToken( + IN HANDLE ExistingTokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable OPTIONAL, + IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + IN PTOKEN_GROUPS RestrictedSids OPTIONAL, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFilterTokenEx( + IN HANDLE TokenHandle, + IN ULONG Flags, + IN PTOKEN_GROUPS SidsToDisable OPTIONAL, + IN PTOKEN_PRIVILEGES PrivilegesToDelete OPTIONAL, + IN PTOKEN_GROUPS RestrictedSids OPTIONAL, + IN ULONG DisableUserClaimsCount, + IN PUNICODE_STRING UserClaimsToDisable OPTIONAL, + IN ULONG DisableDeviceClaimsCount, + IN PUNICODE_STRING DeviceClaimsToDisable OPTIONAL, + IN PTOKEN_GROUPS DeviceGroupsToDisable OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedUserAttributes OPTIONAL, + IN PTOKEN_SECURITY_ATTRIBUTES_INFORMATION RestrictedDeviceAttributes OPTIONAL, + IN PTOKEN_GROUPS RestrictedDeviceGroups OPTIONAL, + OUT PHANDLE NewTokenHandle); + +EXTERN_C NTSTATUS Sw3NtFlushBuffersFileEx( + IN HANDLE FileHandle, + IN ULONG Flags, + IN PVOID Parameters, + IN ULONG ParametersSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushInstallUILanguage( + IN LANGID InstallUILanguage, + IN ULONG SetComittedFlag); + +EXTERN_C NTSTATUS Sw3NtFlushInstructionCache( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtFlushKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtFlushProcessWriteBuffers(); + +EXTERN_C NTSTATUS Sw3NtFlushVirtualMemory( + IN HANDLE ProcessHandle, + IN OUT PVOID BaseAddress, + IN OUT PULONG RegionSize, + OUT PIO_STATUS_BLOCK IoStatusBlock); + +EXTERN_C NTSTATUS Sw3NtFlushWriteBuffer(); + +EXTERN_C NTSTATUS Sw3NtFreeUserPhysicalPages( + IN HANDLE ProcessHandle, + IN OUT PULONG NumberOfPages, + IN PULONG UserPfnArray); + +EXTERN_C NTSTATUS Sw3NtFreezeRegistry( + IN ULONG TimeOutInSeconds); + +EXTERN_C NTSTATUS Sw3NtFreezeTransactions( + IN PLARGE_INTEGER FreezeTimeout, + IN PLARGE_INTEGER ThawTimeout); + +EXTERN_C NTSTATUS Sw3NtGetCachedSigningLevel( + IN HANDLE File, + OUT PULONG Flags, + OUT PSE_SIGNING_LEVEL SigningLevel, + OUT PUCHAR Thumbprint OPTIONAL, + IN OUT PULONG ThumbprintSize OPTIONAL, + OUT PULONG ThumbprintAlgorithm OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetCompleteWnfStateSubscription( + IN PCWNF_STATE_NAME OldDescriptorStateName OPTIONAL, + IN PLARGE_INTEGER OldSubscriptionId OPTIONAL, + IN ULONG OldDescriptorEventMask OPTIONAL, + IN ULONG OldDescriptorStatus OPTIONAL, + OUT PWNF_DELIVERY_DESCRIPTOR NewDeliveryDescriptor, + IN ULONG DescriptorSize); + +EXTERN_C NTSTATUS Sw3NtGetContextThread( + IN HANDLE ThreadHandle, + IN OUT PCONTEXT ThreadContext); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumber(); + +EXTERN_C NTSTATUS Sw3NtGetCurrentProcessorNumberEx( + OUT PULONG ProcNumber OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetDevicePowerState( + IN HANDLE Device, + OUT PDEVICE_POWER_STATE State); + +EXTERN_C NTSTATUS Sw3NtGetMUIRegistryInfo( + IN ULONG Flags, + IN OUT PULONG DataSize, + OUT PVOID SystemData); + +EXTERN_C NTSTATUS Sw3NtGetNextProcess( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewProcessHandle); + +EXTERN_C NTSTATUS Sw3NtGetNextThread( + IN HANDLE ProcessHandle, + IN HANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN ULONG HandleAttributes, + IN ULONG Flags, + OUT PHANDLE NewThreadHandle); + +EXTERN_C NTSTATUS Sw3NtGetNlsSectionPtr( + IN ULONG SectionType, + IN ULONG SectionData, + IN PVOID ContextData, + OUT PVOID SectionPointer, + OUT PULONG SectionSize); + +EXTERN_C NTSTATUS Sw3NtGetNotificationResourceManager( + IN HANDLE ResourceManagerHandle, + OUT PTRANSACTION_NOTIFICATION TransactionNotification, + IN ULONG NotificationLength, + IN PLARGE_INTEGER Timeout OPTIONAL, + OUT PULONG ReturnLength OPTIONAL, + IN ULONG Asynchronous, + IN ULONG AsynchronousContext OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtGetWriteWatch( + IN HANDLE ProcessHandle, + IN ULONG Flags, + IN PVOID BaseAddress, + IN ULONG RegionSize, + OUT PULONG UserAddressArray, + IN OUT PULONG EntriesInUserAddressArray, + OUT PULONG Granularity); + +EXTERN_C NTSTATUS Sw3NtImpersonateAnonymousToken( + IN HANDLE ThreadHandle); + +EXTERN_C NTSTATUS Sw3NtImpersonateThread( + IN HANDLE ServerThreadHandle, + IN HANDLE ClientThreadHandle, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos); + +EXTERN_C NTSTATUS Sw3NtInitializeEnclave( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID EnclaveInformation, + IN ULONG EnclaveInformationLength, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtInitializeNlsFiles( + OUT PVOID BaseAddress, + OUT PLCID DefaultLocaleId, + OUT PLARGE_INTEGER DefaultCasingTableSize); + +EXTERN_C NTSTATUS Sw3NtInitializeRegistry( + IN USHORT BootCondition); + +EXTERN_C NTSTATUS Sw3NtInitiatePowerAction( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE LightestSystemState, + IN ULONG Flags, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtIsSystemResumeAutomatic(); + +EXTERN_C NTSTATUS Sw3NtIsUILanguageComitted(); + +EXTERN_C NTSTATUS Sw3NtListenPort( + IN HANDLE PortHandle, + OUT PPORT_MESSAGE ConnectionRequest); + +EXTERN_C NTSTATUS Sw3NtLoadDriver( + IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtLoadEnclaveData( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PVOID Buffer, + IN SIZE_T BufferSize, + IN ULONG Protect, + IN PVOID PageInformation, + IN ULONG PageInformationLength, + OUT PSIZE_T NumberOfBytesWritten OPTIONAL, + OUT PULONG EnclaveError OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLoadHotPatch( + IN PUNICODE_STRING HotPatchName, + IN ULONG LoadFlag); + +EXTERN_C NTSTATUS Sw3NtLoadKey( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile); + +EXTERN_C NTSTATUS Sw3NtLoadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtLoadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN POBJECT_ATTRIBUTES SourceFile, + IN ULONG Flags, + IN HANDLE TrustClassKey OPTIONAL, + IN HANDLE Event OPTIONAL, + IN ACCESS_MASK DesiredAccess OPTIONAL, + OUT PHANDLE RootHandle OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatus OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PULARGE_INTEGER ByteOffset, + IN PULARGE_INTEGER Length, + IN ULONG Key, + IN BOOLEAN FailImmediately, + IN BOOLEAN ExclusiveLock); + +EXTERN_C NTSTATUS Sw3NtLockProductActivationKeys( + IN OUT PULONG pPrivateVer OPTIONAL, + OUT PULONG pSafeMode OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtLockRegistryKey( + IN HANDLE KeyHandle); + +EXTERN_C NTSTATUS Sw3NtLockVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN PULONG RegionSize, + IN ULONG MapType); + +EXTERN_C NTSTATUS Sw3NtMakePermanentObject( + IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtMakeTemporaryObject( + IN HANDLE Handle); + +EXTERN_C NTSTATUS Sw3NtManagePartition( + IN HANDLE TargetHandle, + IN HANDLE SourceHandle, + IN MEMORY_PARTITION_INFORMATION_CLASS PartitionInformationClass, + IN OUT PVOID PartitionInformation, + IN ULONG PartitionInformationLength); + +EXTERN_C NTSTATUS Sw3NtMapCMFModule( + IN ULONG What, + IN ULONG Index, + OUT PULONG CacheIndexOut OPTIONAL, + OUT PULONG CacheFlagsOut OPTIONAL, + OUT PULONG ViewSizeOut OPTIONAL, + OUT PVOID BaseAddress OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapUserPhysicalPages( + IN PVOID VirtualAddress, + IN PULONG NumberOfPages, + IN PULONG UserPfnArray OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtMapViewOfSectionEx( + IN HANDLE SectionHandle, + IN HANDLE ProcessHandle, + IN OUT PLARGE_INTEGER SectionOffset, + IN OUT PPVOID BaseAddress, + IN OUT PSIZE_T ViewSize, + IN ULONG AllocationType, + IN ULONG Protect, + IN OUT PVOID DataBuffer OPTIONAL, + IN ULONG DataCount); + +EXTERN_C NTSTATUS Sw3NtModifyBootEntry( + IN PBOOT_ENTRY BootEntry); + +EXTERN_C NTSTATUS Sw3NtModifyDriverEntry( + IN PEFI_DRIVER_ENTRY DriverEntry); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFile( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_NOTIFY_INFORMATION Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeDirectoryFileEx( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID Buffer, + IN ULONG Length, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + IN DIRECTORY_NOTIFY_INFORMATION_CLASS DirectoryNotifyInformationClass OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeKey( + IN HANDLE KeyHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT PVOID Buffer OPTIONAL, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeMultipleKeys( + IN HANDLE MasterKeyHandle, + IN ULONG Count OPTIONAL, + IN POBJECT_ATTRIBUTES SubordinateObjects OPTIONAL, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN ULONG CompletionFilter, + IN BOOLEAN WatchTree, + OUT PVOID Buffer OPTIONAL, + IN ULONG BufferSize, + IN BOOLEAN Asynchronous); + +EXTERN_C NTSTATUS Sw3NtNotifyChangeSession( + IN HANDLE SessionHandle, + IN ULONG ChangeSequenceNumber, + IN PLARGE_INTEGER ChangeTimeStamp, + IN IO_SESSION_EVENT Event, + IN IO_SESSION_STATE NewState, + IN IO_SESSION_STATE PreviousState, + IN PVOID Payload OPTIONAL, + IN ULONG PayloadSize); + +EXTERN_C NTSTATUS Sw3NtOpenEnlistment( + OUT PHANDLE EnlistmentHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE ResourceManagerHandle, + IN LPGUID EnlistmentGuid, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenEventPair( + OUT PHANDLE EventPairHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenIoCompletion( + OUT PHANDLE IoCompletionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenJobObject( + OUT PHANDLE JobHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenKeyEx( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG OpenOptions); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransacted( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyTransactedEx( + OUT PHANDLE KeyHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN ULONG OpenOptions, + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtOpenKeyedEvent( + OUT PHANDLE KeyedEventHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenMutant( + OUT PHANDLE MutantHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN PUNICODE_STRING ObjectTypeName, + IN PUNICODE_STRING ObjectName, + IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN ACCESS_MASK GrantedAccess, + IN PPRIVILEGE_SET Privileges OPTIONAL, + IN BOOLEAN ObjectCreation, + IN BOOLEAN AccessGranted, + OUT PBOOLEAN GenerateOnClose); + +EXTERN_C NTSTATUS Sw3NtOpenPartition( + OUT PHANDLE PartitionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenPrivateNamespace( + OUT PHANDLE NamespaceHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PVOID BoundaryDescriptor); + +EXTERN_C NTSTATUS Sw3NtOpenProcessToken( + IN HANDLE ProcessHandle, + IN ACCESS_MASK DesiredAccess, + OUT PHANDLE TokenHandle); + +EXTERN_C NTSTATUS Sw3NtOpenRegistryTransaction( + OUT PHANDLE RegistryHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenResourceManager( + OUT PHANDLE ResourceManagerHandle, + IN ACCESS_MASK DesiredAccess, + IN HANDLE TmHandle, + IN LPGUID ResourceManagerGuid OPTIONAL, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenSemaphore( + OUT PHANDLE SemaphoreHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSession( + OUT PHANDLE SessionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenSymbolicLinkObject( + OUT PHANDLE LinkHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenThread( + OUT PHANDLE ThreadHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN PCLIENT_ID ClientId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTimer( + OUT PHANDLE TimerHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes); + +EXTERN_C NTSTATUS Sw3NtOpenTransaction( + OUT PHANDLE TransactionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes, + IN LPGUID Uow, + IN HANDLE TmHandle OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtOpenTransactionManager( + OUT PHANDLE TmHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PUNICODE_STRING LogFileName OPTIONAL, + IN LPGUID TmIdentity OPTIONAL, + IN ULONG OpenOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPlugPlayControl( + IN PLUGPLAY_CONTROL_CLASS PnPControlClass, + IN OUT PVOID PnPControlData, + IN ULONG PnPControlDataLength); + +EXTERN_C NTSTATUS Sw3NtPrePrepareComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrePrepareEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrepareEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtPrivilegeCheck( + IN HANDLE ClientToken, + IN OUT PPRIVILEGE_SET RequiredPrivileges, + OUT PBOOLEAN Result); + +EXTERN_C NTSTATUS Sw3NtPrivilegeObjectAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PVOID HandleId OPTIONAL, + IN HANDLE ClientToken, + IN ACCESS_MASK DesiredAccess, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPrivilegedServiceAuditAlarm( + IN PUNICODE_STRING SubsystemName, + IN PUNICODE_STRING ServiceName, + IN HANDLE ClientToken, + IN PPRIVILEGE_SET Privileges, + IN BOOLEAN AccessGranted); + +EXTERN_C NTSTATUS Sw3NtPropagationComplete( + IN HANDLE ResourceManagerHandle, + IN ULONG RequestCookie, + IN ULONG BufferLength, + IN PVOID Buffer); + +EXTERN_C NTSTATUS Sw3NtPropagationFailed( + IN HANDLE ResourceManagerHandle, + IN ULONG RequestCookie, + IN NTSTATUS PropStatus); + +EXTERN_C NTSTATUS Sw3NtPulseEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryAuxiliaryCounterFrequency( + OUT PULONGLONG lpAuxiliaryCounterFrequency); + +EXTERN_C NTSTATUS Sw3NtQueryBootEntryOrder( + OUT PULONG Ids OPTIONAL, + IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryBootOptions( + OUT PBOOT_OPTIONS BootOptions OPTIONAL, + IN OUT PULONG BootOptionsLength); + +EXTERN_C NTSTATUS Sw3NtQueryDebugFilterState( + IN ULONG ComponentId, + IN ULONG Level); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryFileEx( + IN HANDLE FileHandle, + IN HANDLE Event OPTIONAL, + IN PIO_APC_ROUTINE ApcRoutine OPTIONAL, + IN PVOID ApcContext OPTIONAL, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass, + IN ULONG QueryFlags, + IN PUNICODE_STRING FileName OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDirectoryObject( + IN HANDLE DirectoryHandle, + OUT PVOID Buffer OPTIONAL, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN BOOLEAN RestartScan, + IN OUT PULONG Context, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryDriverEntryOrder( + IN PULONG Ids OPTIONAL, + IN OUT PULONG Count); + +EXTERN_C NTSTATUS Sw3NtQueryEaFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_FULL_EA_INFORMATION Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PFILE_GET_EA_INFORMATION EaList OPTIONAL, + IN ULONG EaListLength, + IN PULONG EaIndex OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQueryFullAttributesFile( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PFILE_NETWORK_OPEN_INFORMATION FileInformation); + +EXTERN_C NTSTATUS Sw3NtQueryInformationAtom( + IN USHORT Atom, + IN ATOM_INFORMATION_CLASS AtomInformationClass, + OUT PVOID AtomInformation, + IN ULONG AtomInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationByName( + IN POBJECT_ATTRIBUTES ObjectAttributes, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PVOID FileInformation, + IN ULONG Length, + IN FILE_INFORMATION_CLASS FileInformationClass); + +EXTERN_C NTSTATUS Sw3NtQueryInformationEnlistment( + IN HANDLE EnlistmentHandle, + IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + OUT PVOID EnlistmentInformation, + IN ULONG EnlistmentInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + OUT PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationPort( + IN HANDLE PortHandle, + IN PORT_INFORMATION_CLASS PortInformationClass, + OUT PVOID PortInformation, + IN ULONG Length, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationResourceManager( + IN HANDLE ResourceManagerHandle, + IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + OUT PVOID ResourceManagerInformation, + IN ULONG ResourceManagerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransaction( + IN HANDLE TransactionHandle, + IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + OUT PVOID TransactionInformation, + IN ULONG TransactionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationTransactionManager( + IN HANDLE TransactionManagerHandle, + IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionManagerInformationClass, + OUT PVOID TransactionManagerInformation, + IN ULONG TransactionManagerInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInformationWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + OUT PVOID WorkerFactoryInformation, + IN ULONG WorkerFactoryInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryInstallUILanguage( + OUT PLANGID InstallUILanguageId); + +EXTERN_C NTSTATUS Sw3NtQueryIntervalProfile( + IN KPROFILE_SOURCE ProfileSource, + OUT PULONG Interval); + +EXTERN_C NTSTATUS Sw3NtQueryIoCompletion( + IN HANDLE IoCompletionHandle, + IN IO_COMPLETION_INFORMATION_CLASS IoCompletionInformationClass, + OUT PVOID IoCompletionInformation, + IN ULONG IoCompletionInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryLicenseValue( + IN PUNICODE_STRING ValueName, + OUT PULONG Type OPTIONAL, + OUT PVOID SystemData OPTIONAL, + IN ULONG DataSize, + OUT PULONG ResultDataSize); + +EXTERN_C NTSTATUS Sw3NtQueryMultipleValueKey( + IN HANDLE KeyHandle, + IN OUT PKEY_VALUE_ENTRY ValueEntries, + IN ULONG EntryCount, + OUT PVOID ValueBuffer, + IN PULONG BufferLength, + OUT PULONG RequiredBufferLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryMutant( + IN HANDLE MutantHandle, + IN MUTANT_INFORMATION_CLASS MutantInformationClass, + OUT PVOID MutantInformation, + IN ULONG MutantInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeys( + IN POBJECT_ATTRIBUTES TargetKey, + OUT PULONG HandleCount); + +EXTERN_C NTSTATUS Sw3NtQueryOpenSubKeysEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG BufferLength, + OUT PVOID Buffer, + OUT PULONG RequiredSize); + +EXTERN_C NTSTATUS Sw3NtQueryPortInformationProcess(); + +EXTERN_C NTSTATUS Sw3NtQueryQuotaInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + OUT PFILE_USER_QUOTA_INFORMATION Buffer, + IN ULONG Length, + IN BOOLEAN ReturnSingleEntry, + IN PFILE_QUOTA_LIST_INFORMATION SidList OPTIONAL, + IN ULONG SidListLength, + IN PSID StartSid OPTIONAL, + IN BOOLEAN RestartScan); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityAttributesToken( + IN HANDLE TokenHandle, + IN PUNICODE_STRING Attributes OPTIONAL, + IN ULONG NumberOfAttributes, + OUT PVOID Buffer, + IN ULONG Length, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityObject( + IN HANDLE Handle, + IN SECURITY_INFORMATION SecurityInformation, + OUT PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL, + IN ULONG Length, + OUT PULONG LengthNeeded); + +EXTERN_C NTSTATUS Sw3NtQuerySecurityPolicy( + IN ULONG_PTR UnknownParameter1, + IN ULONG_PTR UnknownParameter2, + IN ULONG_PTR UnknownParameter3, + IN ULONG_PTR UnknownParameter4, + IN ULONG_PTR UnknownParameter5, + IN ULONG_PTR UnknownParameter6); + +EXTERN_C NTSTATUS Sw3NtQuerySemaphore( + IN HANDLE SemaphoreHandle, + IN SEMAPHORE_INFORMATION_CLASS SemaphoreInformationClass, + OUT PVOID SemaphoreInformation, + IN ULONG SemaphoreInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySymbolicLinkObject( + IN HANDLE LinkHandle, + IN OUT PUNICODE_STRING LinkTarget, + OUT PULONG ReturnedLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValue( + IN PUNICODE_STRING VariableName, + OUT PVOID VariableValue, + IN ULONG ValueLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemEnvironmentValueEx( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + OUT PVOID Value OPTIONAL, + IN OUT PULONG ValueLength, + OUT PULONG Attributes OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQuerySystemInformationEx( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID InputBuffer, + IN ULONG InputBufferLength, + OUT PVOID SystemInformation OPTIONAL, + IN ULONG SystemInformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtQueryTimerResolution( + OUT PULONG MaximumTime, + OUT PULONG MinimumTime, + OUT PULONG CurrentTime); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN PVOID ExplicitScope OPTIONAL, + OUT PWNF_CHANGE_STAMP ChangeStamp, + OUT PVOID Buffer OPTIONAL, + IN OUT PULONG BufferSize); + +EXTERN_C NTSTATUS Sw3NtQueryWnfStateNameInformation( + IN PCWNF_STATE_NAME StateName, + IN PCWNF_TYPE_ID NameInfoClass, + IN PVOID ExplicitScope OPTIONAL, + OUT PVOID InfoBuffer, + IN ULONG InfoBufferSize); + +EXTERN_C NTSTATUS Sw3NtQueueApcThreadEx( + IN HANDLE ThreadHandle, + IN HANDLE UserApcReserveHandle OPTIONAL, + IN PKNORMAL_ROUTINE ApcRoutine, + IN PVOID ApcArgument1 OPTIONAL, + IN PVOID ApcArgument2 OPTIONAL, + IN PVOID ApcArgument3 OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRaiseException( + IN PEXCEPTION_RECORD ExceptionRecord, + IN PCONTEXT ContextRecord, + IN BOOLEAN FirstChance); + +EXTERN_C NTSTATUS Sw3NtRaiseHardError( + IN NTSTATUS ErrorStatus, + IN ULONG NumberOfParameters, + IN ULONG UnicodeStringParameterMask, + IN PULONG_PTR Parameters, + IN ULONG ValidResponseOptions, + OUT PULONG Response); + +EXTERN_C NTSTATUS Sw3NtReadOnlyEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverEnlistment( + IN HANDLE EnlistmentHandle, + IN PVOID EnlistmentKey OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRecoverResourceManager( + IN HANDLE ResourceManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRecoverTransactionManager( + IN HANDLE TransactionManagerHandle); + +EXTERN_C NTSTATUS Sw3NtRegisterProtocolAddressInformation( + IN HANDLE ResourceManager, + IN LPGUID ProtocolId, + IN ULONG ProtocolInformationSize, + IN PVOID ProtocolInformation, + IN ULONG CreateOptions OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRegisterThreadTerminatePort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtReleaseKeyedEvent( + IN HANDLE KeyedEventHandle, + IN PVOID KeyValue, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtReleaseWorkerFactoryWorker( + IN HANDLE WorkerFactoryHandle); + +EXTERN_C NTSTATUS Sw3NtRemoveIoCompletionEx( + IN HANDLE IoCompletionHandle, + OUT PFILE_IO_COMPLETION_INFORMATION IoCompletionInformation, + IN ULONG Count, + OUT PULONG NumEntriesRemoved, + IN PLARGE_INTEGER Timeout OPTIONAL, + IN BOOLEAN Alertable); + +EXTERN_C NTSTATUS Sw3NtRemoveProcessDebug( + IN HANDLE ProcessHandle, + IN HANDLE DebugObjectHandle); + +EXTERN_C NTSTATUS Sw3NtRenameKey( + IN HANDLE KeyHandle, + IN PUNICODE_STRING NewName); + +EXTERN_C NTSTATUS Sw3NtRenameTransactionManager( + IN PUNICODE_STRING LogFileName, + IN LPGUID ExistingTransactionManagerGuid); + +EXTERN_C NTSTATUS Sw3NtReplaceKey( + IN POBJECT_ATTRIBUTES NewFile, + IN HANDLE TargetHandle, + IN POBJECT_ATTRIBUTES OldFile); + +EXTERN_C NTSTATUS Sw3NtReplacePartitionUnit( + IN PUNICODE_STRING TargetInstancePath, + IN PUNICODE_STRING SpareInstancePath, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtReplyWaitReplyPort( + IN HANDLE PortHandle, + IN OUT PPORT_MESSAGE ReplyMessage); + +EXTERN_C NTSTATUS Sw3NtRequestPort( + IN HANDLE PortHandle, + IN PPORT_MESSAGE RequestMessage); + +EXTERN_C NTSTATUS Sw3NtResetEvent( + IN HANDLE EventHandle, + OUT PULONG PreviousState OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtResetWriteWatch( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress, + IN ULONG RegionSize); + +EXTERN_C NTSTATUS Sw3NtRestoreKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtResumeProcess( + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtRevertContainerImpersonation(); + +EXTERN_C NTSTATUS Sw3NtRollbackComplete( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackEnlistment( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtRollbackRegistryTransaction( + IN HANDLE RegistryHandle, + IN BOOL Wait); + +EXTERN_C NTSTATUS Sw3NtRollbackTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Wait); + +EXTERN_C NTSTATUS Sw3NtRollforwardTransactionManager( + IN HANDLE TransactionManagerHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSaveKey( + IN HANDLE KeyHandle, + IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSaveKeyEx( + IN HANDLE KeyHandle, + IN HANDLE FileHandle, + IN ULONG Format); + +EXTERN_C NTSTATUS Sw3NtSaveMergedKeys( + IN HANDLE HighPrecedenceKeyHandle, + IN HANDLE LowPrecedenceKeyHandle, + IN HANDLE FileHandle); + +EXTERN_C NTSTATUS Sw3NtSecureConnectPort( + OUT PHANDLE PortHandle, + IN PUNICODE_STRING PortName, + IN PSECURITY_QUALITY_OF_SERVICE SecurityQos, + IN OUT PPORT_SECTION_WRITE ClientView OPTIONAL, + IN PSID RequiredServerSid OPTIONAL, + IN OUT PPORT_SECTION_READ ServerView OPTIONAL, + OUT PULONG MaxMessageLength OPTIONAL, + IN OUT PVOID ConnectionInformation OPTIONAL, + IN OUT PULONG ConnectionInformationLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSerializeBoot(); + +EXTERN_C NTSTATUS Sw3NtSetBootEntryOrder( + IN PULONG Ids, + IN ULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetBootOptions( + IN PBOOT_OPTIONS BootOptions, + IN ULONG FieldsToChange); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel( + IN ULONG Flags, + IN SE_SIGNING_LEVEL InputSigningLevel, + IN PHANDLE SourceFiles, + IN ULONG SourceFileCount, + IN HANDLE TargetFile OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetCachedSigningLevel2( + IN ULONG Flags, + IN ULONG InputSigningLevel, + IN PHANDLE SourceFiles, + IN ULONG SourceFileCount, + IN HANDLE TargetFile OPTIONAL, + IN PVOID LevelInformation OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetContextThread( + IN HANDLE ThreadHandle, + IN PCONTEXT Context); + +EXTERN_C NTSTATUS Sw3NtSetDebugFilterState( + IN ULONG ComponentId, + IN ULONG Level, + IN BOOLEAN State); + +EXTERN_C NTSTATUS Sw3NtSetDefaultHardErrorPort( + IN HANDLE PortHandle); + +EXTERN_C NTSTATUS Sw3NtSetDefaultLocale( + IN BOOLEAN UserProfile, + IN LCID DefaultLocaleId); + +EXTERN_C NTSTATUS Sw3NtSetDefaultUILanguage( + IN LANGID DefaultUILanguageId); + +EXTERN_C NTSTATUS Sw3NtSetDriverEntryOrder( + IN PULONG Ids, + IN PULONG Count); + +EXTERN_C NTSTATUS Sw3NtSetEaFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_FULL_EA_INFORMATION EaBuffer, + IN ULONG EaBufferSize); + +EXTERN_C NTSTATUS Sw3NtSetHighEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetHighWaitLowEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetIRTimer( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationDebugObject( + IN HANDLE DebugObject, + IN DEBUGOBJECTINFOCLASS InformationClass, + IN PVOID Information, + IN ULONG InformationLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetInformationEnlistment( + IN HANDLE EnlistmentHandle, + IN ENLISTMENT_INFORMATION_CLASS EnlistmentInformationClass, + IN PVOID EnlistmentInformation, + IN ULONG EnlistmentInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationJobObject( + IN HANDLE JobHandle, + IN JOBOBJECTINFOCLASS JobObjectInformationClass, + IN PVOID JobObjectInformation, + IN ULONG JobObjectInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationKey( + IN HANDLE KeyHandle, + IN KEY_SET_INFORMATION_CLASS KeySetInformationClass, + IN PVOID KeySetInformation, + IN ULONG KeySetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationResourceManager( + IN HANDLE ResourceManagerHandle, + IN RESOURCEMANAGER_INFORMATION_CLASS ResourceManagerInformationClass, + IN PVOID ResourceManagerInformation, + IN ULONG ResourceManagerInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationSymbolicLink( + IN HANDLE Handle, + IN ULONG Class, + IN PVOID Buffer, + IN ULONG BufferLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationToken( + IN HANDLE TokenHandle, + IN TOKEN_INFORMATION_CLASS TokenInformationClass, + IN PVOID TokenInformation, + IN ULONG TokenInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransaction( + IN HANDLE TransactionHandle, + IN TRANSACTIONMANAGER_INFORMATION_CLASS TransactionInformationClass, + IN PVOID TransactionInformation, + IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationTransactionManager( + IN HANDLE TransactionHandle, + IN TRANSACTION_INFORMATION_CLASS TransactionInformationClass, + IN PVOID TransactionInformation, + IN ULONG TransactionInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationVirtualMemory( + IN HANDLE ProcessHandle, + IN VIRTUAL_MEMORY_INFORMATION_CLASS VmInformationClass, + IN ULONG_PTR NumberOfEntries, + IN PMEMORY_RANGE_ENTRY VirtualAddresses, + IN PVOID VmInformation, + IN ULONG VmInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetInformationWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN WORKERFACTORYINFOCLASS WorkerFactoryInformationClass, + IN PVOID WorkerFactoryInformation, + IN ULONG WorkerFactoryInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetIntervalProfile( + IN ULONG Interval, + IN KPROFILE_SOURCE Source); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletion( + IN HANDLE IoCompletionHandle, + IN ULONG CompletionKey, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN NTSTATUS CompletionStatus, + IN ULONG NumberOfBytesTransfered); + +EXTERN_C NTSTATUS Sw3NtSetIoCompletionEx( + IN HANDLE IoCompletionHandle, + IN HANDLE IoCompletionPacketHandle, + IN PVOID KeyContext OPTIONAL, + IN PVOID ApcContext OPTIONAL, + IN NTSTATUS IoStatus, + IN ULONG_PTR IoStatusInformation); + +EXTERN_C NTSTATUS Sw3NtSetLdtEntries( + IN ULONG Selector0, + IN ULONG Entry0Low, + IN ULONG Entry0Hi, + IN ULONG Selector1, + IN ULONG Entry1Low, + IN ULONG Entry1Hi); + +EXTERN_C NTSTATUS Sw3NtSetLowEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetLowWaitHighEventPair( + IN HANDLE EventPairHandle); + +EXTERN_C NTSTATUS Sw3NtSetQuotaInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PFILE_USER_QUOTA_INFORMATION Buffer, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtSetSecurityObject( + IN HANDLE ObjectHandle, + IN SECURITY_INFORMATION SecurityInformationClass, + IN PSECURITY_DESCRIPTOR DescriptorBuffer); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValue( + IN PUNICODE_STRING VariableName, + IN PUNICODE_STRING Value); + +EXTERN_C NTSTATUS Sw3NtSetSystemEnvironmentValueEx( + IN PUNICODE_STRING VariableName, + IN LPGUID VendorGuid, + IN PVOID Value OPTIONAL, + IN ULONG ValueLength, + IN ULONG Attributes); + +EXTERN_C NTSTATUS Sw3NtSetSystemInformation( + IN SYSTEM_INFORMATION_CLASS SystemInformationClass, + IN PVOID SystemInformation, + IN ULONG SystemInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetSystemPowerState( + IN POWER_ACTION SystemAction, + IN SYSTEM_POWER_STATE MinSystemState, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtSetSystemTime( + IN PLARGE_INTEGER SystemTime, + OUT PLARGE_INTEGER PreviousTime OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSetThreadExecutionState( + IN EXECUTION_STATE ExecutionState, + OUT PEXECUTION_STATE PreviousExecutionState); + +EXTERN_C NTSTATUS Sw3NtSetTimer2( + IN HANDLE TimerHandle, + IN PLARGE_INTEGER DueTime, + IN PLARGE_INTEGER Period OPTIONAL, + IN PT2_SET_PARAMETERS Parameters); + +EXTERN_C NTSTATUS Sw3NtSetTimerEx( + IN HANDLE TimerHandle, + IN TIMER_SET_INFORMATION_CLASS TimerSetInformationClass, + IN OUT PVOID TimerSetInformation OPTIONAL, + IN ULONG TimerSetInformationLength); + +EXTERN_C NTSTATUS Sw3NtSetTimerResolution( + IN ULONG DesiredResolution, + IN BOOLEAN SetResolution, + OUT PULONG CurrentResolution); + +EXTERN_C NTSTATUS Sw3NtSetUuidSeed( + IN PUCHAR Seed); + +EXTERN_C NTSTATUS Sw3NtSetVolumeInformationFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PVOID FileSystemInformation, + IN ULONG Length, + IN FSINFOCLASS FileSystemInformationClass); + +EXTERN_C NTSTATUS Sw3NtSetWnfProcessNotificationEvent( + IN HANDLE NotificationEvent); + +EXTERN_C NTSTATUS Sw3NtShutdownSystem( + IN SHUTDOWN_ACTION Action); + +EXTERN_C NTSTATUS Sw3NtShutdownWorkerFactory( + IN HANDLE WorkerFactoryHandle, + IN OUT PLONG PendingWorkerCount); + +EXTERN_C NTSTATUS Sw3NtSignalAndWaitForSingleObject( + IN HANDLE hObjectToSignal, + IN HANDLE hObjectToWaitOn, + IN BOOLEAN bAlertable, + IN PLARGE_INTEGER dwMilliseconds OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSinglePhaseReject( + IN HANDLE EnlistmentHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtStartProfile( + IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtStopProfile( + IN HANDLE ProfileHandle); + +EXTERN_C NTSTATUS Sw3NtSubscribeWnfStateChange( + IN PCWNF_STATE_NAME StateName, + IN WNF_CHANGE_STAMP ChangeStamp OPTIONAL, + IN ULONG EventMask, + OUT PLARGE_INTEGER SubscriptionId OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtSuspendProcess( + IN HANDLE ProcessHandle); + +EXTERN_C NTSTATUS Sw3NtSuspendThread( + IN HANDLE ThreadHandle, + OUT PULONG PreviousSuspendCount); + +EXTERN_C NTSTATUS Sw3NtSystemDebugControl( + IN DEBUG_CONTROL_CODE Command, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtTerminateEnclave( + IN PVOID BaseAddress, + IN BOOLEAN WaitForThread); + +EXTERN_C NTSTATUS Sw3NtTerminateJobObject( + IN HANDLE JobHandle, + IN NTSTATUS ExitStatus); + +EXTERN_C NTSTATUS Sw3NtTestAlert(); + +EXTERN_C NTSTATUS Sw3NtThawRegistry(); + +EXTERN_C NTSTATUS Sw3NtThawTransactions(); + +EXTERN_C NTSTATUS Sw3NtTraceControl( + IN ULONG FunctionCode, + IN PVOID InputBuffer OPTIONAL, + IN ULONG InputBufferLength, + OUT PVOID OutputBuffer OPTIONAL, + IN ULONG OutputBufferLength, + OUT PULONG ReturnLength); + +EXTERN_C NTSTATUS Sw3NtTranslateFilePath( + IN PFILE_PATH InputFilePath, + IN ULONG OutputType, + OUT PFILE_PATH OutputFilePath OPTIONAL, + IN OUT PULONG OutputFilePathLength OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUmsThreadYield( + IN PVOID SchedulerParam); + +EXTERN_C NTSTATUS Sw3NtUnloadDriver( + IN PUNICODE_STRING DriverServiceName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey( + IN POBJECT_ATTRIBUTES DestinationKeyName); + +EXTERN_C NTSTATUS Sw3NtUnloadKey2( + IN POBJECT_ATTRIBUTES TargetKey, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnloadKeyEx( + IN POBJECT_ATTRIBUTES TargetKey, + IN HANDLE Event OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtUnlockFile( + IN HANDLE FileHandle, + OUT PIO_STATUS_BLOCK IoStatusBlock, + IN PULARGE_INTEGER ByteOffset, + IN PULARGE_INTEGER Length, + IN ULONG Key); + +EXTERN_C NTSTATUS Sw3NtUnlockVirtualMemory( + IN HANDLE ProcessHandle, + IN PVOID * BaseAddress, + IN PSIZE_T NumberOfBytesToUnlock, + IN ULONG LockType); + +EXTERN_C NTSTATUS Sw3NtUnmapViewOfSectionEx( + IN HANDLE ProcessHandle, + IN PVOID BaseAddress OPTIONAL, + IN ULONG Flags); + +EXTERN_C NTSTATUS Sw3NtUnsubscribeWnfStateChange( + IN PCWNF_STATE_NAME StateName); + +EXTERN_C NTSTATUS Sw3NtUpdateWnfStateData( + IN PCWNF_STATE_NAME StateName, + IN PVOID Buffer OPTIONAL, + IN ULONG Length OPTIONAL, + IN PCWNF_TYPE_ID TypeId OPTIONAL, + IN PVOID ExplicitScope OPTIONAL, + IN WNF_CHANGE_STAMP MatchingChangeStamp, + IN ULONG CheckStamp); + +EXTERN_C NTSTATUS Sw3NtVdmControl( + IN VDMSERVICECLASS Service, + IN OUT PVOID ServiceData); + +EXTERN_C NTSTATUS Sw3NtWaitForAlertByThreadId( + IN HANDLE Handle, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForDebugEvent( + IN HANDLE DebugObjectHandle, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL, + OUT PVOID WaitStateChange); + +EXTERN_C NTSTATUS Sw3NtWaitForKeyedEvent( + IN HANDLE KeyedEventHandle, + IN PVOID Key, + IN BOOLEAN Alertable, + IN PLARGE_INTEGER Timeout OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtWaitForWorkViaWorkerFactory( + IN HANDLE WorkerFactoryHandle, + OUT PVOID MiniPacket); + +EXTERN_C NTSTATUS Sw3NtWaitHighEventPair( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtWaitLowEventPair( + IN HANDLE EventHandle); + +EXTERN_C NTSTATUS Sw3NtAcquireCMFViewOwnership( + OUT BOOLEAN TimeStamp, + OUT BOOLEAN TokenTaken, + IN BOOLEAN ReplaceExisting); + +EXTERN_C NTSTATUS Sw3NtCancelDeviceWakeupRequest( + IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtClearAllSavepointsTransaction( + IN HANDLE TransactionHandle); + +EXTERN_C NTSTATUS Sw3NtClearSavepointTransaction( + IN HANDLE TransactionHandle, + IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtRollbackSavepointTransaction( + IN HANDLE TransactionHandle, + IN ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointTransaction( + IN HANDLE TransactionHandle, + IN BOOLEAN Flag, + OUT ULONG SavePointId); + +EXTERN_C NTSTATUS Sw3NtSavepointComplete( + IN HANDLE TransactionHandle, + IN PLARGE_INTEGER TmVirtualClock OPTIONAL); + +EXTERN_C NTSTATUS Sw3NtCreateSectionEx( + OUT PHANDLE SectionHandle, + IN ACCESS_MASK DesiredAccess, + IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, + IN PLARGE_INTEGER MaximumSize OPTIONAL, + IN ULONG SectionPageProtection, + IN ULONG AllocationAttributes, + IN HANDLE FileHandle OPTIONAL, + IN PMEM_EXTENDED_PARAMETER ExtendedParameters, + IN ULONG ExtendedParametersCount); + +EXTERN_C NTSTATUS Sw3NtCreateCrossVmEvent(); + +EXTERN_C NTSTATUS Sw3NtGetPlugPlayEvent( + IN HANDLE EventHandle, + IN PVOID Context OPTIONAL, + OUT PPLUGPLAY_EVENT_BLOCK EventBlock, + IN ULONG EventBufferSize); + +EXTERN_C NTSTATUS Sw3NtListTransactions(); + +EXTERN_C NTSTATUS Sw3NtMarshallTransaction(); + +EXTERN_C NTSTATUS Sw3NtPullTransaction(); + +EXTERN_C NTSTATUS Sw3NtReleaseCMFViewOwnership(); + +EXTERN_C NTSTATUS Sw3NtWaitForWnfNotifications(); + +EXTERN_C NTSTATUS Sw3NtStartTm(); + +EXTERN_C NTSTATUS Sw3NtSetInformationProcess( + IN HANDLE DeviceHandle, + IN PROCESSINFOCLASS ProcessInformationClass, + IN PVOID ProcessInformation, + IN ULONG Length); + +EXTERN_C NTSTATUS Sw3NtRequestDeviceWakeup( + IN HANDLE DeviceHandle); + +EXTERN_C NTSTATUS Sw3NtRequestWakeupLatency( + IN ULONG LatencyTime); + +EXTERN_C NTSTATUS Sw3NtQuerySystemTime( + OUT PLARGE_INTEGER SystemTime); + +EXTERN_C NTSTATUS Sw3NtManageHotPatch( + IN ULONG UnknownParameter1, + IN ULONG UnknownParameter2, + IN ULONG UnknownParameter3, + IN ULONG UnknownParameter4); + +EXTERN_C NTSTATUS Sw3NtContinueEx( + IN PCONTEXT ContextRecord, + IN PKCONTINUE_ARGUMENT ContinueArgument); + +#endif