
Help in removing web watcher, please


20 replies to this topic

#1 marcoangels

marcoangels

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 18 July 2011 - 01:08 PM

My girlfriend has installed web watcher on my PC without my permission, she is violating my privacy. She denies installing it but when I run adaware, it finds it, but doesn't completely remove it. Help, please?

Edited by marcoangels, 18 July 2011 - 01:08 PM.




#2 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,680 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:14 AM

Posted 18 July 2011 - 01:28 PM

Welcome aboard

Download Security Check from HERE, and save it to your Desktop.

* Double-click SecurityCheck.exe
* Follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt; please post the contents of that document.

=============================================================================

Please download MiniToolBox and run it.

Checkmark the following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer log
  • List Users, Partitions and Memory size
Click Go and post the result.

=============================================================================

Download Malwarebytes' Anti-Malware (aka MBAM): https://www.bleepingcomputer.com/download/malwarebytes-anti-malware/ to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform quick scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Be sure to restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

=============================================================================

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.

My Website


My help doesn't cost a penny, but if you'd like to consider a donation, click p22001735.gif




#3 marcoangels

marcoangels
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 18 July 2011 - 02:12 PM

Are these 4 different approaches or do you want me to perform all 4, in that order? I've already downloaded and run Malwarebytes; it doesn't come up with any infections.

#4 Broni

Broni

    The Coolest BC Computer


  • BC Advisor
  • 42,680 posts
  • OFFLINE
  • Gender:Male
  • Location:Daly City, CA
  • Local time:02:14 AM

Posted 18 July 2011 - 02:15 PM

Complete all three other steps.



#5 marcoangels

marcoangels
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 18 July 2011 - 02:22 PM

Ok, here are 2 of the other 3 program scan results for 1 of my PCs. The MiniToolBox report is too long to post here; I could send it as an attachment to your email, if that would help. It's too long to post here, it won't let me.

Edited by marcoangels, 18 July 2011 - 09:55 PM.


#6 marcoangels

marcoangels
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 18 July 2011 - 05:53 PM

Results of screen317's Security Check version 0.99.7
Windows XP Service Pack 3
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Norton Internet Security
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Malwarebytes' Anti-Malware
CCleaner
Java™ 6 Update 26
Out of date Java installed!
Adobe Flash Player 10.3.181.26
Adobe Reader 9.4.3
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
``````````End of Log````````````
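The two logs the helper asked for in this thread (the Security Check checkup.txt above, and the SSDT section of the GMER log in the next post) are meant to be read by a person, but the lines that matter for triage follow a fixed shape. The following is an added example, not code from the thread, from screen317's Security Check or from GMER: it parses both formats into structured findings so the flagged items (a disabled firewall, stale Java and Adobe Reader, disabled Ad-Aware services) and the SSDT hooks that GMER could not attribute to a named driver can be listed mechanically. The sample input is copied from the logs in this thread; the section-separator rows are rebuilt from a constant because Security Check draws them as a run of backticks. The regexes and the attributed/unattributed split are this example's own assumptions about the formats, derived only from the lines visible in the thread.

```python
"""Triage helpers for logs posted in malware-removal threads (added example)."""
import re

# Security Check draws section separators as a row of backticks.
SEP = "`" * 30
END_OF_LOG = "`" * 10 + "End of Log" + "`" * 12

# Copied from the Security Check output posted above in this thread.
SECURITY_CHECK_LINES = [
    "Results of screen317's Security Check version 0.99.7",
    "Windows XP Service Pack 3",
    "Internet Explorer 8",
    SEP,
    "Antivirus/Firewall Check:",
    "",
    "Windows Firewall Disabled!",
    "Norton Internet Security",
    "Antivirus up to date!",
    SEP,
    "Anti-malware/Other Utilities Check:",
    "",
    "Ad-Aware",
    "Malwarebytes' Anti-Malware",
    "CCleaner",
    "Java\u2122 6 Update 26",
    "Out of date Java installed!",
    "Adobe Flash Player 10.3.181.26",
    "Adobe Reader 9.4.3",
    "Out of date Adobe Reader installed!",
    SEP,
    "Process Check:",
    "objlist.exe by Laurent",
    "",
    "Norton ccSvcHst.exe",
    "Ad-Aware AAWService.exe is disabled!",
    "Ad-Aware AAWTray.exe is disabled!",
    END_OF_LOG,
]

# Words that mark a Security Check line as a problem rather than a status note
# ("Antivirus up to date!" also ends in "!" but is good news).
ISSUE_MARKERS = ("disabled", "out of date")


def parse_security_check(lines):
    """Split checkup.txt into system info, per-section entries and flagged issues."""
    result = {"system": [], "sections": {}, "issues": []}
    section = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.strip("`") == "End of Log":
            break
        if set(line) == {"`"}:          # separator row: next section starts
            section = None
            continue
        if line.endswith(":"):          # "Antivirus/Firewall Check:" etc.
            section = line[:-1]
            result["sections"][section] = []
            continue
        if section is None:             # lines before the first section
            result["system"].append(line)
            continue
        result["sections"][section].append(line)
        if line.endswith("!") and any(m in line.lower() for m in ISSUE_MARKERS):
            result["issues"].append((section, line))
    return result


# Lines copied from the "---- System ----" section of the GMER log posted
# later in this thread. GMER prints either a bare address or the owning
# driver path with its description and the hook target in brackets.
GMER_SSDT_LINES = [
    "SSDT 8A56DCD0 ZwAlertResumeThread",
    "SSDT \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB3F19710]",
    "SSDT 8A6DAC70 ZwLoadDriver",
    "SSDT \\??\\C:\\WINDOWS\\system32\\Drivers\\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB3F1A140]",
]

SSDT_MODULE_RE = re.compile(
    r"^SSDT\s+(?P<module>\\\?\?\\\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
SSDT_ADDR_RE = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>\w+)$")


def parse_ssdt_hooks(lines):
    """Return one dict per SSDT line, marking whether GMER named the owning module."""
    hooks = []
    for line in lines:
        m = SSDT_MODULE_RE.match(line)
        if m:
            hooks.append({"function": m["func"], "address": m["addr"],
                          "module": m["module"].rsplit("\\", 1)[-1],
                          "vendor": m["desc"], "attributed": True})
            continue
        m = SSDT_ADDR_RE.match(line)
        if m:
            hooks.append({"function": m["func"], "address": "0x" + m["addr"],
                          "module": None, "vendor": None, "attributed": False})
    return hooks


def unattributed_hooks(hooks):
    """Names of hooked services with no module attribution: the ones to look at first."""
    return [h["function"] for h in hooks if not h["attributed"]]


if __name__ == "__main__":
    report = parse_security_check(SECURITY_CHECK_LINES)
    for section, issue in report["issues"]:
        print(f"[{section}] {issue}")
    hooks = parse_ssdt_hooks(GMER_SSDT_LINES)
    print("SSDT hooks without a named module:", unattributed_hooks(hooks))
```

A hook with a raw kernel address and no module is not evidence of malware on its own (security suites such as the Symantec driver in this log hook the SSDT legitimately), but it is the line a helper has to attribute before deciding anything, so the split is the first thing worth automating.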

#7 marcoangels

marcoangels
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:05:14 AM

Posted 18 July 2011 - 08:58 PM

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-18 21:39:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500410AS rev.CC34
Running: 7c6jis1l.exe; Driver: C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pwdyrpod.sys


---- System - GMER 1.0.15 ----

SSDT 8A56DCD0 ZwAlertResumeThread
SSDT 8A63B408 ZwAlertThread
SSDT 8A56DD08 ZwAllocateVirtualMemory
SSDT 8A589D90 ZwAssignProcessToJobObject
SSDT 8A39B2A0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB3F19710]
SSDT 8A63CBF8 ZwCreateMutant
SSDT 8A552C78 ZwCreateSymbolicLinkObject
SSDT 8A5B5CF8 ZwCreateThread
SSDT 8A7857B0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB3F19990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB3F19EF0]
SSDT 8A61A630 ZwDuplicateObject
SSDT 8A593790 ZwFreeVirtualMemory
SSDT 8A56C468 ZwImpersonateAnonymousToken
SSDT 8A35E798 ZwImpersonateThread
SSDT 8A6DAC70 ZwLoadDriver
SSDT 8A575E60 ZwMapViewOfSection
SSDT 8A79ACF8 ZwOpenEvent
SSDT 8A5A5D08 ZwOpenProcess
SSDT 8A5E76B8 ZwOpenProcessToken
SSDT 8A637FD0 ZwOpenSection
SSDT 8A585BB0 ZwOpenThread
SSDT 8A552D68 ZwProtectVirtualMemory
SSDT 8A734CD0 ZwResumeThread
SSDT 8A7A4BD8 ZwSetContextThread
SSDT 8A35E7D0 ZwSetInformationProcess
SSDT 8A5BAC10 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB3F1A140]
SSDT 8A797710 ZwSuspendProcess
SSDT 8A77ACD0 ZwSuspendThread
SSDT 8A58DBB0 ZwTerminateProcess
SSDT 8A660AD0 ZwTerminateThread
SSDT 8A360948 ZwUnmapViewOfSection
SSDT 8A2F83B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DCC 80504668 6 Bytes [08, 5D, 5A, 8A, B8, 76]
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB66793A0, 0x88C445, 0xE8000020]
.text win32k.sys!HT_ComputeRGBGammaTable BF800393 1 Byte [57]
.text win32k.sys!HT_ComputeRGBGammaTable BF800419 3 Bytes [7B, 10, 05]
.text win32k.sys!HT_ComputeRGBGammaTable BF80041E 3 Bytes JMP BF8514C1 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!HT_ComputeRGBGammaTable BF80042D 1 Byte [0C]
.text win32k.sys!HT_ComputeRGBGammaTable BF800432 2 Bytes JMP BF80A131 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngReleaseSemaphore + 21 BF806240 20 Bytes [55, 8B, EC, 83, EC, 0C, 53, ...]
.text win32k.sys!EngAcquireSemaphore + C BF806255 30 Bytes [F6, 81, 95, 01, 00, 00, E0, ...]
.text win32k.sys!EngAcquireSemaphore + 2C BF806275 12 Bytes [00, 8B, 06, 05, 24, 01, 00, ...] {ADD [EBX+0x1240506], CL; ADD [EAX], AL; MOV [EBX], EAX; MOV EAX, [ESI]}
.text win32k.sys!EngAcquireSemaphore + 39 BF806282 45 Bytes [48, 2C, F6, 81, 94, 01, 00, ...]
.text win32k.sys!EngAcquireSemaphore + 67 BF8062B0 12 Bytes [00, 00, 01, 8B, 06, 8B, 40, ...]
.text win32k.sys!EngAcquireSemaphore + 74 BF8062BD 4 Bytes [00, 7F, EB, 2F] {ADD [EDI-0x15], BH; DAS }
.text ...
.text win32k.sys!EngFreeUserMem + 47 BF809335 11 Bytes [40, 20, 3B, C7, 74, 68, 6A, ...]
.text win32k.sys!EngFreeUserMem + 53 BF809341 16 Bytes CALL BF805EE4 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreeUserMem + 65 BF809353 8 Bytes [EB, 4E, 8B, 40, 50, 8D, 4D, ...] {JMP 0x50; MOV EAX, [EAX+0x50]; LEA ECX, [EBP-0x4]}
.text win32k.sys!EngFreeUserMem + 6F BF80935D 77 Bytes CALL BF809369 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreeUserMem + BD BF8093AB 96 Bytes [06, 8B, 40, 48, 3B, C7, 75, ...]
.text ...
.text win32k.sys!EngDeleteSurface + 5 BF813916 6 Bytes [57, 8B, 7D, 08, F7, C7]
.text win32k.sys!EngDeleteSurface + C BF81391D 18 Bytes [00, 80, 00, 75, C2, 56, 8B, ...]
.text win32k.sys!EngDeleteSurface + 1F BF813930 1 Byte [00]
.text win32k.sys!EngDeleteSurface + 1F BF813930 107 Bytes [00, 00, 85, C0, 74, CF, 4E, ...]
.text win32k.sys!EngDeleteSurface + 8B BF81399C 36 Bytes [03, 0D, 18, 95, 9A, BF, 56, ...]
.text ...
.text win32k.sys!EngNineGrid + 1 BF81707D 2 Bytes [55, 20]
.text win32k.sys!EngNineGrid + 4 BF817080 20 Bytes [7A, 14, 52, FF, 75, 1C, 89, ...]
.text win32k.sys!EngNineGrid + 19 BF817095 66 Bytes [14, 89, 4D, F0, FF, 75, 10, ...]
.text win32k.sys!EngNineGrid + 5C BF8170D8 56 Bytes [C3, 90, 90, 90, 90, 90, 8B, ...]
.text win32k.sys!EngNineGrid + 95 BF817111 17 Bytes [8B, 45, E0, 89, 43, 08, 8B, ...] {MOV EAX, [EBP-0x20]; MOV [EBX+0x8], EAX; MOV EAX, [EBP-0x10]; POP EDI; POP ESI; MOV [EBX+0x18], EAX; POP EBX; LEAVE ; RET }
.text ...
.text win32k.sys!EngTransparentBlt + 10 BF819238 72 Bytes [46, 0C, 33, FF, 57, 57, 56, ...]
.text win32k.sys!EngTransparentBlt + 59 BF819281 13 Bytes [FF, FF, 8B, 4D, F0, 3B, 4D, ...]
.text win32k.sys!EngTransparentBlt + 67 BF81928F 42 Bytes [89, 7D, 08, 89, 75, D4, 8D, ...]
.text win32k.sys!EngTransparentBlt + 95 BF8192BD 35 Bytes [46, 56, 57, 8D, 4D, D4, 51, ...]
.text win32k.sys!EngTransparentBlt + BA BF8192E2 28 Bytes [8B, 45, 20, 8B, 4D, 10, 3B, ...]
.text ...
.text win32k.sys!EngCreateDeviceBitmap + 20 BF819751 11 Bytes [35, 28, EE, 9A, BF, 33, F6, ...]
.text win32k.sys!EngCreateDeviceBitmap + 2C BF81975D 17 Bytes [A1, EC, B9, 9A, BF, 85, C0, ...] {MOV EAX, [0xbf9ab9ec]; TEST EAX, EAX; JZ 0x20; MOV ECX, [EAX+0x4]; CMP ECX, [EBP+0x8]; JZ 0x15}
.text win32k.sys!EngCreateDeviceBitmap + 3E BF81976F 72 Bytes [00, EB, F0, 8B, 48, 08, 3B, ...]
.text win32k.sys!EngCreateDeviceBitmap + 87 BF8197B8 10 Bytes [EC, 80, 65, 11, B7, 57, 8B, ...]
.text win32k.sys!EngCreateDeviceBitmap + 92 BF8197C3 68 Bytes [74, DC, 83, 65, 0C, 00, 53, ...]
.text win32k.sys!EngAssociateSurface + F BF819808 32 Bytes [FF, 85, C0, 74, 41, 8B, 4E, ...]
.text win32k.sys!EngAssociateSurface + 30 BF819829 23 Bytes [89, 7E, 1C, 8B, 87, 04, 03, ...]
.text win32k.sys!EngAssociateSurface + 48 BF819841 3 Bytes CALL BF804718 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngAssociateSurface + 4C BF819845 224 Bytes [8B, C7, 5E, 5B, 5F, 5D, C2, ...]
.text win32k.sys!EngSaveFloatingPointState + 56 BF819926 10 Bytes [10, 68, A0, 19, 99, BF, E8, ...]
.text win32k.sys!EngQueryPerformanceCounter + 2 BF819931 22 Bytes [8D, 45, E4, 50, FF, 75, 08, ...]
.text win32k.sys!EngQueryPerformanceCounter + 19 BF819948 45 Bytes [00, 84, C0, 75, B6, FF, 75, ...]
.text win32k.sys!EngQueryPerformanceCounter + 47 BF819976 68 Bytes [15, 50, F7, 98, BF, 3B, 45, ...]
.text win32k.sys!EngQueryPerformanceCounter + 8C BF8199BB 38 Bytes [36, FF, 15, 04, F8, 98, BF, ...]
.text win32k.sys!EngQueryPerformanceCounter + B6 BF8199E5 1 Byte [90]
.text ...
.text win32k.sys!BRUSHOBJ_pvGetRbrush + F BF81B4C0 13 Bytes [FE, FF, 83, 66, 04, 00, EB, ...]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 1D BF81B4CE 18 Bytes [FF, 55, 8B, EC, 56, 8B, 75, ...]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 30 BF81B4E1 12 Bytes [00, 00, 83, 39, 00, 74, 06, ...]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + 3D BF81B4EE 131 Bytes [33, D2, 42, FF, 15, 2C, F7, ...]
.text win32k.sys!BRUSHOBJ_pvGetRbrush + C1 BF81B572 32 Bytes [75, 0C, 74, D2, 33, D2, B9, ...]
.text ...
.text win32k.sys!BRUSHOBJ_pvAllocRbrush BF81B5A9 56 Bytes [90, 8B, 81, D0, 03, 00, 00, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 39 BF81B5E2 17 Bytes [6A, 00, 6A, 01, 50, E8, F9, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 4B BF81B5F4 38 Bytes [33, C0, 40, 5E, C3, 33, C0, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 72 BF81B61B 106 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + DD BF81B686 41 Bytes [8B, 45, 0C, 3D, 02, 00, 00, ...]
.text ...
.text win32k.sys!EngSetLastError + 1 BF81C962 202 Bytes [EC, 83, EC, 0C, 8B, 55, 08, ...]
.text win32k.sys!EngSetLastError + CC BF81CA2D 1 Byte [33]
.text win32k.sys!EngSetLastError + CC BF81CA2D 33 Bytes [33, C0, 40, EB, 3D, 8B, 15, ...]
.text win32k.sys!EngSetLastError + F1 BF81CA52 56 Bytes [90, 8B, FF, 55, 8B, EC, 8B, ...]
.text win32k.sys!EngSetLastError + 12A BF81CA8B 71 Bytes [EB, ED, 90, 90, 90, 90, 90, ...]
.text ...
.text win32k.sys!EngLpkInstalled + 6 BF8254BE 41 Bytes [50, FF, D7, 39, 05, 0C, 82, ...]
.text win32k.sys!EngLpkInstalled + 30 BF8254E8 4 Bytes JMP BF825DBD \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLpkInstalled + 36 BF8254EE 2 Bytes [8B, 06] {MOV EAX, [ESI]}
.text win32k.sys!EngLpkInstalled + 39 BF8254F1 11 Bytes [40, 14, F6, 40, 31, 40, 0F, ...] {INC EAX; ADC AL, 0xf6; INC EAX; XOR [EAX+0xf], EAX; TEST EBP, EAX; ADD AL, [EAX]}
.text win32k.sys!EngLpkInstalled + 45 BF8254FD 33 Bytes JMP BF825DBE \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngBitBlt + 56 BF826CB8 14 Bytes [75, 2C, 53, FF, 75, 1C, FF, ...]
.text win32k.sys!EngBitBlt + 65 BF826CC7 10 Bytes JMP BF826DB0 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngBitBlt + 71 BF826CD3 6 Bytes [90, 90, 90, 90, 90, 8B]
.text win32k.sys!EngBitBlt + 78 BF826CDA 1 Byte [55]
.text win32k.sys!EngBitBlt + 78 BF826CDA 3 Bytes [55, 8B, EC] {PUSH EBP; MOV EBP, ESP}
.text ...
.text win32k.sys!EngPaint + 20 BF8277C5 23 Bytes [8B, FF, 55, 8B, EC, 8A, 45, ...]
.text win32k.sys!EngPaint + 38 BF8277DD 46 Bytes [C1, C1, E0, 08, 0B, C1, 5D, ...]
.text win32k.sys!EngPaint + 67 BF82780C 1 Byte [51]
.text win32k.sys!EngPaint + 67 BF82780C 6 Bytes [51, 08, 8B, 09, 89, 01]
.text win32k.sys!EngPaint + 71 BF827816 49 Bytes [90, 90, 90, 90, 90, 8B, FF, ...]
.text ...
.text win32k.sys!EngCreateBitmap + 6 BF827CDD 121 Bytes [C7, 46, 1C, 14, 00, 00, 00, ...]
.text win32k.sys!EngCreateBitmap + 80 BF827D57 14 Bytes [18, FF, 75, 14, FF, 75, 10, ...]
.text win32k.sys!EngCreateBitmap + 8F BF827D66 14 Bytes CALL BF814208 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateBitmap + 9E BF827D75 24 Bytes [00, 77, 24, 8B, 4D, 0C, C1, ...]
.text win32k.sys!EngCreateBitmap + B7 BF827D8E 11 Bytes [FF, 55, 8B, EC, 8B, 45, 08, ...]
.text ...
.text win32k.sys!EngMapFontFileFD + 15 BF82E868 4 Bytes [EB, F4, 90, 90] {JMP 0xfffffffffffffff6; NOP ; NOP }
.text win32k.sys!EngMapFontFileFD + 1C BF82E86F 31 Bytes [8B, FF, 55, 8B, EC, 6A, 01, ...]
.text win32k.sys!EngMapFontFileFD + 3C BF82E88F 43 Bytes [55, 8B, EC, 8B, 45, 08, 85, ...]
.text win32k.sys!EngMapFontFileFD + 68 BF82E8BB 170 Bytes [00, 39, 7E, 20, 0F, 84, 89, ...]
.text win32k.sys!EngMapFontFileFD + 113 BF82E966 34 Bytes [74, 17, 8B, 45, 0C, 3B, C7, ...]
.text ...
.text win32k.sys!EngUnmapFontFileFD + 1D BF82EA8B 62 Bytes [FF, 55, 8B, EC, 83, EC, 20, ...]
.text win32k.sys!EngUnmapFontFileFD + 5C BF82EACA 11 Bytes CALL BF84C9FB \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnmapFontFileFD + 68 BF82EAD6 30 Bytes [C9, 0F, 84, 2E, 03, 00, 00, ...]
.text win32k.sys!EngUnmapFontFileFD + 87 BF82EAF5 32 Bytes CALL CF773083
.text win32k.sys!EngUnmapFontFileFD + A8 BF82EB16 47 Bytes JMP BF82EE09 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngAllocMem + 54 BF83A972 135 Bytes [8B, 01, 8B, 50, 24, 8D, 48, ...]
.text win32k.sys!EngFreeMem + 85 BF83A9FA 30 Bytes [FF, 89, 45, E4, 85, C0, 74, ...]
.text win32k.sys!EngFreeMem + A4 BF83AA19 64 Bytes [74, 26, 85, DB, 74, 22, 83, ...]
.text win32k.sys!EngFreeMem + E5 BF83AA5A 12 Bytes [0C, 00, FF, 75, E4, E8, 3C, ...] {OR AL, 0x0; PUSH DWORD [EBP-0x1c]; CALL 0xfffffffffffca446; JMP 0xfffffffffffffff8}
.text win32k.sys!EngFreeMem + F3 BF83AA68 36 Bytes [90, 90, 90, 8B, 0D, 30, EE, ...]
.text win32k.sys!EngFreeMem + 118 BF83AA8D 61 Bytes [00, 85, C0, 74, 09, 8B, 48, ...]
.text ...
.text win32k.sys!XFORMOBJ_iGetXform + 11 BF8494A7 59 Bytes [00, 8D, 9E, 68, 02, 00, 00, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + C BF8494E4 74 Bytes [52, 51, 50, 8B, D7, 8D, 4D, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + 57 BF84952F 5 Bytes [96, E4, 00, 00, 00] {XCHG ESI, EAX; IN AL, 0x0; ADD [EAX], AL}
.text win32k.sys!FONTOBJ_pxoGetXform + 5D BF849535 109 Bytes [42, 14, 8B, 4D, 0C, 89, 41, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + CB BF8495A3 26 Bytes [66, 8B, 8E, C2, 02, 00, 00, ...]
.text win32k.sys!FONTOBJ_pxoGetXform + E7 BF8495BF 37 Bytes [D2, 33, C9, 85, C0, 75, 45, ...]
.text ...
.text win32k.sys!EngMulDiv + 1 BF85273F 86 Bytes [9F, D0, 00, 00, 00, FF, 15, ...]
.text win32k.sys!EngMulDiv + 58 BF852796 52 Bytes CALL BF800B34 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMulDiv + 8F BF8527CD 21 Bytes [F8, 33, F6, EB, 28, 90, 90, ...]
.text win32k.sys!EngMulDiv + A5 BF8527E3 20 Bytes [4D, 08, 85, C9, 74, 1D, E8, ...]
.text win32k.sys!EngMulDiv + BA BF8527F8 81 Bytes CALL BF800B34 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!XLATEOBJ_iXlate + 23 BF85AFF6 49 Bytes [75, 10, 23, 75, 14, 33, F2, ...]
.text win32k.sys!XLATEOBJ_iXlate + 56 BF85B029 16 Bytes JMP BF85B0C3 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!XLATEOBJ_iXlate + 67 BF85B03A 92 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...]
.text win32k.sys!XLATEOBJ_iXlate + C4 BF85B097 18 Bytes [45, 0C, A9, 00, 00, 00, 01, ...]
.text win32k.sys!XLATEOBJ_iXlate + D7 BF85B0AA 9 Bytes [FF, FF, 83, 7E, 14, 00, 0F, ...]
.text ...
.text win32k.sys!EngCreatePalette + 16 BF85F7E0 5 Bytes [FF, FF, 8B, C3, 25]
.text win32k.sys!EngCreatePalette + 1C BF85F7E6 16 Bytes [F0, 00, 00, 0F, 85, 47, 02, ...]
.text win32k.sys!EngCreatePalette + 2D BF85F7F7 1 Byte [0F]
.text win32k.sys!EngCreatePalette + 30 BF85F7FA 44 Bytes [0F, 85, EE, 0E, FA, FF, 83, ...]
.text win32k.sys!EngCreatePalette + 5D BF85F827 11 Bytes [12, 6A, 08, 58, 3B, D0, 0F, ...]
.text ...
.text win32k.sys!EngDeviceIoControl + 2 BF8651D4 54 Bytes JMP BF86525F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeviceIoControl + 39 BF86520B 95 Bytes [00, 8D, 85, F4, FD, FF, FF, ...]
.text win32k.sys!EngDeviceIoControl + 99 BF86526B 107 Bytes [C9, C2, 04, 00, 8B, 47, 2C, ...]
.text win32k.sys!EngDeviceIoControl + 105 BF8652D7 28 Bytes JMP BF86536F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeviceIoControl + 122 BF8652F4 1 Byte [00]
.text ...
.text win32k.sys!EngUnicodeToMultiByteN + 19 BF865673 33 Bytes CALL BF866030 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnicodeToMultiByteN + 3B BF865695 14 Bytes JMP BF86579D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnicodeToMultiByteN + 4B BF8656A5 45 Bytes [8B, 77, 28, 8B, 48, 20, 52, ...]
.text win32k.sys!EngUnicodeToMultiByteN + 79 BF8656D3 37 Bytes JMP BF86579D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnicodeToMultiByteN + 9F BF8656F9 204 Bytes JMP BF86579D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngCreateDeviceSurface + 1 BF86C0E4 2 Bytes [4E, 04]
.text win32k.sys!EngCreateDeviceSurface + 4 BF86C0E7 81 Bytes [0C, 8D, 0C, 4D, 9A, BF, E9, ...]
.text win32k.sys!EngCreateDeviceSurface + 56 BF86C139 85 Bytes JMP BF86C31D \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateDeviceSurface + AC BF86C18F 2 Bytes [FF, 55]
.text win32k.sys!EngCreateDeviceSurface + AF BF86C192 56 Bytes [EC, 81, EC, 90, 00, 00, 00, ...]
.text ...
.text win32k.sys!EngGetCurrentCodePage + 3D BF86FE82 21 Bytes [FF, 8D, 45, A8, 89, 85, 48, ...]
.text win32k.sys!EngGetCurrentCodePage + 53 BF86FE98 21 Bytes [FF, FF, 20, 00, 00, 00, C7, ...]
.text win32k.sys!EngGetCurrentCodePage + 69 BF86FEAE 175 Bytes [89, 8D, 4C, FF, FF, FF, 89, ...]
.text win32k.sys!EngGetCurrentCodePage + 119 BF86FF5E 77 Bytes CALL BF8A0EB7 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetCurrentCodePage + 167 BF86FFAC 15 Bytes [15, 2C, F8, 98, BF, E9, FA, ...]
.text ...
.text win32k.sys!EngFntCacheLookUp + 14 BF87D843 107 Bytes [56, 8B, F0, 6A, 00, 56, 8D, ...]
.text win32k.sys!EngFntCacheLookUp + 80 BF87D8AF 34 Bytes [FF, 55, 8B, EC, 0F, B7, 05, ...]
.text win32k.sys!EngFntCacheLookUp + A3 BF87D8D2 19 Bytes [F0, 3B, F7, 75, 45, 57, 68, ...]
.text win32k.sys!EngFntCacheLookUp + B7 BF87D8E6 94 Bytes [3B, F7, 74, AA, 0F, B7, 05, ...]
.text win32k.sys!EngFntCacheLookUp + 116 BF87D945 36 Bytes [8B, FF, 55, 8B, EC, 56, 8B, ...]
.text ...
.text win32k.sys!EngFntCacheAlloc + 1 BF87DCCC 49 Bytes [4D, EC, 89, 48, 1C, 83, E3, ...]
.text win32k.sys!EngFntCacheAlloc + 33 BF87DCFE 25 Bytes [FF, F6, C2, 01, 0F, 85, 5F, ...]
.text win32k.sys!EngFntCacheAlloc + 4D BF87DD18 70 Bytes [75, DC, FF, 75, D8, 6A, 00, ...]
.text win32k.sys!EngFntCacheAlloc + 94 BF87DD5F 380 Bytes [55, 8B, EC, A1, 98, D8, 9A, ...]
.text win32k.sys!EngFntCacheAlloc + 212 BF87DEDD 38 Bytes CALL BF8D86CB \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngWideCharToMultiByte + 136 BF87F4CA 79 Bytes [0D, 40, E2, 9A, BF, FF, 15, ...]
.text win32k.sys!EngWideCharToMultiByte + 187 BF87F51B 2 Bytes [50, 04]
.text win32k.sys!EngWideCharToMultiByte + 18A BF87F51E 22 Bytes CALL 90C3B4BD
.text win32k.sys!EngWideCharToMultiByte + 1A1 BF87F535 11 Bytes [EB, 53, 89, 08, EB, 2C, 90, ...] {JMP 0x55; MOV [EAX], ECX; JMP 0x32; NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!EngWideCharToMultiByte + 1AD BF87F541 2 Bytes [FF, 55]
.text ...
.text win32k.sys!EngMultiByteToUnicodeN + 41 BF8813B8 25 Bytes [FF, FF, 89, 47, 28, 89, B5, ...]
.text win32k.sys!EngMultiByteToUnicodeN + 5B BF8813D2 3 Bytes [75, 10, FF]
.text win32k.sys!EngMultiByteToUnicodeN + 5F BF8813D6 36 Bytes CALL BF808218 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMultiByteToUnicodeN + 85 BF8813FC 197 Bytes [20, 0F, 85, DE, FD, FF, FF, ...]
.text win32k.sys!EngMultiByteToUnicodeN + 14B BF8814C2 62 Bytes [45, 90, 3B, 05, B4, 1F, 99, ...]
.text ...
.text win32k.sys!EngFindImageProcAddress + 13 BF884FF6 23 Bytes [83, 3D, 04, E1, 9A, BF, 00, ...]
.text win32k.sys!EngFindImageProcAddress + 2C BF88500F 5 Bytes [0F, 87, FF, 04, 00]
.text win32k.sys!EngFindImageProcAddress + 32 BF885015 85 Bytes [83, 25, 04, E1, 9A, BF, 00, ...]
.text win32k.sys!EngFindImageProcAddress + 88 BF88506B 176 Bytes [8B, 35, 80, EC, 9A, BF, E9, ...]
.text win32k.sys!EngFindImageProcAddress + 139 BF88511C 26 Bytes CALL BF853AF4 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngLoadImage + 1 BF88515A 8 Bytes [45, F8, F7, D0, 21, 05, 2C, ...]
.text win32k.sys!EngLoadImage + B BF885164 115 Bytes JMP BF885399 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLoadImage + 80 BF8851D9 6 Bytes [00, 89, 55, 2C, E9, 88] {ADD [ECX-0x7716d3ab], CL}
.text win32k.sys!EngLoadImage + 88 BF8851E1 118 Bytes [00, 90, 90, 90, 90, 90, 8B, ...]
.text win32k.sys!EngLoadImage + 100 BF885259 11 Bytes [0F, 85, A0, 02, 00, 00, 85, ...]
.text ...
.text win32k.sys!EngQueryPerformanceFrequency + 49 BF88705B 17 Bytes [94, C0, EB, 34, 0F, B7, 49, ...]
.text win32k.sys!EngQueryPerformanceFrequency + 5B BF88706D 81 Bytes [57, 66, 89, 45, 08, 0B, C8, ...]
.text win32k.sys!EngQueryPerformanceFrequency + AD BF8870BF 261 Bytes CALL BF928522 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngQueryPerformanceFrequency + 1B4 BF8871C6 4 Bytes [83, 3D, 38, EA]
.text win32k.sys!EngQueryPerformanceFrequency + 1BA BF8871CC 88 Bytes [08, 74, 7B, 6A, 14, 68, 84, ...]
.text ...
.text win32k.sys!EngUnloadImage + 7 BF8890B1 2 Bytes JMP BF88984B \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngUnloadImage + B BF8890B5 57 Bytes [C9, C2, 10, 00, 66, 81, 7D, ...]
.text win32k.sys!EngCreateEvent + 35 BF8890EF 32 Bytes JMP BF889D38 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngQuerySystemAttribute + 12 BF889110 35 Bytes [00, 00, 39, 53, 08, 0F, 85, ...]
.text win32k.sys!EngQuerySystemAttribute + 36 BF889134 42 Bytes [8D, 50, F5, 39, 55, D0, 0F, ...]
.text win32k.sys!EngQuerySystemAttribute + 61 BF88915F 6 Bytes [6A, 48, 58, E9, CF, 0C]
.text win32k.sys!EngQuerySystemAttribute + 69 BF889167 15 Bytes [83, F8, 24, 76, 03, 6A, 24, ...] {CMP EAX, 0x24; JBE 0x8; PUSH 0x24; POP EAX; DEC EAX; PUSH EAX; PUSH 0xbf999288}
.text win32k.sys!EngQuerySystemAttribute + 7A BF889178 1 Byte [F4]
.text ...
.text win32k.sys!EngFindResource + F BF88B374 50 Bytes [FF, A8, 01, 74, 0C, 8B, 45, ...]
.text win32k.sys!EngFindResource + 42 BF88B3A7 25 Bytes [74, 16, 8B, 45, 08, C6, 43, ...]
.text win32k.sys!EngFindResource + 5C BF88B3C1 25 Bytes [00, 04, 00, 74, 16, 8B, 45, ...]
.text win32k.sys!EngFindResource + 77 BF88B3DC 27 Bytes [A9, 00, 00, 08, 00, 0F, 84, ...]
.text win32k.sys!EngFindResource + 93 BF88B3F8 30 Bytes JMP BF88A332 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text ...
.text win32k.sys!EngLoadModule + 2 BF88BC74 75 Bytes [FF, 15, 60, F9, 98, BF, 8D, ...]
.text win32k.sys!EngLoadModule + 4F BF88BCC1 38 Bytes [68, 40, 44, 99, BF, E8, ED, ...]
.text win32k.sys!EngLoadModule + 76 BF88BCE8 21 Bytes CALL BF832B55 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngLoadModule + 8C BF88BCFE 13 Bytes [85, 58, FD, FF, FF, 3B, D8, ...]
.text win32k.sys!EngLoadModule + 9A BF88BD0C 4 Bytes [FF, 3B, D8, 0F]
.text ...
.text win32k.sys!EngFreeModule + 31 BF88BE21 47 Bytes [08, 66, 85, C9, 74, 1F, 40, ...]
.text win32k.sys!EngFreeModule + 61 BF88BE51 165 Bytes [C9, C2, 08, 00, 66, 8B, 07, ...]
.text win32k.sys!EngFreeModule + 107 BF88BEF7 78 Bytes [35, 20, E6, 9A, BF, 3B, F7, ...]
.text win32k.sys!EngFreeModule + 156 BF88BF46 37 Bytes CALL BF819B21 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngFreeModule + 17C BF88BF6C 186 Bytes [6A, 6E, 89, 7D, FC, E8, 60, ...]
.text ...
.text win32k.sys!EngGetLastError + 33 BF88FC42 14 Bytes [FF, 50, 8D, 85, 00, FB, FF, ...]
.text win32k.sys!EngGetLastError + 42 BF88FC51 79 Bytes [8D, 85, 00, FB, FF, FF, 89, ...]
.text win32k.sys!EngGetLastError + 92 BF88FCA1 8 Bytes [75, 1C, 33, FF, 89, BD, 08, ...]
.text win32k.sys!EngGetLastError + 9B BF88FCAA 5 Bytes [FF, E8, 5A, 0E, F7]
.text win32k.sys!EngGetLastError + A1 BF88FCB0 55 Bytes [89, BD, FC, FA, FF, FF, 89, ...]
.text ...
.text win32k.sys!EngCreatePath + 2D BF93C031 156 Bytes [8B, 45, FC, 83, C0, 10, 89, ...]
.text win32k.sys!EngDeletePath + 7B BF93C0CE 12 Bytes [FF, 3B, C6, 89, 87, 94, 00, ...]
.text win32k.sys!EngDeletePath + 88 BF93C0DB 26 Bytes [00, 00, 80, 4D, 17, 10, 89, ...]
.text win32k.sys!EngDeletePath + A3 BF93C0F6 52 Bytes [FC, FF, 75, 08, 8D, 75, E0, ...]
.text win32k.sys!EngDeletePath + D8 BF93C12B 24 Bytes [00, 3B, 45, 18, 0F, 85, 89, ...]
.text win32k.sys!PATHOBJ_bPolyBezierTo + 10 BF93C144 34 Bytes [8B, 4D, 14, 89, 46, 2C, 8B, ...]
.text win32k.sys!PATHOBJ_bPolyBezierTo + 33 BF93C167 49 Bytes [00, 00, 8B, 4B, 0C, 89, 8E, ...]
.text win32k.sys!WNDOBJ_vSetConsumer + D BF93C19A 163 Bytes [40, 09, 43, 18, 09, 86, 8C, ...]
.text win32k.sys!WNDOBJ_vSetConsumer + B1 BF93C23E 140 Bytes [8B, 46, 0C, 33, DB, 3B, C7, ...]
.text win32k.sys!WNDOBJ_vSetConsumer + 13E BF93C2CB 3 Bytes CALL BF802A29 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!WNDOBJ_vSetConsumer + 142 BF93C2CF 68 Bytes CALL BF939F7C \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateWnd + 3E BF93C315 39 Bytes [85, C0, 74, 08, 6A, 00, 50, ...]
.text win32k.sys!EngCreateWnd + 66 BF93C33D 123 Bytes [EE, 9A, BF, 8D, 4D, F4, E8, ...]
.text win32k.sys!EngCreateWnd + E2 BF93C3B9 112 Bytes CALL BF801948 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateWnd + 153 BF93C42A 59 Bytes CALL BF801948 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngCreateWnd + 190 BF93C467 118 Bytes [04, 74, 0F, 6A, 40, 25, FF, ...]
.text ...
.text win32k.sys!EngDeleteWnd + 5 BF93C704 30 Bytes CALL BF801946 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngDeleteWnd + 24 BF93C723 120 Bytes [55, 8B, EC, 51, 51, 8B, 45, ...]
.text win32k.sys!EngDeleteWnd + 9D BF93C79C 3 Bytes [00, B8, 00]
.text win32k.sys!EngDeleteWnd + A1 BF93C7A0 33 Bytes [00, 40, EB, 03, 8B, 75, F4, ...]
.text win32k.sys!EngDeleteWnd + C3 BF93C7C2 4 Bytes [3F, 23, FA, B9]
.text ...
.text win32k.sys!EngDitherColor + 21 BF93D464 19 Bytes [89, 7D, F8, 75, 03, 89, 75, ...]
.text win32k.sys!EngDitherColor + 35 BF93D478 216 Bytes [74, 08, FF, 75, 08, E8, A6, ...]
.text win32k.sys!EngDitherColor + 10E BF93D551 13 Bytes [80, 89, 7E, 24, 89, 7E, 70, ...]
.text win32k.sys!EngDitherColor + 11E BF93D561 50 Bytes [89, BE, 98, 00, 00, 00, 89, ...]
.text win32k.sys!EngDitherColor + 151 BF93D594 2 Bytes [53, 8B]
.text ...
.text win32k.sys!EngEnumForms + 4F BF93DD26 23 Bytes [1B, 83, 7D, 10, 03, 75, 19, ...]
.text win32k.sys!EngEnumForms + 67 BF93DD3E 131 Bytes [85, C0, 75, 04, 83, 65, FC, ...]
.text win32k.sys!EngEnumForms + EB BF93DDC2 26 Bytes [00, 00, 85, F6, 8B, 4D, 18, ...]
.text win32k.sys!EngGetPrinter + 16 BF93DDDD 164 Bytes [CA, 83, E1, 03, F3, A4, 89, ...]
.text win32k.sys!EngGetPrinter + BB BF93DE82 1 Byte [55]
.text win32k.sys!EngGetPrinter + BB BF93DE82 403 Bytes [55, 8B, EC, 51, 51, 83, 7D, ...]
.text win32k.sys!EngGetForm + 137 BF93E016 23 Bytes [16, 3B, CA, 76, 08, 3B, 0D, ...]
.text win32k.sys!EngGetForm + 14F BF93E02E 29 Bytes [CE, 8B, F2, 8B, F8, 8B, D1, ...]
.text win32k.sys!EngGetForm + 16D BF93E04C 29 Bytes [D0, 8D, BB, B0, 00, 00, 00, ...]
.text win32k.sys!EngGetForm + 18B BF93E06A 27 Bytes [00, 8B, 07, 89, 43, 6C, C7, ...]
.text win32k.sys!EngGetForm + 1A7 BF93E086 2 Bytes [83, 84]
.text ...
.text win32k.sys!EngGetPrinterDriver + 4 BF93E169 26 Bytes [45, 08, 89, 7E, 74, 89, 86, ...]
.text win32k.sys!EngGetPrinterData + F BF93E184 18 Bytes CALL BF8A89A7 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngGetPrinterData + 23 BF93E198 34 Bytes [75, 02, 33, DB, 8D, 4D, FC, ...]
.text win32k.sys!EngGetPrinterData + 46 BF93E1BB 8 Bytes [55, 8B, EC, 57, 8B, 7D, 10, ...]
.text win32k.sys!EngGetPrinterData + 4F BF93E1C4 1 Byte [6A]
.text win32k.sys!EngGetPrinterData + 4F BF93E1C4 59 Bytes [6A, 00, 6A, 00, 57, FF, 75, ...]
.text ...
.text win32k.sys!EngSetPrinterData + 1 BF93E283 176 Bytes [47, 02, FF, 4D, 10, F6, C4, ...]
.text win32k.sys!EngSetPrinterData + B3 BF93E335 93 Bytes [FF, 24, B5, D1, EE, 93, BF, ...]
.text win32k.sys!EngWritePrinter + 2B BF93E393 42 Bytes [C7, 45, DC, 1C, 04, 23, 00, ...]
.text win32k.sys!EngWritePrinter + 56 BF93E3BE 88 Bytes [EB, 7B, 39, 3D, A8, 82, 9A, ...]
.text win32k.sys!EngWritePrinter + AF BF93E417 2 Bytes [7B, 04] {JNP 0x6}
.text win32k.sys!EngWritePrinter + B2 BF93E41A 2 Bytes [FB, 72]
.text win32k.sys!EngWritePrinter + B6 BF93E41E 1 Byte [3D]
.text ...
.text win32k.sys!EngFileWrite + F BF93E5CA 30 Bytes [8B, 45, 0C, 8B, 4D, 10, 03, ...]
.text win32k.sys!EngFileWrite + 2E BF93E5E9 44 Bytes [FF, 75, 10, 8B, 4D, 0C, 03, ...]
.text win32k.sys!EngFileIoControl + 29 BF93E617 207 Bytes [0C, 8D, 41, 0C, 3B, C1, 72, ...]
.text win32k.sys!EngGetTickCount + C1 BF93E6E7 172 Bytes [FC, 6A, 01, 8B, C6, C1, E0, ...]
.text win32k.sys!EngGetTickCount + 16F BF93E795 58 Bytes [8A, 08, 88, 0B, 43, 89, 5D, ...]
.text win32k.sys!EngGetTickCount + 1AA BF93E7D0 3 Bytes [06, FF, 15]
.text win32k.sys!EngGetTickCount + 1AE BF93E7D4 201 Bytes [F7, 98, BF, 8B, 4D, 14, 8D, ...]
.text win32k.sys!EngGetTickCount + 279 BF93E89F 27 Bytes [03, D8, 8A, 43, 01, 8A, C8, ...]
.text ...
.text win32k.sys!EngHangNotification + 47 BF940F1A 40 Bytes [55, 8B, EC, 51, 51, 53, 8B, ...]
.text win32k.sys!EngHangNotification + 71 BF940F44 9 Bytes CALL BF801960 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngHangNotification + 7B BF940F4E 25 Bytes CALL BF80195F \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngHangNotification + 95 BF940F68 23 Bytes [3B, C7, 74, 09, 8B, 48, 04, ...]
.text win32k.sys!EngHangNotification + AD BF940F80 94 Bytes [73, 14, 33, C0, 39, 45, 0C, ...]
.text ...
.text win32k.sys!EngFntCacheFault + 37 BF941980 80 Bytes [E4, FF, 15, 98, F7, 98, BF, ...]
.text win32k.sys!EngFntCacheFault + 88 BF9419D1 2 Bytes [55, DC]
.text win32k.sys!EngFntCacheFault + 8B BF9419D4 22 Bytes [11, 8D, 50, 08, 8B, 0D, 80, ...]
.text win32k.sys!EngFntCacheFault + A2 BF9419EB 13 Bytes [00, 00, 83, 4D, FC, FF, EB, ...] {ADD [EAX], AL; OR DWORD [EBP-0x4], -0x1; JMP 0x33; NOP ; NOP ; NOP ; NOP ; NOP }
.text win32k.sys!EngFntCacheFault + B1 BF9419FA 56 Bytes [40, C3, 90, 90, 90, 90, 90, ...]
.text ...
.text win32k.sys!EngUnmapFile + 4E BF941C06 19 Bytes [EC, 83, EC, 40, 53, 56, 57, ...]
.text win32k.sys!EngUnmapFile + 62 BF941C1A 11 Bytes [FF, 15, C8, F9, 98, BF, 8B, ...]
.text win32k.sys!EngUnmapFile + 6E BF941C26 150 Bytes [6A, 0E, 8B, D8, 59, 8D, 7D, ...]
.text win32k.sys!EngUnmapFile + 105 BF941CBD 26 Bytes [7A, 0C, 8B, F8, 8B, 45, 08, ...]
.text win32k.sys!EngUnmapFile + 120 BF941CD8 19 Bytes [4D, 14, 89, 01, FF, 15, C4, ...]
.text ...
.text win32k.sys!EngMapFile + 2C BF94230D 3 Bytes CALL BF802AB2 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngMapFile + 30 BF942311 96 Bytes [8B, 0B, 89, 81, D0, 02, 00, ...]
.text win32k.sys!EngMapFile + 91 BF942372 19 Bytes [8A, 8C, 05, 00, 00, 8B, 03, ...]
.text win32k.sys!EngMapFile + A5 BF942386 19 Bytes [05, 00, 00, 8D, B2, 98, 05, ...]
.text win32k.sys!EngMapFile + BB BF94239C 50 Bytes [8B, 03, 8B, 8A, F8, 01, 00, ...]
.text ...
.text win32k.sys!EngGetPrinterDataFileName + 9 BF942461 57 Bytes [0B, 33, C0, 40, 89, 41, 14, ...]
.text win32k.sys!EngQueryDeviceAttribute + F BF94249B 24 Bytes [03, 83, 78, 2C, 00, 74, 0E, ...]
.text win32k.sys!EngQueryDeviceAttribute + 28 BF9424B4 10 Bytes [28, 85, C0, 74, 06, 50, E8, ...]
.text win32k.sys!EngQueryDeviceAttribute + 33 BF9424BF 15 Bytes [8B, 03, 8B, 80, 80, 05, 00, ...]
.text win32k.sys!EngQueryDeviceAttribute + 43 BF9424CF 56 Bytes [EC, FF, 8B, 03, 8B, 80, D0, ...]
.text win32k.sys!EngQueryDeviceAttribute + 7D BF942509 15 Bytes [8B, 03, 83, A0, 94, 05, 00, ...] {MOV EAX, [EBX]; AND DWORD [EAX+0x594], 0x0; MOV ECX, [0xbf9aee08]}
.text ...
.text win32k.sys!EngPlgBlt + 8A BF944B18 194 Bytes [00, 39, 7D, 10, 8B, 45, A4, ...]
.text win32k.sys!EngPlgBlt + 14D BF944BDB 82 Bytes [FF, C6, 85, 44, FF, FF, FF, ...]
.text win32k.sys!EngPlgBlt + 1A0 BF944C2E 34 Bytes [40, 48, 56, 56, 25, 00, 00, ...]
.text win32k.sys!EngPlgBlt + 1C4 BF944C52 8 Bytes CALL BF808FBD \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!EngPlgBlt + 1CD BF944C5B 80 Bytes [FF, FF, 3B, CE, 75, 08, 89, ...]
.text ...
.text win32k.sys!STROBJ_fxCharacterExtra + 1 BF947247 126 Bytes [D9, 89, 5D, 08, 89, 7D, FC, ...]
.text win32k.sys!STROBJ_fxBreakExtra + 62 BF9472C6 13 Bytes [38, 89, 55, F4, 53, 85, FF, ...] {CMP [ECX-0x7aac0bab], CL; DEC DWORD [ECX+0x7589084d]; CLD }
.text win32k.sys!STROBJ_fxBreakExtra + 70 BF9472D4 3 Bytes [1E, 89, 7D]
.text win32k.sys!STROBJ_fxBreakExtra + 74 BF9472D8 16 Bytes [8B, 55, 08, 0F, B6, 1A, FF, ...]
.text win32k.sys!STROBJ_fxBreakExtra + 85 BF9472E9 36 Bytes [88, 1A, FF, 45, FC, FF, 4D, ...]
.text win32k.sys!STROBJ_fxBreakExtra + AA BF94730E 5 Bytes [EC, 83, EC, 10, 8B]
.text ...
.text win32k.sys!FONTOBJ_cGetAllGlyphHandles + 1E BF94882E 78 Bytes [89, 58, 48, EB, 11, 8B, 48, ...]
.text win32k.sys!FONTOBJ_pvTrueTypeFontFile + 3C BF94887D 66 Bytes [85, C0, 74, 07, 8B, 06, 8B, ...]
.text win32k.sys!FONTOBJ_pjOpenTypeTablePointer + 1 BF9488C0 2 Bytes [45, 08]
.text win32k.sys!FONTOBJ_pjOpenTypeTablePointer + 4 BF9488C3 28 Bytes [48, 0C, 6A, 00, FF, 75, 10, ...]
.text win32k.sys!FONTOBJ_pjOpenTypeTablePointer + 21 BF9488E0 1 Byte [EC]
.text win32k.sys!FONTOBJ_pjOpenTypeTablePointer + 21 BF9488E0 13 Bytes [EC, 83, EC, 18, 8B, 4D, 18, ...] {IN AL, DX ; SUB ESP, 0x18; MOV ECX, [EBP+0x18]; XOR EDX, EDX; CMP ECX, EDX; JNZ 0x1c}
.text win32k.sys!FONTOBJ_pjOpenTypeTablePointer + 2F BF9488EE 14 Bytes [45, 0C, 89, 10, 8B, 45, 08, ...] {INC EBP; OR AL, 0x89; ADC [EBX+0x10890845], CL; JMP 0x1ac}
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 4 BF9488FD 19 Bytes [45, 10, 53, 8B, 18, 3B, DA, ...] {INC EBP; ADC [EBX-0x75], DL; SBB [EBX], BH; FIDIV DWORD [EBP+0x1d]; CMP [EAX+0x4], EDX; JNZ 0x26; MOV EAX, ECX; CDQ ; SUB EAX, EDX}
.text win32k.sys!FONTOBJ_pwszFontFilePaths + 18 BF948911 47 Bytes [55, 08, D1, F8, 89, 02, 2B, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 1 BF948941 334 Bytes [F0, D1, FE, 03, F7, 85, FF, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 150 BF948A90 15 Bytes CALL BF827764 \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 160 BF948AA0 53 Bytes [90, 90, 90, 8B, FF, 55, 8B, ...]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 196 BF948AD6 2 Bytes [00, 04]
.text win32k.sys!FONTOBJ_pQueryGlyphAttrs + 199 BF948AD9 57 Bytes [88, BC, 00, 00, 00, 8B, 09, ...]
.text ...
.text win32k.sys!XLATEOBJ_cGetPalette + 1 BF949EEC 56 Bytes [EB, FF, 83, 26, 00, 8B, CE, ...]
.text win32k.sys!XLATEOBJ_cGetPalette + 3A BF949F25 78 Bytes [53, 68, 47, 78, 6C, 74, 50, ...]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 7 BF949F75 35 Bytes [FC, 66, 89, 5E, 0A, 66, 89, ...]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 2B BF949F99 184 Bytes JMP B354D2A0
.text win32k.sys!XLATEOBJ_hGetColorTransform + E4 BF94A052 50 Bytes [0F, B7, 14, 48, 83, FA, 14, ...]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 117 BF94A085 56 Bytes [77, 34, 3B, F0, 74, 6B, 33, ...]
.text win32k.sys!XLATEOBJ_hGetColorTransform + 150 BF94A0BE 50 Bytes [D7, 8B, 77, 30, 3B, F0, 74, ...]
.text ...
.text win32k.sys!EngDeleteClip + 76 BF980499 101 Bytes [30, 8B, 46, 28, 6A, F0, 5B, ...]
.text win32k.sys!EngDeleteClip + DC BF9804FF 81 Bytes [3B, 45, 0C, 89, 11, 0F, 84, ...]
.text win32k.sys!EngDeleteClip + 12E BF980551 51 Bytes [44, 05, 80, 89, 45, C0, 8B, ...]
.text win32k.sys!EngDeleteClip + 162 BF980585 2 Bytes [55, D8]
.text win32k.sys!EngDeleteClip + 165 BF980588 20 Bytes [5E, 33, C0, 89, 45, 18, EB, ...]
.text ...
.text win32k.sys!HT_ComputeRGBGammaTable + D BF98108B 5 Bytes [00, 00, 0F, 84, A4]
.text win32k.sys!HT_ComputeRGBGammaTable + 13 BF981091 87 Bytes [00, 00, 2B, CA, 8B, 55, E0, ...]
.text win32k.sys!HT_ComputeRGBGammaTable + 6B BF9810E9 75 Bytes [00, 00, 2B, D3, 8B, 5D, E8, ...]
.text win32k.sys!HT_ComputeRGBGammaTable + B8 BF981136 7 Bytes [00, 0F, B7, 5F, 02, 2B, CA]
.text win32k.sys!HT_ComputeRGBGammaTable + C0 BF98113E 20 Bytes [55, E0, C1, EA, 10, C1, E9, ...]
.text ...
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB28D4300, 0x3AF78, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83F8300, 0x1BCE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2208] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\win32k.sys[Dxapi.sys!_DxApiGetVersion@0] [8053B5A0] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[HAL.dll!ExAcquireFastMutex] [80535BA0] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[HAL.dll!ExReleaseFastMutex] [805789A2] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[HAL.dll!KeQueryPerformanceCounter] [8060CD16] \WINDOWS\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdDdiWatchdogDpcCallback] 00000000
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdResumeDeferredWatch] FFFFFFFF
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdSuspendDeferredWatch] [BF8CB6E9] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdAllocateDeferredWatchdog] [BF8CB6FB] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStartDeferredWatch] 00000000
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdStopDeferredWatch] FFFFFFFF
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdFreeDeferredWatchdog] [BF80EC18] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdExitMonitoredSection] [BF80EC2A] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)
IAT \SystemRoot\System32\win32k.sys[watchdog.sys!WdEnterMonitoredSection] 00000000
IAT \SystemRoot\System32\drivers\dxgthk.sys[WIN32K.SYS!EngDebugPrint] [BF9361A6] \SystemRoot\System32\win32k.sys (Multi-User Win32 Driver/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\csrss.exe[1308] @ C:\WINDOWS\system32\winsrv.dll [CSRSRV.dll!CsrCreateWait] [75B463F8] C:\WINDOWS\system32\CSRSRV.dll (Client Server Runtime Process/Microsoft Corporation)
IAT C:\WINDOWS\system32\csrss.exe[1308] @ C:\WINDOWS\system32\winsrv.dll [CSRSRV.dll!CsrMoveSatisfiedWait] [75B4660F] C:\WINDOWS\system32\CSRSRV.dll (Client Server Runtime Process/Microsoft Corporation)
IAT C:\WINDOWS\system32\csrss.exe[1308] @ C:\WINDOWS\system32\winsrv.dll [CSRSRV.dll!CsrDereferenceWait] [75B46585] C:\WINDOWS\system32\CSRSRV.dll (Client Server Runtime Process/Microsoft Corporation)
IAT C:\WINDOWS\system32\csrss.exe[1308] @ C:\WINDOWS\system32\winsrv.dll [CSRSRV.dll!CsrNotifyWait] [75B46527] C:\WINDOWS\system32\CSRSRV.dll (Client Server Runtime Process/Microsoft Corporation)
IAT C:\Program Files\Google\Chrome\Application\chrome.exe[2208] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs bb-run.sys (Promise Disk Accelerator/Promise Technology, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

#8 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,680 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 18 July 2011 - 09:49 PM

I still need the MiniToolbox log.

Where exactly do you see Web Watcher items?


#9 marcoangels

  • Topic Starter
  • Members
  • 12 posts

Posted 18 July 2011 - 09:59 PM

When I run Ad-Aware Free, it picks it up, and I have emails proving she purchased Web Watcher. Actually, I believe it might be on my other PC, which I'll scan with your tools tomorrow. Ad-Aware takes whatever action it chooses to remove Web Watcher, but it shows up again on a scan the next day.

#10 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,680 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 18 July 2011 - 10:03 PM

I still need the MiniToolbox log.

Then I'd need to see some kind of Ad-Aware report to see those findings.


#11 marcoangels

  • Topic Starter
  • Members
  • 12 posts

Posted 19 July 2011 - 12:29 PM

I've got a screenshot of Ad-Aware showing it removed Web Watcher, but I can't seem to copy it into this reply.

#12 Animal

    Bleepin' Animinion

  • Site Admin
  • 34,847 posts
  • Gender:Male
  • Location:Where You Least Expect Me To Be

Posted 19 July 2011 - 01:01 PM

Take a look here: Inserting An Image Within A Post


#13 marcoangels

  • Topic Starter
  • Members
  • 12 posts

Posted 19 July 2011 - 04:52 PM

Here's the Photobucket link to my Ad-Aware scan results. Even though Ad-Aware says it removed the threat, it shows up again and again, and I know I'm being keystroked for passwords.

http://s1011.photobucket.com/albums/af237/marcoangels/?action=view&current=Snap_20110719131834_001.jpg

#14 marcoangels

  • Topic Starter
  • Members
  • 12 posts

Posted 19 July 2011 - 04:53 PM

The MiniToolbox log is too long; it won't let me post it. Suggestions?

#15 Broni

    The Coolest BC Computer

  • BC Advisor
  • 42,680 posts
  • Gender:Male
  • Location:Daly City, CA

Posted 19 July 2011 - 07:06 PM

The mini-toolbox log is too long

Upload the file(s) here: http://www.filedropper.com/
Post the download link (copy URL: link):
