Syscall Reversing

• Overview
  • Ransomware Example

Overview

When we are dealing with syscalls we need to be able to generate a syscall table from ntdll.dll that the sample is run with. The syscalls will vary between versions (DLL versions).

Ransomware Example

• Magniber
• Threat Analysis Report: PrintNightmare and Magniber Ransomware

import pefile
import struct
import re
pe = pefile.PE('/tmp/ntdll.dll')
pe_data = open('/tmp/ntdll.dll','rb').read()

pe.parse_data_directories(directories=[pefile.DIRECTORY_ENTRY['IMAGE_DIRECTORY_ENTRY_EXPORT']])
exports = []
for exp in pe.DIRECTORY_ENTRY_EXPORT.symbols:
    export_address = exp.address
    export_name = exp.name
    export_ord = exp.ordinal
    exports.append({'name':export_name, 'ord':export_ord, 'address':export_address})

for export in exports:
    if b'ZwQueryEaFile' == export.get('name'):
        break
        
export_name = export.get('name').decode('utf-8')
export_offset = pe.get_offset_from_rva(export.get('address'))
print(f"{export_name} {hex(export_offset)}")

syscall_offset = pe_data.find(b'\x0f\05\xc3', export_offset)
print(f"Syscall offset: {hex(syscall_offset)}")
match = re.search(rb'\xB8(..)\x00\x00', pe_data[export_offset:syscall_offset])
if match:
    syscall_number = struct.unpack('<H', match.group(1))[0]
    print(f"Syscall: {hex(syscall_number)}")

ZwQueryEaFile 0xa1210
Syscall offset: 0xa1222
Syscall: 0x13e

syscalls = {}
for export in exports:
    if export.get('name') is not None and b'Zw' == export.get('name')[:2]:
        export_name = export.get('name').decode('utf-8')
        export_offset = pe.get_offset_from_rva(export.get('address'))
        syscall_offset = pe_data.find(b'\x0f\05\xc3', export_offset)
        if syscall_offset == -1:
            print(f"ERROR no sycall found for export {export_name}")
            continue
        match = re.search(rb'\xB8(..)\x00\x00', pe_data[export_offset:syscall_offset], re.DOTALL)
        if match is None:
            print(f"ERROR no sycall number for export {export_name}")
            continue
        syscall_number = struct.unpack('<H', match.group(1))[0]
        syscalls[export_name] = syscall_number

        
print("enum syscalls{")
for export in syscalls:
    print(f"sys_{export} = {syscalls[export]},")
print("};")

enum syscalls{
sys_ZwAcceptConnectPort = 2,
sys_ZwAccessCheck = 0,
sys_ZwAccessCheckAndAuditAlarm = 41,
sys_ZwAccessCheckByType = 99,
sys_ZwAccessCheckByTypeAndAuditAlarm = 89,
sys_ZwAccessCheckByTypeResultList = 100,
sys_ZwAccessCheckByTypeResultListAndAuditAlarm = 101,
sys_ZwAccessCheckByTypeResultListAndAuditAlarmByHandle = 102,
sys_ZwAcquireProcessActivityReference = 103,
sys_ZwAddAtom = 71,
sys_ZwAddAtomEx = 104,
sys_ZwAddBootEntry = 105,
sys_ZwAddDriverEntry = 106,
sys_ZwAdjustGroupsToken = 107,
sys_ZwAdjustPrivilegesToken = 65,
sys_ZwAdjustTokenClaimsAndDeviceGroups = 108,
sys_ZwAlertResumeThread = 109,
sys_ZwAlertThread = 110,
sys_ZwAlertThreadByThreadId = 111,
sys_ZwAllocateLocallyUniqueId = 112,
sys_ZwAllocateReserveObject = 113,
sys_ZwAllocateUserPhysicalPages = 114,
sys_ZwAllocateUuids = 115,
sys_ZwAllocateVirtualMemory = 24,
sys_ZwAllocateVirtualMemoryEx = 116,
sys_ZwAlpcAcceptConnectPort = 117,
sys_ZwAlpcCancelMessage = 118,
sys_ZwAlpcConnectPort = 119,
sys_ZwAlpcConnectPortEx = 120,
sys_ZwAlpcCreatePort = 121,
sys_ZwAlpcCreatePortSection = 122,
sys_ZwAlpcCreateResourceReserve = 123,
sys_ZwAlpcCreateSectionView = 124,
sys_ZwAlpcCreateSecurityContext = 125,
sys_ZwAlpcDeletePortSection = 126,
sys_ZwAlpcDeleteResourceReserve = 127,
sys_ZwAlpcDeleteSectionView = 128,
sys_ZwAlpcDeleteSecurityContext = 129,
sys_ZwAlpcDisconnectPort = 130,
sys_ZwAlpcImpersonateClientContainerOfPort = 131,
sys_ZwAlpcImpersonateClientOfPort = 132,
sys_ZwAlpcOpenSenderProcess = 133,
sys_ZwAlpcOpenSenderThread = 134,
sys_ZwAlpcQueryInformation = 135,
sys_ZwAlpcQueryInformationMessage = 136,
sys_ZwAlpcRevokeSecurityContext = 137,
sys_ZwAlpcSendWaitReceivePort = 138,
sys_ZwAlpcSetInformation = 139,
sys_ZwApphelpCacheControl = 76,
sys_ZwAreMappedFilesTheSame = 140,
sys_ZwAssignProcessToJobObject = 141,
sys_ZwAssociateWaitCompletionPacket = 142,
sys_ZwCallEnclave = 143,
sys_ZwCallbackReturn = 5,
sys_ZwCancelIoFile = 93,
sys_ZwCancelIoFileEx = 144,
sys_ZwCancelSynchronousIoFile = 145,
sys_ZwCancelTimer = 97,
sys_ZwCancelTimer2 = 146,
sys_ZwCancelWaitCompletionPacket = 147,
sys_ZwClearEvent = 62,
sys_ZwClose = 15,
sys_ZwCloseObjectAuditAlarm = 59,
sys_ZwCommitComplete = 148,
sys_ZwCommitEnlistment = 149,
sys_ZwCommitRegistryTransaction = 150,
sys_ZwCommitTransaction = 151,
sys_ZwCompactKeys = 152,
sys_ZwCompareObjects = 153,
sys_ZwCompareSigningLevels = 154,
sys_ZwCompareTokens = 155,
sys_ZwCompleteConnectPort = 156,
sys_ZwCompressKey = 157,
sys_ZwConnectPort = 158,
sys_ZwContinue = 67,
sys_ZwConvertBetweenAuxiliaryCounterAndPerformanceCounter = 159,
sys_ZwCreateDebugObject = 160,
sys_ZwCreateDirectoryObject = 161,
sys_ZwCreateDirectoryObjectEx = 162,
sys_ZwCreateEnclave = 163,
sys_ZwCreateEnlistment = 164,
sys_ZwCreateEvent = 72,
sys_ZwCreateEventPair = 165,
sys_ZwCreateFile = 85,
sys_ZwCreateIRTimer = 166,
sys_ZwCreateIoCompletion = 167,
sys_ZwCreateJobObject = 168,
sys_ZwCreateJobSet = 169,
sys_ZwCreateKey = 29,
sys_ZwCreateKeyTransacted = 170,
sys_ZwCreateKeyedEvent = 171,
sys_ZwCreateLowBoxToken = 172,
sys_ZwCreateMailslotFile = 173,
sys_ZwCreateMutant = 174,
sys_ZwCreateNamedPipeFile = 175,
sys_ZwCreatePagingFile = 176,
sys_ZwCreatePartition = 177,
sys_ZwCreatePort = 178,
sys_ZwCreatePrivateNamespace = 179,
sys_ZwCreateProcess = 180,
sys_ZwCreateProcessEx = 77,
sys_ZwCreateProfile = 181,
sys_ZwCreateProfileEx = 182,
sys_ZwCreateRegistryTransaction = 183,
sys_ZwCreateResourceManager = 184,
sys_ZwCreateSection = 74,
sys_ZwCreateSectionEx = 185,
sys_ZwCreateSemaphore = 186,
sys_ZwCreateSymbolicLinkObject = 187,
sys_ZwCreateThread = 78,
sys_ZwCreateThreadEx = 188,
sys_ZwCreateTimer = 189,
sys_ZwCreateTimer2 = 190,
sys_ZwCreateToken = 191,
sys_ZwCreateTokenEx = 192,
sys_ZwCreateTransaction = 193,
sys_ZwCreateTransactionManager = 194,
sys_ZwCreateUserProcess = 195,
sys_ZwCreateWaitCompletionPacket = 196,
sys_ZwCreateWaitablePort = 197,
sys_ZwCreateWnfStateName = 198,
sys_ZwCreateWorkerFactory = 199,
sys_ZwDebugActiveProcess = 200,
sys_ZwDebugContinue = 201,
sys_ZwDelayExecution = 52,
sys_ZwDeleteAtom = 202,
sys_ZwDeleteBootEntry = 203,
sys_ZwDeleteDriverEntry = 204,
sys_ZwDeleteFile = 205,
sys_ZwDeleteKey = 206,
sys_ZwDeleteObjectAuditAlarm = 207,
sys_ZwDeletePrivateNamespace = 208,
sys_ZwDeleteValueKey = 209,
sys_ZwDeleteWnfStateData = 210,
sys_ZwDeleteWnfStateName = 211,
sys_ZwDeviceIoControlFile = 7,
sys_ZwDisableLastKnownGood = 212,
sys_ZwDisplayString = 213,
sys_ZwDrawText = 214,
sys_ZwDuplicateObject = 60,
sys_ZwDuplicateToken = 66,
sys_ZwEnableLastKnownGood = 215,
sys_ZwEnumerateBootEntries = 216,
sys_ZwEnumerateDriverEntries = 217,
sys_ZwEnumerateKey = 50,
sys_ZwEnumerateSystemEnvironmentValuesEx = 218,
sys_ZwEnumerateTransactionObject = 219,
sys_ZwEnumerateValueKey = 19,
sys_ZwExtendSection = 220,
sys_ZwFilterBootOption = 221,
sys_ZwFilterToken = 222,
sys_ZwFilterTokenEx = 223,
sys_ZwFindAtom = 20,
sys_ZwFlushBuffersFile = 75,
sys_ZwFlushBuffersFileEx = 224,
sys_ZwFlushInstallUILanguage = 225,
sys_ZwFlushInstructionCache = 226,
sys_ZwFlushKey = 227,
sys_ZwFlushProcessWriteBuffers = 228,
sys_ZwFlushVirtualMemory = 229,
sys_ZwFlushWriteBuffer = 230,
sys_ZwFreeUserPhysicalPages = 231,
sys_ZwFreeVirtualMemory = 30,
sys_ZwFreezeRegistry = 232,
sys_ZwFreezeTransactions = 233,
sys_ZwFsControlFile = 57,
sys_ZwGetCachedSigningLevel = 234,
sys_ZwGetCompleteWnfStateSubscription = 235,
sys_ZwGetContextThread = 236,
sys_ZwGetCurrentProcessorNumber = 237,
sys_ZwGetCurrentProcessorNumberEx = 238,
sys_ZwGetDevicePowerState = 239,
sys_ZwGetMUIRegistryInfo = 240,
sys_ZwGetNextProcess = 241,
sys_ZwGetNextThread = 242,
sys_ZwGetNlsSectionPtr = 243,
sys_ZwGetNotificationResourceManager = 244,
sys_ZwGetWriteWatch = 245,
sys_ZwImpersonateAnonymousToken = 246,
sys_ZwImpersonateClientOfPort = 31,
sys_ZwImpersonateThread = 247,
sys_ZwInitializeEnclave = 248,
sys_ZwInitializeNlsFiles = 249,
sys_ZwInitializeRegistry = 250,
sys_ZwInitiatePowerAction = 251,
sys_ZwIsProcessInJob = 79,
sys_ZwIsSystemResumeAutomatic = 252,
sys_ZwIsUILanguageComitted = 253,
sys_ZwListenPort = 254,
sys_ZwLoadDriver = 255,
sys_ZwLoadEnclaveData = 256,
sys_ZwLoadKey = 257,
sys_ZwLoadKey2 = 258,
sys_ZwLoadKeyEx = 259,
sys_ZwLockFile = 260,
sys_ZwLockProductActivationKeys = 261,
sys_ZwLockRegistryKey = 262,
sys_ZwLockVirtualMemory = 263,
sys_ZwMakePermanentObject = 264,
sys_ZwMakeTemporaryObject = 265,
sys_ZwManageHotPatch = 266,
sys_ZwManagePartition = 267,
sys_ZwMapCMFModule = 268,
sys_ZwMapUserPhysicalPages = 269,
sys_ZwMapUserPhysicalPagesScatter = 3,
sys_ZwMapViewOfSection = 40,
sys_ZwMapViewOfSectionEx = 270,
sys_ZwModifyBootEntry = 271,
sys_ZwModifyDriverEntry = 272,
sys_ZwNotifyChangeDirectoryFile = 273,
sys_ZwNotifyChangeDirectoryFileEx = 274,
sys_ZwNotifyChangeKey = 275,
sys_ZwNotifyChangeMultipleKeys = 276,
sys_ZwNotifyChangeSession = 277,
sys_ZwOpenDirectoryObject = 88,
sys_ZwOpenEnlistment = 278,
sys_ZwOpenEvent = 64,
sys_ZwOpenEventPair = 279,
sys_ZwOpenFile = 51,
sys_ZwOpenIoCompletion = 280,
sys_ZwOpenJobObject = 281,
sys_ZwOpenKey = 18,
sys_ZwOpenKeyEx = 282,
sys_ZwOpenKeyTransacted = 283,
sys_ZwOpenKeyTransactedEx = 284,
sys_ZwOpenKeyedEvent = 285,
sys_ZwOpenMutant = 286,
sys_ZwOpenObjectAuditAlarm = 287,
sys_ZwOpenPartition = 288,
sys_ZwOpenPrivateNamespace = 289,
sys_ZwOpenProcess = 38,
sys_ZwOpenProcessToken = 290,
sys_ZwOpenProcessTokenEx = 48,
sys_ZwOpenRegistryTransaction = 291,
sys_ZwOpenResourceManager = 292,
sys_ZwOpenSection = 55,
sys_ZwOpenSemaphore = 293,
sys_ZwOpenSession = 294,
sys_ZwOpenSymbolicLinkObject = 295,
sys_ZwOpenThread = 296,
sys_ZwOpenThreadToken = 36,
sys_ZwOpenThreadTokenEx = 47,
sys_ZwOpenTimer = 297,
sys_ZwOpenTransaction = 298,
sys_ZwOpenTransactionManager = 299,
sys_ZwPlugPlayControl = 300,
sys_ZwPowerInformation = 95,
sys_ZwPrePrepareComplete = 301,
sys_ZwPrePrepareEnlistment = 302,
sys_ZwPrepareComplete = 303,
sys_ZwPrepareEnlistment = 304,
sys_ZwPrivilegeCheck = 305,
sys_ZwPrivilegeObjectAuditAlarm = 306,
sys_ZwPrivilegedServiceAuditAlarm = 307,
sys_ZwPropagationComplete = 308,
sys_ZwPropagationFailed = 309,
sys_ZwProtectVirtualMemory = 80,
sys_ZwPulseEvent = 310,
sys_ZwQueryAttributesFile = 61,
sys_ZwQueryAuxiliaryCounterFrequency = 311,
sys_ZwQueryBootEntryOrder = 312,
sys_ZwQueryBootOptions = 313,
sys_ZwQueryDebugFilterState = 314,
sys_ZwQueryDefaultLocale = 21,
sys_ZwQueryDefaultUILanguage = 68,
sys_ZwQueryDirectoryFile = 53,
sys_ZwQueryDirectoryFileEx = 315,
sys_ZwQueryDirectoryObject = 316,
sys_ZwQueryDriverEntryOrder = 317,
sys_ZwQueryEaFile = 318,
sys_ZwQueryEvent = 86,
sys_ZwQueryFullAttributesFile = 319,
sys_ZwQueryInformationAtom = 320,
sys_ZwQueryInformationByName = 321,
sys_ZwQueryInformationEnlistment = 322,
sys_ZwQueryInformationFile = 17,
sys_ZwQueryInformationJobObject = 323,
sys_ZwQueryInformationPort = 324,
sys_ZwQueryInformationProcess = 25,
sys_ZwQueryInformationResourceManager = 325,
sys_ZwQueryInformationThread = 37,
sys_ZwQueryInformationToken = 33,
sys_ZwQueryInformationTransaction = 326,
sys_ZwQueryInformationTransactionManager = 327,
sys_ZwQueryInformationWorkerFactory = 328,
sys_ZwQueryInstallUILanguage = 329,
sys_ZwQueryIntervalProfile = 330,
sys_ZwQueryIoCompletion = 331,
sys_ZwQueryKey = 22,
sys_ZwQueryLicenseValue = 332,
sys_ZwQueryMultipleValueKey = 333,
sys_ZwQueryMutant = 334,
sys_ZwQueryObject = 16,
sys_ZwQueryOpenSubKeys = 335,
sys_ZwQueryOpenSubKeysEx = 336,
sys_ZwQueryPerformanceCounter = 49,
sys_ZwQueryPortInformationProcess = 337,
sys_ZwQueryQuotaInformationFile = 338,
sys_ZwQuerySection = 81,
sys_ZwQuerySecurityAttributesToken = 339,
sys_ZwQuerySecurityObject = 340,
sys_ZwQuerySecurityPolicy = 341,
sys_ZwQuerySemaphore = 342,
sys_ZwQuerySymbolicLinkObject = 343,
sys_ZwQuerySystemEnvironmentValue = 344,
sys_ZwQuerySystemEnvironmentValueEx = 345,
sys_ZwQuerySystemInformation = 54,
sys_ZwQuerySystemInformationEx = 346,
sys_ZwQuerySystemTime = 91,
sys_ZwQueryTimer = 56,
sys_ZwQueryTimerResolution = 347,
sys_ZwQueryValueKey = 23,
sys_ZwQueryVirtualMemory = 35,
sys_ZwQueryVolumeInformationFile = 73,
sys_ZwQueryWnfStateData = 348,
sys_ZwQueryWnfStateNameInformation = 349,
sys_ZwQueueApcThread = 69,
sys_ZwQueueApcThreadEx = 350,
sys_ZwRaiseException = 351,
sys_ZwRaiseHardError = 352,
sys_ZwReadFile = 6,
sys_ZwReadFileScatter = 46,
sys_ZwReadOnlyEnlistment = 353,
sys_ZwReadRequestData = 84,
sys_ZwReadVirtualMemory = 63,
sys_ZwRecoverEnlistment = 354,
sys_ZwRecoverResourceManager = 355,
sys_ZwRecoverTransactionManager = 356,
sys_ZwRegisterProtocolAddressInformation = 357,
sys_ZwRegisterThreadTerminatePort = 358,
sys_ZwReleaseKeyedEvent = 359,
sys_ZwReleaseMutant = 32,
sys_ZwReleaseSemaphore = 10,
sys_ZwReleaseWorkerFactoryWorker = 360,
sys_ZwRemoveIoCompletion = 9,
sys_ZwRemoveIoCompletionEx = 361,
sys_ZwRemoveProcessDebug = 362,
sys_ZwRenameKey = 363,
sys_ZwRenameTransactionManager = 364,
sys_ZwReplaceKey = 365,
sys_ZwReplacePartitionUnit = 366,
sys_ZwReplyPort = 12,
sys_ZwReplyWaitReceivePort = 11,
sys_ZwReplyWaitReceivePortEx = 43,
sys_ZwReplyWaitReplyPort = 367,
sys_ZwRequestPort = 368,
sys_ZwRequestWaitReplyPort = 34,
sys_ZwResetEvent = 369,
sys_ZwResetWriteWatch = 370,
sys_ZwRestoreKey = 371,
sys_ZwResumeProcess = 372,
sys_ZwResumeThread = 82,
sys_ZwRevertContainerImpersonation = 373,
sys_ZwRollbackComplete = 374,
sys_ZwRollbackEnlistment = 375,
sys_ZwRollbackRegistryTransaction = 376,
sys_ZwRollbackTransaction = 377,
sys_ZwRollforwardTransactionManager = 378,
sys_ZwSaveKey = 379,
sys_ZwSaveKeyEx = 380,
sys_ZwSaveMergedKeys = 381,
sys_ZwSecureConnectPort = 382,
sys_ZwSerializeBoot = 383,
sys_ZwSetBootEntryOrder = 384,
sys_ZwSetBootOptions = 385,
sys_ZwSetCachedSigningLevel = 386,
sys_ZwSetCachedSigningLevel2 = 387,
sys_ZwSetContextThread = 388,
sys_ZwSetDebugFilterState = 389,
sys_ZwSetDefaultHardErrorPort = 390,
sys_ZwSetDefaultLocale = 391,
sys_ZwSetDefaultUILanguage = 392,
sys_ZwSetDriverEntryOrder = 393,
sys_ZwSetEaFile = 394,
sys_ZwSetEvent = 14,
sys_ZwSetEventBoostPriority = 45,
sys_ZwSetHighEventPair = 395,
sys_ZwSetHighWaitLowEventPair = 396,
sys_ZwSetIRTimer = 397,
sys_ZwSetInformationDebugObject = 398,
sys_ZwSetInformationEnlistment = 399,
sys_ZwSetInformationFile = 39,
sys_ZwSetInformationJobObject = 400,
sys_ZwSetInformationKey = 401,
sys_ZwSetInformationObject = 92,
sys_ZwSetInformationProcess = 28,
sys_ZwSetInformationResourceManager = 402,
sys_ZwSetInformationSymbolicLink = 403,
sys_ZwSetInformationThread = 13,
sys_ZwSetInformationToken = 404,
sys_ZwSetInformationTransaction = 405,
sys_ZwSetInformationTransactionManager = 406,
sys_ZwSetInformationVirtualMemory = 407,
sys_ZwSetInformationWorkerFactory = 408,
sys_ZwSetIntervalProfile = 409,
sys_ZwSetIoCompletion = 410,
sys_ZwSetIoCompletionEx = 411,
sys_ZwSetLdtEntries = 412,
sys_ZwSetLowEventPair = 413,
sys_ZwSetLowWaitHighEventPair = 414,
sys_ZwSetQuotaInformationFile = 415,
sys_ZwSetSecurityObject = 416,
sys_ZwSetSystemEnvironmentValue = 417,
sys_ZwSetSystemEnvironmentValueEx = 418,
sys_ZwSetSystemInformation = 419,
sys_ZwSetSystemPowerState = 420,
sys_ZwSetSystemTime = 421,
sys_ZwSetThreadExecutionState = 422,
sys_ZwSetTimer = 98,
sys_ZwSetTimer2 = 423,
sys_ZwSetTimerEx = 424,
sys_ZwSetTimerResolution = 425,
sys_ZwSetUuidSeed = 426,
sys_ZwSetValueKey = 96,
sys_ZwSetVolumeInformationFile = 427,
sys_ZwSetWnfProcessNotificationEvent = 428,
sys_ZwShutdownSystem = 429,
sys_ZwShutdownWorkerFactory = 430,
sys_ZwSignalAndWaitForSingleObject = 431,
sys_ZwSinglePhaseReject = 432,
sys_ZwStartProfile = 433,
sys_ZwStopProfile = 434,
sys_ZwSubscribeWnfStateChange = 435,
sys_ZwSuspendProcess = 436,
sys_ZwSuspendThread = 437,
sys_ZwSystemDebugControl = 438,
sys_ZwTerminateEnclave = 439,
sys_ZwTerminateJobObject = 440,
sys_ZwTerminateProcess = 44,
sys_ZwTerminateThread = 83,
sys_ZwTestAlert = 441,
sys_ZwThawRegistry = 442,
sys_ZwThawTransactions = 443,
sys_ZwTraceControl = 444,
sys_ZwTraceEvent = 94,
sys_ZwTranslateFilePath = 445,
sys_ZwUmsThreadYield = 446,
sys_ZwUnloadDriver = 447,
sys_ZwUnloadKey = 448,
sys_ZwUnloadKey2 = 449,
sys_ZwUnloadKeyEx = 450,
sys_ZwUnlockFile = 451,
sys_ZwUnlockVirtualMemory = 452,
sys_ZwUnmapViewOfSection = 42,
sys_ZwUnmapViewOfSectionEx = 453,
sys_ZwUnsubscribeWnfStateChange = 454,
sys_ZwUpdateWnfStateData = 455,
sys_ZwVdmControl = 456,
sys_ZwWaitForAlertByThreadId = 457,
sys_ZwWaitForDebugEvent = 458,
sys_ZwWaitForKeyedEvent = 459,
sys_ZwWaitForMultipleObjects = 91,
sys_ZwWaitForMultipleObjects32 = 26,
sys_ZwWaitForSingleObject = 4,
sys_ZwWaitForWorkViaWorkerFactory = 460,
sys_ZwWaitHighEventPair = 461,
sys_ZwWaitLowEventPair = 462,
sys_ZwWorkerFactoryWorkerReady = 1,
sys_ZwWriteFile = 8,
sys_ZwWriteFileGather = 27,
sys_ZwWriteRequestData = 87,
sys_ZwWriteVirtualMemory = 58,
sys_ZwYieldExecution = 70,
};