2: DllBase(0x7c940000) C:\WINDOWS\system32\ntdll.dll
0:7c946e64 ==> NtAcceptConnectPort
1:7c946e78 ==> NtAccessCheck
2:7c946e86 ==> NtAccessCheckAndAuditAlarm
3:7c946ea1 ==> NtAccessCheckByType
4:7c946eb5 ==> NtAccessCheckByTypeAndAuditAlarm
5:7c946ed6 ==> NtAccessCheckByTypeResultList
6:7c946ef4 ==> NtAccessCheckByTypeResultListAndAuditAlarm
7:7c946f1f ==> NtAccessCheckByTypeResultListAndAuditAlarmByHandle
8:7c946f52 ==> NtAddAtom
9:7c946f5c ==> NtAddBootEntry
10:7c946f6b ==> NtAdjustGroupsToken
11:7c946f7f ==> NtAdjustPrivilegesToken
12:7c946f97 ==> NtAlertResumeThread
13:7c946fab ==> NtAlertThread
14:7c946fb9 ==> NtAllocateLocallyUniqueId
15:7c946fd3 ==> NtAllocateUserPhysicalPages
16:7c946fef ==> NtAllocateUuids
17:7c946fff ==> NtAllocateVirtualMemory
18:7c947017 ==> NtAreMappedFilesTheSame
19:7c94702f ==> NtAssignProcessToJobObject
20:7c94704a ==> NtCallbackReturn
21:7c94705b ==> NtCancelDeviceWakeupRequest
22:7c947077 ==> NtCancelIoFile
23:7c947086 ==> NtCancelTimer
24:7c947094 ==> NtClearEvent
[---]
2: DllBase(0x7c940000) C:\WINDOWS\system32\ntdll.dll
0:7c94b480 ==> ZwAcceptConnectPort
1:7c94b494 ==> ZwAccessCheck
2:7c94b4a2 ==> ZwAccessCheckAndAuditAlarm
3:7c94b4bd ==> ZwAccessCheckByType
4:7c94b4d1 ==> ZwAccessCheckByTypeAndAuditAlarm
5:7c94b4f2 ==> ZwAccessCheckByTypeResultList
6:7c94b510 ==> ZwAccessCheckByTypeResultListAndAuditAlarm
7:7c94b53b ==> ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
8:7c94b56e ==> ZwAddAtom
9:7c94b578 ==> ZwAddBootEntry
10:7c94b587 ==> ZwAdjustGroupsToken
11:7c94b59b ==> ZwAdjustPrivilegesToken
12:7c94b5b3 ==> ZwAlertResumeThread
13:7c94b5c7 ==> ZwAlertThread
14:7c94b5d5 ==> ZwAllocateLocallyUniqueId
15:7c94b5ef ==> ZwAllocateUserPhysicalPages
16:7c94b60b ==> ZwAllocateUuids
17:7c94b61b ==> ZwAllocateVirtualMemory
18:7c94b633 ==> ZwAreMappedFilesTheSame
19:7c94b64b ==> ZwAssignProcessToJobObject
20:7c94b666 ==> ZwCallbackReturn
21:7c94b677 ==> ZwCancelDeviceWakeupRequest
22:7c94b693 ==> ZwCancelIoFile
23:7c94b6a2 ==> ZwCancelTimer
24:7c94b6b0 ==> ZwClearEvent
[---]
0: nt!NtAcceptConnectPort (80591e01)
1: nt!NtAccessCheck (8057b0f1)
2: nt!NtAccessCheckAndAuditAlarm (805899a5)
3: nt!NtAccessCheckByType (8059313c)
4: nt!NtAccessCheckByTypeAndAuditAlarm (8058fa8f)
5: nt!NtAccessCheckByTypeResultList (8063a0b6)
6: nt!NtAccessCheckByTypeResultListAndAuditAlarm (8063c23f)
7: nt!NtAccessCheckByTypeResultListAndAuditAlarmByHandle (8063c288)
8: nt!NtAddAtom (8057c6e4)
9: nt!NtQueryBootOptions (8064b04d)
10: nt!NtAdjustGroupsToken (8063986d)
11: nt!NtAdjustPrivilegesToken (8058f0ad)
12: nt!NtAlertResumeThread (806319b4)
13: nt!NtAlertThread (8057cbcd)
14: nt!NtAllocateLocallyUniqueId (8058a934)
15: nt!NtAllocateUserPhysicalPages (80628937)
16: nt!NtAllocateUuids (805df3d9)
17: nt!NtAllocateVirtualMemory (8056afc3)
18: nt!NtAreMappedFilesTheSame (805db777)
19: nt!NtAssignProcessToJobObject (805a44ca)
20: nt!NtCallbackReturn (804e4cb4)
21: nt!NtCancelDeviceWakeupRequest (8064b063)
22: nt!NtCancelIoFile (805cbb16)
23: nt!NtCancelTimer (804eefac)
24: nt!NtClearEvent (8056b66f)
[---]
kd> u ZwAlertThread
; User-mode system-call stub for NtAlertThread, printed in response to
; `u ZwAlertThread`. The debugger labels the address ntdll!NtAlertThread even
; though the Zw name was requested; both `u` listings on this page start at
; the same address, 7c94cf2e.
ntdll!NtAlertThread:
; eax = 0Dh (13), the system service index handed to the kernel. It matches
; entry 13 of the nt! table on this page, which resolves to nt!NtAlertThread.
7c94cf2e b80d000000 mov eax,0Dh
; edx = 7ffe0300, which the debugger resolves to SharedUserData!SystemCallStub.
7c94cf33 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
; Indirect call through the pointer stored at [edx]. The pointer's value (the
; routine that actually enters the kernel) is not shown in this listing.
7c94cf38 ff12 call dword ptr [edx]
; Return and release 4 bytes of caller-pushed arguments (callee cleans the stack).
7c94cf3a c20400 ret 4
; One-byte filler between stubs; the next label is at 7c94cf3e.
7c94cf3d 90 nop
ntdll!NtAllocateLocallyUniqueId:
7c94cf3e b80e000000 mov eax,0Eh
7c94cf43 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c94cf48 ff12 call dword ptr [edx]
kd> u NtAlertThread
; Same stub, this time requested as `u NtAlertThread`. Address and bytes are
; identical to the `u ZwAlertThread` output, so in this ntdll image the Nt and
; Zw names refer to one piece of code.
ntdll!NtAlertThread:
; Opcode b8 followed by the 32-bit immediate 0000000d: eax = service index 13.
; When checking a stub for inline patching, this leading byte pattern and the
; index (compared against the nt! table entry of the same number) are the
; values to verify.
7c94cf2e b80d000000 mov eax,0Dh
; Opcode ba followed by 0003fe7f (little-endian 7ffe0300): edx = address the
; debugger names SharedUserData!SystemCallStub.
7c94cf33 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
; Transfers control through the pointer read from [edx]; the target itself is
; not displayed here.
7c94cf38 ff12 call dword ptr [edx]
; Returns to the caller and pops 4 bytes of arguments.
7c94cf3a c20400 ret 4
; Single nop before the next stub, which begins at 7c94cf3e.
7c94cf3d 90 nop
ntdll!NtAllocateLocallyUniqueId:
7c94cf3e b80e000000 mov eax,0Eh
7c94cf43 ba0003fe7f mov edx,offset SharedUserData!SystemCallStub (7ffe0300)
7c94cf48 ff12 call dword ptr [edx]