# NmxSvcps.dll

## Program

- Language: `x86:LE:32:default`
- Compiler spec: `windows`
- Image base: `10000000`
- Executable format: `Portable Executable (PE)`

## Memory Blocks

| Name | Start | End | Size | R | W | X |
| --- | ---: | ---: | ---: | :---: | :---: | :---: |
| `Headers` | `10000000` | `100003ff` | 1024 | Y |  |  |
| `.text` | `10001000` | `100057ff` | 18432 | Y |  | Y |
| `.orpc` | `10006000` | `100061ff` | 512 | Y |  | Y |
| `.rdata` | `10007000` | `10009fff` | 12288 | Y |  |  |
| `.data` | `1000a000` | `1000b9bb` | 6588 | Y | Y |  |
| `.rsrc` | `1000c000` | `1000c5ff` | 1536 | Y |  |  |
| `.reloc` | `1000d000` | `1000d9ff` | 2560 | Y |  |  |
| `tdb` | `ffdff000` | `ffdfffff` | 4096 | Y | Y |  |

## External Imports

- `KERNEL32.DLL::DecodePointer`
- `KERNEL32.DLL::DeleteCriticalSection`
- `KERNEL32.DLL::DisableThreadLibraryCalls`
- `KERNEL32.DLL::EncodePointer`
- `KERNEL32.DLL::EnterCriticalSection`
- `KERNEL32.DLL::ExitProcess`
- `KERNEL32.DLL::FreeEnvironmentStringsW`
- `KERNEL32.DLL::GetACP`
- `KERNEL32.DLL::GetCPInfo`
- `KERNEL32.DLL::GetCommandLineA`
- `KERNEL32.DLL::GetCurrentProcess`
- `KERNEL32.DLL::GetCurrentProcessId`
- `KERNEL32.DLL::GetCurrentThreadId`
- `KERNEL32.DLL::GetEnvironmentStringsW`
- `KERNEL32.DLL::GetFileType`
- `KERNEL32.DLL::GetLastError`
- `KERNEL32.DLL::GetModuleFileNameA`
- `KERNEL32.DLL::GetModuleFileNameW`
- `KERNEL32.DLL::GetModuleHandleW`
- `KERNEL32.DLL::GetOEMCP`
- `KERNEL32.DLL::GetProcAddress`
- `KERNEL32.DLL::GetStartupInfoW`
- `KERNEL32.DLL::GetStdHandle`
- `KERNEL32.DLL::GetStringTypeW`
- `KERNEL32.DLL::GetSystemTimeAsFileTime`
- `KERNEL32.DLL::GetTickCount`
- `KERNEL32.DLL::HeapAlloc`
- `KERNEL32.DLL::HeapCreate`
- `KERNEL32.DLL::HeapDestroy`
- `KERNEL32.DLL::HeapFree`
- `KERNEL32.DLL::HeapReAlloc`
- `KERNEL32.DLL::HeapSize`
- `KERNEL32.DLL::InitializeCriticalSectionAndSpinCount`
- `KERNEL32.DLL::InterlockedDecrement`
- `KERNEL32.DLL::InterlockedIncrement`
- `KERNEL32.DLL::IsDebuggerPresent`
- `KERNEL32.DLL::IsProcessorFeaturePresent`
- `KERNEL32.DLL::IsValidCodePage`
- `KERNEL32.DLL::LCMapStringW`
- `KERNEL32.DLL::LeaveCriticalSection`
- `KERNEL32.DLL::LoadLibraryW`
- `KERNEL32.DLL::MultiByteToWideChar`
- `KERNEL32.DLL::QueryPerformanceCounter`
- `KERNEL32.DLL::RtlUnwind`
- `KERNEL32.DLL::SetHandleCount`
- `KERNEL32.DLL::SetLastError`
- `KERNEL32.DLL::SetUnhandledExceptionFilter`
- `KERNEL32.DLL::Sleep`
- `KERNEL32.DLL::TerminateProcess`
- `KERNEL32.DLL::TlsAlloc`
- `KERNEL32.DLL::TlsFree`
- `KERNEL32.DLL::TlsGetValue`
- `KERNEL32.DLL::TlsSetValue`
- `KERNEL32.DLL::UnhandledExceptionFilter`
- `KERNEL32.DLL::WideCharToMultiByte`
- `KERNEL32.DLL::WriteFile`
- `OLEAUT32.DLL::BSTR_UserFree`
- `OLEAUT32.DLL::BSTR_UserMarshal`
- `OLEAUT32.DLL::BSTR_UserSize`
- `OLEAUT32.DLL::BSTR_UserUnmarshal`
- `RPCRT4.DLL::CStdStubBuffer_AddRef`
- `RPCRT4.DLL::CStdStubBuffer_Connect`
- `RPCRT4.DLL::CStdStubBuffer_CountRefs`
- `RPCRT4.DLL::CStdStubBuffer_DebugServerQueryInterface`
- `RPCRT4.DLL::CStdStubBuffer_DebugServerRelease`
- `RPCRT4.DLL::CStdStubBuffer_Disconnect`
- `RPCRT4.DLL::CStdStubBuffer_Invoke`
- `RPCRT4.DLL::CStdStubBuffer_IsIIDSupported`
- `RPCRT4.DLL::CStdStubBuffer_QueryInterface`
- `RPCRT4.DLL::IUnknown_AddRef_Proxy`
- `RPCRT4.DLL::IUnknown_QueryInterface_Proxy`
- `RPCRT4.DLL::IUnknown_Release_Proxy`
- `RPCRT4.DLL::NdrCStdStubBuffer_Release`
- `RPCRT4.DLL::NdrDllCanUnloadNow`
- `RPCRT4.DLL::NdrDllGetClassObject`
- `RPCRT4.DLL::NdrDllRegisterProxy`
- `RPCRT4.DLL::NdrDllUnregisterProxy`
- `RPCRT4.DLL::NdrOleAllocate`
- `RPCRT4.DLL::NdrOleFree`

## Exports and Globals

| Name | Address | Function |
| --- | ---: | --- |
| `Ordinal_2` | `10001000` | `DllGetClassObject` |
| `DllGetClassObject` | `10001000` | `DllGetClassObject` |
| `Ordinal_1` | `10001040` | `DllCanUnloadNow` |
| `DllCanUnloadNow` | `10001040` | `DllCanUnloadNow` |
| `Ordinal_3` | `100010a0` | `DllRegisterServer` |
| `DllRegisterServer` | `100010a0` | `DllRegisterServer` |
| `Ordinal_4` | `100010e0` | `DllUnregisterServer` |
| `DllUnregisterServer` | `100010e0` | `DllUnregisterServer` |
| `NdrCStdStubBuffer_Release` | `1000111c` | `NdrCStdStubBuffer_Release` |
| `__CRT_INIT@12` | `1000118e` | `__CRT_INIT@12` |
| `___DllMainCRTStartup` | `100012f2` | `___DllMainCRTStartup` |
| `entry` | `100013e8` | `entry` |
| `___set_flsgetvalue` | `1000141d` | `___set_flsgetvalue` |
| `__mtterm` | `10001451` | `__mtterm` |
| `__initptd` | `1000148e` | `__initptd` |
| `__getptd_noexit` | `10001542` | `__getptd_noexit` |
| `__getptd` | `100015bb` | `__getptd` |
| `__freefls@4` | `100015d5` | `__freefls@4` |
| `__freeptd` | `10001704` | `__freeptd` |
| `__mtinit` | `10001772` | `__mtinit` |
| `_free` | `100018ed` | `_free` |
| `__malloc_crt` | `10001927` | `__malloc_crt` |
| `__calloc_crt` | `1000196c` | `__calloc_crt` |
| `__realloc_crt` | `100019b8` | `__realloc_crt` |
| `___crtCorExitProcess` | `10001a06` | `___crtCorExitProcess` |
| `___crtExitProcess` | `10001a31` | `___crtExitProcess` |
| `__init_pointers` | `10001a5b` | `__init_pointers` |
| `__initterm_e` | `10001a8e` | `__initterm_e` |
| `__cinit` | `10001ab2` | `__cinit` |
| `doexit` | `10001b49` | `doexit` |
| `_doexit` | `10001b49` | `doexit` |
| `__exit` | `10001c89` | `__exit` |
| `__cexit` | `10001c9f` | `__cexit` |
| `__amsg_exit` | `10001cae` | `__amsg_exit` |
| `__ioinit` | `10001ccc` | `__ioinit` |
| `__ioterm` | `10001f11` | `__ioterm` |
| `__setenvp` | `10001f64` | `__setenvp` |
| `parse_cmdline` | `10002040` | `parse_cmdline` |
| `_parse_cmdline` | `10002040` | `parse_cmdline` |
| `__setargv` | `100021da` | `__setargv` |
| `___crtGetEnvironmentStringsA` | `10002295` | `___crtGetEnvironmentStringsA` |
| `__RTC_Initialize` | `1000232c` | `__RTC_Initialize` |
| `__heap_init` | `10002378` | `__heap_init` |
| `__heap_term` | `10002396` | `__heap_term` |
| `__SEH_prolog4` | `100023b0` | `__SEH_prolog4` |
| `__SEH_epilog4` | `100023f5` | `__SEH_epilog4` |
| `__except_handler4` | `10002410` | `__except_handler4` |
| `__XcptFilter` | `1000259f` | `__XcptFilter` |
| `___CppXcptFilter` | `100026e9` | `___CppXcptFilter` |
| `___security_init_cookie` | `10002709` | `___security_init_cookie` |
| `__mtinitlocks` | `100027a4` | `__mtinitlocks` |
| `__mtdeletelocks` | `100027ee` | `__mtdeletelocks` |
| `__mtinitlocknum` | `1000285c` | `__mtinitlocknum` |
| `__lock` | `1000291e` | `__lock` |
| `___addlocaleref` | `10002951` | `___addlocaleref` |
| `___removelocaleref` | `100029e0` | `___removelocaleref` |
| `___freetlocinfo` | `10002a79` | `___freetlocinfo` |
| `__updatetlocinfoEx_nolock` | `10002bc4` | `__updatetlocinfoEx_nolock` |
| `___updatetlocinfo` | `10002c11` | `___updatetlocinfo` |
| `CPtoLCID` | `10002c8a` | `CPtoLCID` |
| `?CPtoLCID@@YAHH@Z` | `10002c8a` | `CPtoLCID` |
| `setSBCS` | `10002cb9` | `setSBCS` |
| `?setSBCS@@YAXPAUthreadmbcinfostruct@@@Z` | `10002cb9` | `setSBCS` |
| `setSBUpLow` | `10002d1d` | `setSBUpLow` |
| `?setSBUpLow@@YAXPAUthreadmbcinfostruct@@@Z` | `10002d1d` | `setSBUpLow` |
| `___updatetmbcinfo` | `10002ead` | `___updatetmbcinfo` |
| `??0_LocaleUpdate@@QAE@PAUlocaleinfo_struct@@@Z` | `10002f51` | `_LocaleUpdate` |
| `getSystemCP` | `10002fd8` | `getSystemCP` |
| `?getSystemCP@@YAHH@Z` | `10002fd8` | `getSystemCP` |
| `__setmbcp_nolock` | `10003054` | `__setmbcp_nolock` |
| `__setmbcp` | `1000323d` | `__setmbcp` |
| `___initmbctable` | `100033d7` | `___initmbctable` |
| `__get_errno_from_oserr` | `100033f5` | `__get_errno_from_oserr` |
| `__errno` | `10003437` | `__errno` |
| `_malloc` | `1000344a` | `_malloc` |
| `__calloc_impl` | `100034de` | `__calloc_impl` |
| `_realloc` | `10003560` | `_realloc` |
| `__initp_misc_winsig` | `10003657` | `__initp_misc_winsig` |
| `siglookup` | `10003675` | `siglookup` |
| `_siglookup` | `10003675` | `siglookup` |
| `_raise` | `100036b9` | `_raise` |
| `__call_reportfault` | `10003889` | `__call_reportfault` |
| `__invoke_watson` | `100039b2` | `__invoke_watson` |
| `__invalid_parameter` | `100039d7` | `__invalid_parameter` |
| `__callnewh` | `10003a23` | `__callnewh` |
| `__onexit_nolock` | `10003a4b` | `__onexit_nolock` |
| `__onexit` | `10003b32` | `__onexit` |
| `_atexit` | `10003b6e` | `_atexit` |
| `__initp_misc_cfltcvt_tab` | `10003b85` | `__initp_misc_cfltcvt_tab` |
| `__ValidateImageBase` | `10003bb0` | `__ValidateImageBase` |
| `__FindPESection` | `10003bf0` | `__FindPESection` |
| `__IsNonwritableInCurrentImage` | `10003c40` | `__IsNonwritableInCurrentImage` |
| `__GET_RTERRMSG` | `10003cfc` | `__GET_RTERRMSG` |
| `__NMSG_WRITE` | `10003d22` | `__NMSG_WRITE` |
| `__FF_MSGBANNER` | `10003ed1` | `__FF_MSGBANNER` |
| `_strcpy_s` | `10003f0a` | `_strcpy_s` |
| `_strlen` | `10003f70` | `_strlen` |
| `x_ismbbtype_l` | `10003ffb` | `x_ismbbtype_l` |
| `?x_ismbbtype_l@@YAHPAUlocaleinfo_struct@@IHH@Z` | `10003ffb` | `x_ismbbtype_l` |
| `__ismbblead` | `1000404e` | `__ismbblead` |
| `__security_check_cookie` | `10004066` | `__security_check_cookie` |
| `@__security_check_cookie@4` | `10004066` | `__security_check_cookie` |
| `__local_unwind4` | `10004080` | `__local_unwind4` |
| `_EH4_CallFilterFunc` | `10004172` | `_EH4_CallFilterFunc` |
| `@_EH4_CallFilterFunc@8` | `10004172` | `_EH4_CallFilterFunc` |
| `_EH4_TransferToHandler` | `10004189` | `_EH4_TransferToHandler` |
| `@_EH4_TransferToHandler@8` | `10004189` | `_EH4_TransferToHandler` |
| `_EH4_GlobalUnwind2` | `100041a2` | `_EH4_GlobalUnwind2` |
| `@_EH4_GlobalUnwind2@8` | `100041a2` | `_EH4_GlobalUnwind2` |
| `_EH4_LocalUnwind` | `100041bb` | `_EH4_LocalUnwind` |
| `@_EH4_LocalUnwind@16` | `100041bb` | `_EH4_LocalUnwind` |
| `___free_lc_time` | `100041d2` | `___free_lc_time` |
| `___free_lconv_num` | `10004549` | `___free_lconv_num` |
| `___free_lconv_mon` | `100045b2` | `___free_lconv_mon` |
| `_memset` | `100046b0` | `_memset` |
| `__freea` | `1000472a` | `__freea` |
| `__crtLCMapStringA_stat` | `1000474a` | `__crtLCMapStringA_stat` |
| `?__crtLCMapStringA_stat@@YAHPAUlocaleinfo_struct@@KKPBDHPADHHH@Z` | `1000474a` | `__crtLCMapStringA_stat` |
| `___crtLCMapStringA` | `10004931` | `___crtLCMapStringA` |
| `__crtGetStringTypeA_stat` | `10004977` | `__crtGetStringTypeA_stat` |
| `?__crtGetStringTypeA_stat@@YAHPAUlocaleinfo_struct@@KPBDHPAGHHH@Z` | `10004977` | `__crtGetStringTypeA_stat` |
| `___crtGetStringTypeA` | `10004a5e` | `___crtGetStringTypeA` |
| `__msize` | `10004a9e` | `__msize` |
| `_abort` | `10004ad1` | `_abort` |
| `FID_conflict:_memcpy` | `10004b10` | `FID_conflict:_memcpy` |
| `_memmove` | `10004b10` | `FID_conflict:_memcpy` |
| `_memcpy` | `10004b10` | `FID_conflict:_memcpy` |
| `___crtMessageBoxW` | `10004e82` | `___crtMessageBoxW` |
| `_wcscat_s` | `10004fee` | `_wcscat_s` |
| `_wcsncpy_s` | `10005063` | `_wcsncpy_s` |
| `_wcslen` | `10005130` | `_wcslen` |
| `_wcscpy_s` | `1000514b` | `_wcscpy_s` |
| `__set_error_mode` | `100051ae` | `__set_error_mode` |
| `___report_gsfailure` | `100051ed` | `___report_gsfailure` |
| `__global_unwind2` | `10005300` | `__global_unwind2` |
| `__local_unwind2` | `10005365` | `__local_unwind2` |
| `__NLG_Notify` | `10005415` | `__NLG_Notify` |
| `__VEC_memzero` | `10005437` | `__VEC_memzero` |
| `__alloca_probe_16` | `10005510` | `__alloca_probe_16` |
| `__alloca_probe_8` | `10005526` | `__alloca_probe_8` |
| `__alloca_probe` | `10005640` | `__alloca_probe` |
| `__chkstk` | `10005640` | `__alloca_probe` |
| `RtlUnwind` | `1000566c` | `RtlUnwind` |
| `Rsrc_Version_1_409` | `1000c0a0` | `` |
| `Rsrc_Manifest_2_409` | `1000c46c` | `` |
| `ExceptionList` | `ffdff000` | `` |
| `StackBase` | `ffdff004` | `` |
| `StackLimit` | `ffdff008` | `` |
| `SubSystemTib` | `ffdff00c` | `` |
| `FiberData` | `ffdff010` | `` |
| `ArbitraryUserPointer` | `ffdff014` | `` |
| `Self` | `ffdff018` | `` |
| `EnvironmentPointer` | `ffdff01c` | `` |
| `ClientId` | `ffdff020` | `` |
| `ActiveRpcHandle` | `ffdff028` | `` |
| `ThreadLocalStoragePointer` | `ffdff02c` | `` |
| `ProcessEnvironmentBlock` | `ffdff030` | `` |
| `LastErrorValue` | `ffdff034` | `` |
| `CountOfOwnedCriticalSections` | `ffdff038` | `` |
| `CsrClientThread` | `ffdff03c` | `` |
| `Win32ThreadInfo` | `ffdff040` | `` |
| `User32Reserved` | `ffdff044` | `` |
| `UserReserved` | `ffdff0ac` | `` |
| `WOW32Reserved` | `ffdff0c0` | `` |
| `CurrentLocale` | `ffdff0c4` | `` |
| `FpSoftwareStatusRegister` | `ffdff0c8` | `` |
| `SystemReserved1` | `ffdff0cc` | `` |
| `ExceptionCode` | `ffdff1a4` | `` |
| `ActivationContextStackPointer` | `ffdff1a8` | `` |
| `SpareBytes` | `ffdff1ac` | `` |
| `TxFsContext` | `ffdff1d0` | `` |
| `GdiTebBatch` | `ffdff1d4` | `` |
| `RealClientId` | `ffdff6b4` | `` |
| `GdiCachedProcessHandle` | `ffdff6bc` | `` |
| `GdiClientPID` | `ffdff6c0` | `` |
| `GdiCLientTID` | `ffdff6c4` | `` |
| `GdiThreadLocalInfo` | `ffdff6c8` | `` |
| `Win32ClientInfo` | `ffdff6cc` | `` |
| `glDispatchTable` | `ffdff7c4` | `` |
| `glReserved1` | `ffdffb68` | `` |
| `glReserved2` | `ffdffbdc` | `` |
| `glSectionInfo` | `ffdffbe0` | `` |
| `glSection` | `ffdffbe4` | `` |
| `glTable` | `ffdffbe8` | `` |
| `glCurrentRC` | `ffdffbec` | `` |
| `glContext` | `ffdffbf0` | `` |
| `LastStatusValue` | `ffdffbf4` | `` |
| `StaticUnicodeBuffer` | `ffdffc00` | `` |
| `DeallocationStack` | `ffdffe0c` | `` |
| `TlsSlots` | `ffdffe10` | `` |
| `TlsLinks.Flink` | `ffdfff10` | `` |
| `TlsLinks.Blink` | `ffdfff14` | `` |
| `Vdm` | `ffdfff18` | `` |
| `ReservedForNtRpc` | `ffdfff1c` | `` |
| `DbgSsReserved` | `ffdfff20` | `` |
| `HardErrorMode` | `ffdfff28` | `` |
| `Instrumentation` | `ffdfff2c` | `` |
| `ActivityId` | `ffdfff50` | `` |
| `SubProcessTag` | `ffdfff60` | `` |
| `EtwLocalData` | `ffdfff64` | `` |
| `EtwTraceData` | `ffdfff68` | `` |
| `WinSockData` | `ffdfff6c` | `` |
| `GdiBatchCount` | `ffdfff70` | `` |
| `IdealProcessorValue` | `ffdfff74` | `` |
| `GuaranteedStackBytes` | `ffdfff78` | `` |
| `ReservedForPerf` | `ffdfff7c` | `` |
| `ReservedForOle` | `ffdfff80` | `` |
| `WaitingOnLoaderLock` | `ffdfff84` | `` |
| `SavedPriorityState` | `ffdfff88` | `` |
| `SoftPatchPtr1` | `ffdfff8c` | `` |
| `ThreadPoolData` | `ffdfff90` | `` |
| `TlsExpansionSlots` | `ffdfff94` | `` |
| `MuiGeneration` | `ffdfff98` | `` |
| `IsImpersonating` | `ffdfff9c` | `` |
| `NlsCache` | `ffdfffa0` | `` |
| `pShimData` | `ffdfffa4` | `` |
| `HeapVirtualAffinity` | `ffdfffa8` | `` |
| `CurrentTransactionHandle` | `ffdfffac` | `` |
| `ActiveFrame` | `ffdfffb0` | `` |
| `FlsData` | `ffdfffb4` | `` |
| `PreferredLanguages` | `ffdfffb8` | `` |
| `UserPrefLanguages` | `ffdfffbc` | `` |
| `MergedPrefLanguages` | `ffdfffc0` | `` |
| `MuiImpersonation` | `ffdfffc4` | `` |
| `CrossTebFlags` | `ffdfffc8` | `` |
| `SameTebFlags` | `ffdfffca` | `` |
| `TxnScopeEnterCallback` | `ffdfffcc` | `` |
| `TxnScopeExitCallback` | `ffdfffd0` | `` |
| `TxnScopeContext` | `ffdfffd4` | `` |
| `LockCount` | `ffdfffd8` | `` |
| `ResourceRetValue` | `ffdfffe0` | `` |

## Interesting Strings and Referencing Functions

| Address | String | Referencing Functions |
| ---: | --- | --- |
| `10007538` | `INmxSvcCallback` | `` |
| `10007548` | `INmxNotify` | `` |
| `10007554` | `INmxService` | `` |
| `10007560` | `INmxStatus` | `` |
| `1000756c` | `INmxSvcStatistics` | `` |
| `10007580` | `INmxService2` | `` |
| `100097f6` | `NdrDllGetClassObject` | `` |
| `1000980e` | `NdrDllCanUnloadNow` | `` |
| `10009824` | `NdrCStdStubBuffer_Release` | `` |
| `10009840` | `NdrDllRegisterProxy` | `` |
| `10009856` | `NdrDllUnregisterProxy` | `` |
| `100099d2` | `NdrOleFree` | `` |
| `100099e0` | `NdrOleAllocate` | `` |
| `100099f0` | `RPCRT4.dll` | `` |
| `10009e80` | `NmxSvcPS.dll` | `` |
| `1000c1d0` | `NmxSvc_v0032` | `` |
| `1000c214` | `NmxSvcps Module` | `` |
| `1000c40c` | `NmxSvcps.dll` | `` |

## Interesting API Callers

| Caller | Entry | Call Targets |
| --- | ---: | --- |
| `DllGetClassObject` | `10001000` | `NdrDllGetClassObject` |
| `DllCanUnloadNow` | `10001040` | `NdrDllCanUnloadNow` |
| `FUN_10001050` | `10001050` | `NdrCStdStubBuffer_Release` |
| `DllRegisterServer` | `100010a0` | `NdrDllRegisterProxy` |
| `DllUnregisterServer` | `100010e0` | `NdrDllUnregisterProxy` |
| `setSBCS` | `10002cb9` | `_memset` |
| `setSBUpLow` | `10002d1d` | `_memset` |
| `__setmbcp_nolock` | `10003054` | `_memset` |
| `__call_reportfault` | `10003889` | `_memset` |
| `__crtGetStringTypeA_stat` | `10004977` | `_memset` |