fe2a6db786
Layout:
- src/ .NET 10 x64 reference: MxNativeCodec, MxNativeClient,
  MxAsbClient, probes, tests, harnesses. Executable spec.
- design/ Architectural plan for the Rust port (M0–M6), error
  model, protocol invariants, risks (R1–R16), adversarial
  review log (review.md).
- rust/ Rust workspace. M0 skeleton + M1 codec parity.
  mxaccess-codec: 215 unit tests + 2 cross-implementation
  parity tests (byte-identical against .NET reference).
  Other crates are M0 stubs awaiting M2+.
- captures/ Frida + netsh + pcap evidence per CLAUDE.md
  ("captures are evidence, not throwaway logs").
- analysis/ Decompiled C# (frida/proxy/decompiled-*),
  Ghidra exports for native DLLs (`exports/` only —
  working state at `projects/` and AVEVA's input
  binaries at `input/` are gitignored).
- docs/ Reverse-engineering reference docs.
- tools/ Setup-LiveProbeEnv.ps1 (Infisical credential fetcher),
  Compute-Crc.ps1 (.NET parity helper).
- .github/workflows/ Rust CI: fmt + build + test + clippy on Windows.
- LICENSE MIT (Joseph Doherty, 2026).

Verified:
- cargo test --workspace → 217 passed (215 unit + 2 .NET parity), 0 failed
- cargo clippy --workspace -- -D warnings → clean
- cargo fmt --all -- --check → clean
- cargo publish --dry-run -p mxaccess-codec → packages cleanly

Excluded from history (see .gitignore):
- **/bin, **/obj, **/target — build artifacts
- analysis/ghidra/projects/ — Ghidra working state (regenerable)
- analysis/ghidra/input/ — AVEVA proprietary DLLs (vendor IP)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

379 lines
16 KiB
Markdown
# NmxSvcps.dll

## Program

- Language: `x86:LE:32:default`
- Compiler spec: `windows`
- Image base: `10000000`
- Executable format: `Portable Executable (PE)`

## Memory Blocks

| Name | Start | End | Size | R | W | X |
| --- | ---: | ---: | ---: | :---: | :---: | :---: |
| `Headers` | `10000000` | `100003ff` | 1024 | Y | | |
| `.text` | `10001000` | `100057ff` | 18432 | Y | | Y |
| `.orpc` | `10006000` | `100061ff` | 512 | Y | | Y |
| `.rdata` | `10007000` | `10009fff` | 12288 | Y | | |
| `.data` | `1000a000` | `1000b9bb` | 6588 | Y | Y | |
| `.rsrc` | `1000c000` | `1000c5ff` | 1536 | Y | | |
| `.reloc` | `1000d000` | `1000d9ff` | 2560 | Y | | |
| `tdb` | `ffdff000` | `ffdfffff` | 4096 | Y | Y | |

## External Imports

- `KERNEL32.DLL::DecodePointer`
- `KERNEL32.DLL::DeleteCriticalSection`
- `KERNEL32.DLL::DisableThreadLibraryCalls`
- `KERNEL32.DLL::EncodePointer`
- `KERNEL32.DLL::EnterCriticalSection`
- `KERNEL32.DLL::ExitProcess`
- `KERNEL32.DLL::FreeEnvironmentStringsW`
- `KERNEL32.DLL::GetACP`
- `KERNEL32.DLL::GetCPInfo`
- `KERNEL32.DLL::GetCommandLineA`
- `KERNEL32.DLL::GetCurrentProcess`
- `KERNEL32.DLL::GetCurrentProcessId`
- `KERNEL32.DLL::GetCurrentThreadId`
- `KERNEL32.DLL::GetEnvironmentStringsW`
- `KERNEL32.DLL::GetFileType`
- `KERNEL32.DLL::GetLastError`
- `KERNEL32.DLL::GetModuleFileNameA`
- `KERNEL32.DLL::GetModuleFileNameW`
- `KERNEL32.DLL::GetModuleHandleW`
- `KERNEL32.DLL::GetOEMCP`
- `KERNEL32.DLL::GetProcAddress`
- `KERNEL32.DLL::GetStartupInfoW`
- `KERNEL32.DLL::GetStdHandle`
- `KERNEL32.DLL::GetStringTypeW`
- `KERNEL32.DLL::GetSystemTimeAsFileTime`
- `KERNEL32.DLL::GetTickCount`
- `KERNEL32.DLL::HeapAlloc`
- `KERNEL32.DLL::HeapCreate`
- `KERNEL32.DLL::HeapDestroy`
- `KERNEL32.DLL::HeapFree`
- `KERNEL32.DLL::HeapReAlloc`
- `KERNEL32.DLL::HeapSize`
- `KERNEL32.DLL::InitializeCriticalSectionAndSpinCount`
- `KERNEL32.DLL::InterlockedDecrement`
- `KERNEL32.DLL::InterlockedIncrement`
- `KERNEL32.DLL::IsDebuggerPresent`
- `KERNEL32.DLL::IsProcessorFeaturePresent`
- `KERNEL32.DLL::IsValidCodePage`
- `KERNEL32.DLL::LCMapStringW`
- `KERNEL32.DLL::LeaveCriticalSection`
- `KERNEL32.DLL::LoadLibraryW`
- `KERNEL32.DLL::MultiByteToWideChar`
- `KERNEL32.DLL::QueryPerformanceCounter`
- `KERNEL32.DLL::RtlUnwind`
- `KERNEL32.DLL::SetHandleCount`
- `KERNEL32.DLL::SetLastError`
- `KERNEL32.DLL::SetUnhandledExceptionFilter`
- `KERNEL32.DLL::Sleep`
- `KERNEL32.DLL::TerminateProcess`
- `KERNEL32.DLL::TlsAlloc`
- `KERNEL32.DLL::TlsFree`
- `KERNEL32.DLL::TlsGetValue`
- `KERNEL32.DLL::TlsSetValue`
- `KERNEL32.DLL::UnhandledExceptionFilter`
- `KERNEL32.DLL::WideCharToMultiByte`
- `KERNEL32.DLL::WriteFile`
- `OLEAUT32.DLL::BSTR_UserFree`
- `OLEAUT32.DLL::BSTR_UserMarshal`
- `OLEAUT32.DLL::BSTR_UserSize`
- `OLEAUT32.DLL::BSTR_UserUnmarshal`
- `RPCRT4.DLL::CStdStubBuffer_AddRef`
- `RPCRT4.DLL::CStdStubBuffer_Connect`
- `RPCRT4.DLL::CStdStubBuffer_CountRefs`
- `RPCRT4.DLL::CStdStubBuffer_DebugServerQueryInterface`
- `RPCRT4.DLL::CStdStubBuffer_DebugServerRelease`
- `RPCRT4.DLL::CStdStubBuffer_Disconnect`
- `RPCRT4.DLL::CStdStubBuffer_Invoke`
- `RPCRT4.DLL::CStdStubBuffer_IsIIDSupported`
- `RPCRT4.DLL::CStdStubBuffer_QueryInterface`
- `RPCRT4.DLL::IUnknown_AddRef_Proxy`
- `RPCRT4.DLL::IUnknown_QueryInterface_Proxy`
- `RPCRT4.DLL::IUnknown_Release_Proxy`
- `RPCRT4.DLL::NdrCStdStubBuffer_Release`
- `RPCRT4.DLL::NdrDllCanUnloadNow`
- `RPCRT4.DLL::NdrDllGetClassObject`
- `RPCRT4.DLL::NdrDllRegisterProxy`
- `RPCRT4.DLL::NdrDllUnregisterProxy`
- `RPCRT4.DLL::NdrOleAllocate`
- `RPCRT4.DLL::NdrOleFree`

## Exports and Globals

| Name | Address | Function |
| --- | ---: | --- |
| `Ordinal_2` | `10001000` | `DllGetClassObject` |
| `DllGetClassObject` | `10001000` | `DllGetClassObject` |
| `Ordinal_1` | `10001040` | `DllCanUnloadNow` |
| `DllCanUnloadNow` | `10001040` | `DllCanUnloadNow` |
| `Ordinal_3` | `100010a0` | `DllRegisterServer` |
| `DllRegisterServer` | `100010a0` | `DllRegisterServer` |
| `Ordinal_4` | `100010e0` | `DllUnregisterServer` |
| `DllUnregisterServer` | `100010e0` | `DllUnregisterServer` |
| `NdrCStdStubBuffer_Release` | `1000111c` | `NdrCStdStubBuffer_Release` |
| `__CRT_INIT@12` | `1000118e` | `__CRT_INIT@12` |
| `___DllMainCRTStartup` | `100012f2` | `___DllMainCRTStartup` |
| `entry` | `100013e8` | `entry` |
| `___set_flsgetvalue` | `1000141d` | `___set_flsgetvalue` |
| `__mtterm` | `10001451` | `__mtterm` |
| `__initptd` | `1000148e` | `__initptd` |
| `__getptd_noexit` | `10001542` | `__getptd_noexit` |
| `__getptd` | `100015bb` | `__getptd` |
| `__freefls@4` | `100015d5` | `__freefls@4` |
| `__freeptd` | `10001704` | `__freeptd` |
| `__mtinit` | `10001772` | `__mtinit` |
| `_free` | `100018ed` | `_free` |
| `__malloc_crt` | `10001927` | `__malloc_crt` |
| `__calloc_crt` | `1000196c` | `__calloc_crt` |
| `__realloc_crt` | `100019b8` | `__realloc_crt` |
| `___crtCorExitProcess` | `10001a06` | `___crtCorExitProcess` |
| `___crtExitProcess` | `10001a31` | `___crtExitProcess` |
| `__init_pointers` | `10001a5b` | `__init_pointers` |
| `__initterm_e` | `10001a8e` | `__initterm_e` |
| `__cinit` | `10001ab2` | `__cinit` |
| `doexit` | `10001b49` | `doexit` |
| `_doexit` | `10001b49` | `doexit` |
| `__exit` | `10001c89` | `__exit` |
| `__cexit` | `10001c9f` | `__cexit` |
| `__amsg_exit` | `10001cae` | `__amsg_exit` |
| `__ioinit` | `10001ccc` | `__ioinit` |
| `__ioterm` | `10001f11` | `__ioterm` |
| `__setenvp` | `10001f64` | `__setenvp` |
| `parse_cmdline` | `10002040` | `parse_cmdline` |
| `_parse_cmdline` | `10002040` | `parse_cmdline` |
| `__setargv` | `100021da` | `__setargv` |
| `___crtGetEnvironmentStringsA` | `10002295` | `___crtGetEnvironmentStringsA` |
| `__RTC_Initialize` | `1000232c` | `__RTC_Initialize` |
| `__heap_init` | `10002378` | `__heap_init` |
| `__heap_term` | `10002396` | `__heap_term` |
| `__SEH_prolog4` | `100023b0` | `__SEH_prolog4` |
| `__SEH_epilog4` | `100023f5` | `__SEH_epilog4` |
| `__except_handler4` | `10002410` | `__except_handler4` |
| `__XcptFilter` | `1000259f` | `__XcptFilter` |
| `___CppXcptFilter` | `100026e9` | `___CppXcptFilter` |
| `___security_init_cookie` | `10002709` | `___security_init_cookie` |
| `__mtinitlocks` | `100027a4` | `__mtinitlocks` |
| `__mtdeletelocks` | `100027ee` | `__mtdeletelocks` |
| `__mtinitlocknum` | `1000285c` | `__mtinitlocknum` |
| `__lock` | `1000291e` | `__lock` |
| `___addlocaleref` | `10002951` | `___addlocaleref` |
| `___removelocaleref` | `100029e0` | `___removelocaleref` |
| `___freetlocinfo` | `10002a79` | `___freetlocinfo` |
| `__updatetlocinfoEx_nolock` | `10002bc4` | `__updatetlocinfoEx_nolock` |
| `___updatetlocinfo` | `10002c11` | `___updatetlocinfo` |
| `CPtoLCID` | `10002c8a` | `CPtoLCID` |
| `?CPtoLCID@@YAHH@Z` | `10002c8a` | `CPtoLCID` |
| `setSBCS` | `10002cb9` | `setSBCS` |
| `?setSBCS@@YAXPAUthreadmbcinfostruct@@@Z` | `10002cb9` | `setSBCS` |
| `setSBUpLow` | `10002d1d` | `setSBUpLow` |
| `?setSBUpLow@@YAXPAUthreadmbcinfostruct@@@Z` | `10002d1d` | `setSBUpLow` |
| `___updatetmbcinfo` | `10002ead` | `___updatetmbcinfo` |
| `??0_LocaleUpdate@@QAE@PAUlocaleinfo_struct@@@Z` | `10002f51` | `_LocaleUpdate` |
| `getSystemCP` | `10002fd8` | `getSystemCP` |
| `?getSystemCP@@YAHH@Z` | `10002fd8` | `getSystemCP` |
| `__setmbcp_nolock` | `10003054` | `__setmbcp_nolock` |
| `__setmbcp` | `1000323d` | `__setmbcp` |
| `___initmbctable` | `100033d7` | `___initmbctable` |
| `__get_errno_from_oserr` | `100033f5` | `__get_errno_from_oserr` |
| `__errno` | `10003437` | `__errno` |
| `_malloc` | `1000344a` | `_malloc` |
| `__calloc_impl` | `100034de` | `__calloc_impl` |
| `_realloc` | `10003560` | `_realloc` |
| `__initp_misc_winsig` | `10003657` | `__initp_misc_winsig` |
| `siglookup` | `10003675` | `siglookup` |
| `_siglookup` | `10003675` | `siglookup` |
| `_raise` | `100036b9` | `_raise` |
| `__call_reportfault` | `10003889` | `__call_reportfault` |
| `__invoke_watson` | `100039b2` | `__invoke_watson` |
| `__invalid_parameter` | `100039d7` | `__invalid_parameter` |
| `__callnewh` | `10003a23` | `__callnewh` |
| `__onexit_nolock` | `10003a4b` | `__onexit_nolock` |
| `__onexit` | `10003b32` | `__onexit` |
| `_atexit` | `10003b6e` | `_atexit` |
| `__initp_misc_cfltcvt_tab` | `10003b85` | `__initp_misc_cfltcvt_tab` |
| `__ValidateImageBase` | `10003bb0` | `__ValidateImageBase` |
| `__FindPESection` | `10003bf0` | `__FindPESection` |
| `__IsNonwritableInCurrentImage` | `10003c40` | `__IsNonwritableInCurrentImage` |
| `__GET_RTERRMSG` | `10003cfc` | `__GET_RTERRMSG` |
| `__NMSG_WRITE` | `10003d22` | `__NMSG_WRITE` |
| `__FF_MSGBANNER` | `10003ed1` | `__FF_MSGBANNER` |
| `_strcpy_s` | `10003f0a` | `_strcpy_s` |
| `_strlen` | `10003f70` | `_strlen` |
| `x_ismbbtype_l` | `10003ffb` | `x_ismbbtype_l` |
| `?x_ismbbtype_l@@YAHPAUlocaleinfo_struct@@IHH@Z` | `10003ffb` | `x_ismbbtype_l` |
| `__ismbblead` | `1000404e` | `__ismbblead` |
| `__security_check_cookie` | `10004066` | `__security_check_cookie` |
| `@__security_check_cookie@4` | `10004066` | `__security_check_cookie` |
| `__local_unwind4` | `10004080` | `__local_unwind4` |
| `_EH4_CallFilterFunc` | `10004172` | `_EH4_CallFilterFunc` |
| `@_EH4_CallFilterFunc@8` | `10004172` | `_EH4_CallFilterFunc` |
| `_EH4_TransferToHandler` | `10004189` | `_EH4_TransferToHandler` |
| `@_EH4_TransferToHandler@8` | `10004189` | `_EH4_TransferToHandler` |
| `_EH4_GlobalUnwind2` | `100041a2` | `_EH4_GlobalUnwind2` |
| `@_EH4_GlobalUnwind2@8` | `100041a2` | `_EH4_GlobalUnwind2` |
| `_EH4_LocalUnwind` | `100041bb` | `_EH4_LocalUnwind` |
| `@_EH4_LocalUnwind@16` | `100041bb` | `_EH4_LocalUnwind` |
| `___free_lc_time` | `100041d2` | `___free_lc_time` |
| `___free_lconv_num` | `10004549` | `___free_lconv_num` |
| `___free_lconv_mon` | `100045b2` | `___free_lconv_mon` |
| `_memset` | `100046b0` | `_memset` |
| `__freea` | `1000472a` | `__freea` |
| `__crtLCMapStringA_stat` | `1000474a` | `__crtLCMapStringA_stat` |
| `?__crtLCMapStringA_stat@@YAHPAUlocaleinfo_struct@@KKPBDHPADHHH@Z` | `1000474a` | `__crtLCMapStringA_stat` |
| `___crtLCMapStringA` | `10004931` | `___crtLCMapStringA` |
| `__crtGetStringTypeA_stat` | `10004977` | `__crtGetStringTypeA_stat` |
| `?__crtGetStringTypeA_stat@@YAHPAUlocaleinfo_struct@@KPBDHPAGHHH@Z` | `10004977` | `__crtGetStringTypeA_stat` |
| `___crtGetStringTypeA` | `10004a5e` | `___crtGetStringTypeA` |
| `__msize` | `10004a9e` | `__msize` |
| `_abort` | `10004ad1` | `_abort` |
| `FID_conflict:_memcpy` | `10004b10` | `FID_conflict:_memcpy` |
| `_memmove` | `10004b10` | `FID_conflict:_memcpy` |
| `_memcpy` | `10004b10` | `FID_conflict:_memcpy` |
| `___crtMessageBoxW` | `10004e82` | `___crtMessageBoxW` |
| `_wcscat_s` | `10004fee` | `_wcscat_s` |
| `_wcsncpy_s` | `10005063` | `_wcsncpy_s` |
| `_wcslen` | `10005130` | `_wcslen` |
| `_wcscpy_s` | `1000514b` | `_wcscpy_s` |
| `__set_error_mode` | `100051ae` | `__set_error_mode` |
| `___report_gsfailure` | `100051ed` | `___report_gsfailure` |
| `__global_unwind2` | `10005300` | `__global_unwind2` |
| `__local_unwind2` | `10005365` | `__local_unwind2` |
| `__NLG_Notify` | `10005415` | `__NLG_Notify` |
| `__VEC_memzero` | `10005437` | `__VEC_memzero` |
| `__alloca_probe_16` | `10005510` | `__alloca_probe_16` |
| `__alloca_probe_8` | `10005526` | `__alloca_probe_8` |
| `__alloca_probe` | `10005640` | `__alloca_probe` |
| `__chkstk` | `10005640` | `__alloca_probe` |
| `RtlUnwind` | `1000566c` | `RtlUnwind` |
| `Rsrc_Version_1_409` | `1000c0a0` | `` |
| `Rsrc_Manifest_2_409` | `1000c46c` | `` |
| `ExceptionList` | `ffdff000` | `` |
| `StackBase` | `ffdff004` | `` |
| `StackLimit` | `ffdff008` | `` |
| `SubSystemTib` | `ffdff00c` | `` |
| `FiberData` | `ffdff010` | `` |
| `ArbitraryUserPointer` | `ffdff014` | `` |
| `Self` | `ffdff018` | `` |
| `EnvironmentPointer` | `ffdff01c` | `` |
| `ClientId` | `ffdff020` | `` |
| `ActiveRpcHandle` | `ffdff028` | `` |
| `ThreadLocalStoragePointer` | `ffdff02c` | `` |
| `ProcessEnvironmentBlock` | `ffdff030` | `` |
| `LastErrorValue` | `ffdff034` | `` |
| `CountOfOwnedCriticalSections` | `ffdff038` | `` |
| `CsrClientThread` | `ffdff03c` | `` |
| `Win32ThreadInfo` | `ffdff040` | `` |
| `User32Reserved` | `ffdff044` | `` |
| `UserReserved` | `ffdff0ac` | `` |
| `WOW32Reserved` | `ffdff0c0` | `` |
| `CurrentLocale` | `ffdff0c4` | `` |
| `FpSoftwareStatusRegister` | `ffdff0c8` | `` |
| `SystemReserved1` | `ffdff0cc` | `` |
| `ExceptionCode` | `ffdff1a4` | `` |
| `ActivationContextStackPointer` | `ffdff1a8` | `` |
| `SpareBytes` | `ffdff1ac` | `` |
| `TxFsContext` | `ffdff1d0` | `` |
| `GdiTebBatch` | `ffdff1d4` | `` |
| `RealClientId` | `ffdff6b4` | `` |
| `GdiCachedProcessHandle` | `ffdff6bc` | `` |
| `GdiClientPID` | `ffdff6c0` | `` |
| `GdiCLientTID` | `ffdff6c4` | `` |
| `GdiThreadLocalInfo` | `ffdff6c8` | `` |
| `Win32ClientInfo` | `ffdff6cc` | `` |
| `glDispatchTable` | `ffdff7c4` | `` |
| `glReserved1` | `ffdffb68` | `` |
| `glReserved2` | `ffdffbdc` | `` |
| `glSectionInfo` | `ffdffbe0` | `` |
| `glSection` | `ffdffbe4` | `` |
| `glTable` | `ffdffbe8` | `` |
| `glCurrentRC` | `ffdffbec` | `` |
| `glContext` | `ffdffbf0` | `` |
| `LastStatusValue` | `ffdffbf4` | `` |
| `StaticUnicodeBuffer` | `ffdffc00` | `` |
| `DeallocationStack` | `ffdffe0c` | `` |
| `TlsSlots` | `ffdffe10` | `` |
| `TlsLinks.Flink` | `ffdfff10` | `` |
| `TlsLinks.Blink` | `ffdfff14` | `` |
| `Vdm` | `ffdfff18` | `` |
| `ReservedForNtRpc` | `ffdfff1c` | `` |
| `DbgSsReserved` | `ffdfff20` | `` |
| `HardErrorMode` | `ffdfff28` | `` |
| `Instrumentation` | `ffdfff2c` | `` |
| `ActivityId` | `ffdfff50` | `` |
| `SubProcessTag` | `ffdfff60` | `` |
| `EtwLocalData` | `ffdfff64` | `` |
| `EtwTraceData` | `ffdfff68` | `` |
| `WinSockData` | `ffdfff6c` | `` |
| `GdiBatchCount` | `ffdfff70` | `` |
| `IdealProcessorValue` | `ffdfff74` | `` |
| `GuaranteedStackBytes` | `ffdfff78` | `` |
| `ReservedForPerf` | `ffdfff7c` | `` |
| `ReservedForOle` | `ffdfff80` | `` |
| `WaitingOnLoaderLock` | `ffdfff84` | `` |
| `SavedPriorityState` | `ffdfff88` | `` |
| `SoftPatchPtr1` | `ffdfff8c` | `` |
| `ThreadPoolData` | `ffdfff90` | `` |
| `TlsExpansionSlots` | `ffdfff94` | `` |
| `MuiGeneration` | `ffdfff98` | `` |
| `IsImpersonating` | `ffdfff9c` | `` |
| `NlsCache` | `ffdfffa0` | `` |
| `pShimData` | `ffdfffa4` | `` |
| `HeapVirtualAffinity` | `ffdfffa8` | `` |
| `CurrentTransactionHandle` | `ffdfffac` | `` |
| `ActiveFrame` | `ffdfffb0` | `` |
| `FlsData` | `ffdfffb4` | `` |
| `PreferredLanguages` | `ffdfffb8` | `` |
| `UserPrefLanguages` | `ffdfffbc` | `` |
| `MergedPrefLanguages` | `ffdfffc0` | `` |
| `MuiImpersonation` | `ffdfffc4` | `` |
| `CrossTebFlags` | `ffdfffc8` | `` |
| `SameTebFlags` | `ffdfffca` | `` |
| `TxnScopeEnterCallback` | `ffdfffcc` | `` |
| `TxnScopeExitCallback` | `ffdfffd0` | `` |
| `TxnScopeContext` | `ffdfffd4` | `` |
| `LockCount` | `ffdfffd8` | `` |
| `ResourceRetValue` | `ffdfffe0` | `` |

## Interesting Strings and Referencing Functions

| Address | String | Referencing Functions |
| ---: | --- | --- |
| `10007538` | `INmxSvcCallback` | `` |
| `10007548` | `INmxNotify` | `` |
| `10007554` | `INmxService` | `` |
| `10007560` | `INmxStatus` | `` |
| `1000756c` | `INmxSvcStatistics` | `` |
| `10007580` | `INmxService2` | `` |
| `100097f6` | `NdrDllGetClassObject` | `` |
| `1000980e` | `NdrDllCanUnloadNow` | `` |
| `10009824` | `NdrCStdStubBuffer_Release` | `` |
| `10009840` | `NdrDllRegisterProxy` | `` |
| `10009856` | `NdrDllUnregisterProxy` | `` |
| `100099d2` | `NdrOleFree` | `` |
| `100099e0` | `NdrOleAllocate` | `` |
| `100099f0` | `RPCRT4.dll` | `` |
| `10009e80` | `NmxSvcPS.dll` | `` |
| `1000c1d0` | `NmxSvc_v0032` | `` |
| `1000c214` | `NmxSvcps Module` | `` |
| `1000c40c` | `NmxSvcps.dll` | `` |

## Interesting API Callers

| Caller | Entry | Call Targets |
| --- | ---: | --- |
| `DllGetClassObject` | `10001000` | `NdrDllGetClassObject` |
| `DllCanUnloadNow` | `10001040` | `NdrDllCanUnloadNow` |
| `FUN_10001050` | `10001050` | `NdrCStdStubBuffer_Release` |
| `DllRegisterServer` | `100010a0` | `NdrDllRegisterProxy` |
| `DllUnregisterServer` | `100010e0` | `NdrDllUnregisterProxy` |
| `setSBCS` | `10002cb9` | `_memset` |
| `setSBUpLow` | `10002d1d` | `_memset` |
| `__setmbcp_nolock` | `10003054` | `_memset` |
| `__call_reportfault` | `10003889` | `_memset` |
| `__crtGetStringTypeA_stat` | `10004977` | `_memset` |