Windows: how can I find out function names from calls into the import address table?
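I've disassembled a function in advapi32.dll (specifically RegOpenKeyEx). I see two FF 15 calls into the IAT:
call dword [0x77dd13ec]
and
call dword [0x77dd15d4]
Using dumpbin I dumped the DLL's imports, and it says the import address table starts at 77DD124C. But 0x77dd13ec does not appear in the log. The relative address of 1A0 doesn't appear anywhere in it either. Apparently the addresses shown have no relation to the addresses in the IAT.
Without writing and running a test program that actually calls the API, is it possible to know which functions these call sites link to? What is the way to find out?
I believe the linker generated these call instructions, which must know which function it is linking to.

It sounds like you're already close.
Using dumpbin will give you the list of modules that the module imports from, along with the functions imported from each of them. Each imported function has a hexadecimal number next to it. It seems you may have mistaken that number for an offset from the start of the IAT, where the function addresses are stored. In fact, it is just a hint number for the Windows loader. When the Windows loader binds a function, it looks up the function name in the module's export table using a binary search. The number in the dumpbin output is just a hint about where to start looking, to reduce load time.
Now that we've cleared that up, how do you determine what 0x77dd13ec points to?
It looks like it does point into the IAT. The version of advapi32.dll I'm looking at here has an IAT size of 0x668, so an offset of 0x1A0 into the IAT seems reasonable. If you look at the value stored at 0x77dd13ec, it will be a pointer to the function to call.
Now that you know the function's address, how do we know what the function is?
To do this manually, we look at which modules occupy space in memory. For example, say the value at 0x77dd13ec is 0x7D6103E4. I can see from Process Explorer or Visual Studio (or whatever tool you prefer) that ntdll.dll is loaded at 0x7D60000 with a size of 0xF0000, so it points into ntdll.dll. I can then subtract the module's base address to get the relative address (0x7D6103E4 - 0x7d60000 = 0x103E4). Then I can look at ntdll.dll's export table (I prefer depends.exe for this) and see that ntdll.dll exports a function named _allmul at 0x103E4. Voilà!
An easier way is to attach to the process with a debugger and go straight to the address 0x77dd13ec. It does all of the above for you.
I know it's been a few months since you posted this question, but I hope this still helps you, or someone else searching for it. I know this kind of information is hard to come by.
Example output from pointing OllyDbg at the advapi32.dll IAT (on my system, the advapi32.dll IAT starts at 0x7D1E1000):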
7D1E1000 >7D6103E4 ntdll._allmul
7D1E1004 >7D632AB1 ntdll.wcsncmp
7D1E1008 >7D62EA4C ntdll.RtlUnicodeStringToInteger
7D1E100C >7D6220DC ntdll.RtlAllocateHandle
7D1E1010 >7D622131 ntdll.RtlIsValidIndexHandle
7D1E1014 >7D6220A3 ntdll.RtlFreeHandle
7D1E1018 >7D61D2CA ntdll.ZwCompareTokens
7D1E101C >7D623653 ntdll.RtlEnumerateGenericTableWithoutSplaying
7D1E1020 >7D639E88 ntdll.RtlIsGenericTableEmpty
7D1E1024 >7D6295D3 ntdll.RtlExpandEnvironmentStrings_U
7D1E1028 >7D639D8D ntdll.RtlDuplicateUnicodeString
7D1E102C >7D62F24B ntdll.wcsstr
7D1E1030 >7D629EB3 ntdll.RtlCreateUnicodeString
7D1E1034 >7D61CA29 ntdll.ZwQueryInformationProcess
7D1E1038 >7D61C9E1 ntdll.ZwQueryKey
7D1E103C >7D6370C3 ntdll.RtlStringFromGUID
7D1E1040 >7D61CA89 ntdll.ZwCreateKey
7D1E1044 >7D61D0D2 ntdll.ZwSetValueKey
7D1E1048 >7D63A062 ntdll.RtlDeleteElementGenericTable
7D1E104C >7D63C644 ntdll.RtlInsertElementGenericTable
7D1E1050 >7D62F2B5 ntdll.RtlInitializeHandleTable
7D1E1054 >7D62F1FE ntdll.RtlDestroyHandleTable
7D1E1058 >7D62E9A6 ntdll.RtlIntegerToUnicodeString
7D1E105C >7D622B16 ntdll.RtlAppendUnicodeToString
7D1E1060 >7D623046 ntdll.RtlFormatCurrentUserKeyPath
7D1E1064 >7D61D582 ntdll.ZwDeleteKey
7D1E1068 >7D61CC81 ntdll.ZwEnumerateKey
7D1E106C >7D6217C3 ntdll._wcsicmp
7D1E1070 >7D63A633 ntdll.RtlInitializeGenericTable
7D1E1074 >7D62F228 ntdll.RtlNumberGenericTableElements
7D1E1078 >7D639EB6 ntdll.RtlLookupElementGenericTable
7D1E107C >7D67407B ntdll.RtlQueryRegistryValues
7D1E1080 >7D63C67E ntdll.RtlGUIDFromString
7D1E1084 >7D61F825 ntdll.RtlUpcaseUnicodeChar
7D1E1088 >7D61CEAA ntdll.ZwQueryVolumeInformationFile
7D1E108C >7D622201 ntdll.RtlPrefixUnicodeString
7D1E1090 >7D61DCD2 ntdll.ZwQuerySymbolicLinkObject
7D1E1094 >7D61DA1A ntdll.ZwOpenSymbolicLinkObject
7D1E1098 >7D624493 ntdll.RtlDetermineDosPathNameType_U
7D1E109C >7D61C969 ntdll.ZwQueryInformationFile
7D1E10A0 >7D62488B ntdll.RtlGetFullPathName_U
7D1E10A4 >7D638D8D ntdll.RtlMakeSelfRelativeSD
7D1E10A8 >7D640A0B ntdll.mbstowcs
7D1E10AC >7D68E909 ntdll.EtwControlTraceW
7D1E10B0 >7D63EC19 ntdll.wcscmp
7D1E10B4 >7D610557 ntdll._aulldiv
7D1E10B8 >7D61025B ntdll._alldiv
7D1E10BC >7D61C921 ntdll.ZwSetEvent
7D1E10C0 >7D61CE92 ntdll.ZwCreateEvent
7D1E10C4 >7D6899B1 ntdll._vsnprintf
7D1E10C8 >7D6382AF ntdll.RtlDestroyHeap
7D1E10CC >7D62E099 ntdll.RtlCreateHeap
7D1E10D0 >7D61CA11 ntdll.ZwAllocateVirtualMemory
7D1E10D4 >7D678DA8 ntdll.RtlFlushSecureMemoryCache
7D1E10D8 >7D61CAA1 ntdll.ZwFreeVirtualMemory
7D1E10DC >7D68C846 ntdll.EtwControlTraceA
7D1E10E0 >7D68F0C1 ntdll.EtwNotificationRegistrationW
7D1E10E4 >7D61CC69 ntdll.ZwQueryPerformanceCounter
7D1E10E8 >7D61D05A ntdll.ZwWaitForMultipleObjects
7D1E10EC >7D68F25A ntdll.EtwpGetTraceBuffer
7D1E10F0 >7D61D0BA ntdll.ZwPowerInformation
7D1E10F4 >7D62E986 ntdll.EtwpSetHWConfigFunction
7D1E10F8 >7D620C55 ntdll.RtlInitAnsiStringEx
7D1E10FC >7D624DF3 ntdll.RtlUnicodeToMultiByteN
7D1E1100 >7D61D92A ntdll.ZwNotifyChangeKey
7D1E1104 >7D61D072 ntdll.ZwSetInformationObject
7D1E1108 >7D61CD71 ntdll.ZwDuplicateObject
7D1E110C >7D689576 ntdll._itow
7D1E1110 >7D61E032 ntdll.ZwSetInformationKey
7D1E1114 >7D61D5B2 ntdll.ZwDeleteValueKey
7D1E1118 >7D61C999 ntdll.ZwEnumerateValueKey
7D1E111C >7D610BF7 ntdll.memcpy
7D1E1120 >7D61127D ntdll.memset
7D1E1124 >7D63EC51 ntdll.RtlTimeToSecondsSince1970
7D1E1128 >7D62176A ntdll._stricmp
7D1E112C >7D62EE3E ntdll.RtlUnwind
7D1E1130 >7D61CB19 ntdll.ZwQueryVirtualMemory
7D1E1134 >7D627988 ntdll.RtlGetNtProductType
7D1E1138 >7D61D042 ntdll.ZwQuerySystemTime
7D1E113C >7D67BB16 ntdll.RtlRandom
7D1E1140 >7D623334 ntdll.RtlCompareUnicodeString
7D1E1144 >7D61F844 ntdll.RtlInitUnicodeStringEx
7D1E1148 >7D670B47 ntdll.RtlxUnicodeStringToOemSize
7D1E114C >7D6224B9 ntdll.RtlAppendUnicodeStringToString
7D1E1150 >7D61C831 ntdll.ZwWaitForSingleObject
7D1E1154 >7D611A29 ntdll.RtlCompareMemory
7D1E1158 >7D61C879 ntdll.ZwDeviceIoControlFile
7D1E115C >7D622ADD ntdll.wcsrchr
7D1E1160 >7D61C981 ntdll.ZwOpenKey
7D1E1164 >7D61C9F9 ntdll.ZwQueryValueKey
7D1E1168 >7D6225AD ntdll.RtlCopyLuid
7D1E116C >7D6218B0 ntdll.RtlImageNtHeader
7D1E1170 >7D637046 ntdll.swprintf
7D1E1174 >7D6895D1 ntdll._ultow
7D1E1178 >7D6A0098 OFFSET ntdll.NlsMbCodePageTag
7D1E117C >7D670B6C ntdll.RtlxOemStringToUnicodeSize
7D1E1180 >7D6209AC ntdll.RtlMultiByteToUnicodeN
7D1E1184 >7D61EF3A ntdll.strstr
7D1E1188 >7D61EFCF ntdll.strchr
7D1E118C >7D689922 ntdll.tolower
7D1E1190 >7D6288A8 ntdll._wcsnicmp
7D1E1194 >7D621A06 ntdll.wcsncpy
7D1E1198 >7D632433 ntdll.wcstoul
7D1E119C >7D63ED14 ntdll._wcstoui64
7D1E11A0 >7D62F5F9 ntdll.iswctype
7D1E11A4 >7D622D60 ntdll.RtlConvertSidToUnicodeString
7D1E11A8 >7D669ABF ntdll.DbgPrint
7D1E11AC >7D62E8E2 ntdll.RtlOpenCurrentUser
7D1E11B0 >7D61F96E ntdll.RtlFreeUnicodeString
7D1E11B4 >7D629251 ntdll.RtlCreateUnicodeStringFromAsciiz
7D1E11B8 >7D61CCE1 ntdll.ZwQuerySystemInformation
7D1E11BC >7D64098C ntdll.atol
7D1E11C0 >7D610418 ntdll._chkstk
7D1E11C4 >7D61CBF1 ntdll.ZwTerminateProcess
7D1E11C8 >7D66DBDF ntdll.RtlAdjustPrivilege
7D1E11CC >7D61CA71 ntdll.ZwSetInformationProcess
7D1E11D0 >7D621D5E ntdll.wcschr
7D1E11D4 >7D61169A ntdll.strncpy
7D1E11D8 >7D670C42 ntdll.RtlUpcaseUnicodeStringToOemString
7D1E11DC >7D61F18C ntdll.RtlEnterCriticalSection
7D1E11E0 >7D61F1D7 ntdll.RtlLeaveCriticalSection
7D1E11E4 >7D610045 ntdll.RtlInitString
7D1E11E8 >7D62A64E ntdll.RtlIsTextUnicode
7D1E11EC >7D66E883 ntdll.RtlSetSecurityDescriptorRMControl
7D1E11F0 >7D66E821 ntdll.RtlGetSecurityDescriptorRMControl
7D1E11F4 >7D66D905 ntdll.RtlSelfRelativeToAbsoluteSD2
7D1E11F8 >7D61D642 ntdll.ZwFilterToken
7D1E11FC >7D61D74A ntdll.ZwImpersonateAnonymousToken
7D1E1200 >7D610F3D ntdll.memmove
7D1E1204 >7D624F14 ntdll.RtlUnicodeStringToAnsiString
7D1E1208 >7D620CB7 ntdll.RtlUnicodeToMultiByteSize
7D1E120C >7D622FE1 ntdll.RtlCopyUnicodeString
7D1E1210 >7D61C909 ntdll.ZwSetInformationThread
7D1E1214 >7D66E018 ntdll.RtlImpersonateSelf
7D1E1218 >7D61CD29 ntdll.ZwFsControlFile
7D1E121C >7D61DCA2 ntdll.ZwQuerySecurityObject
7D1E1220 >7D639057 ntdll.RtlOemStringToUnicodeString
7D1E1224 >7D624938 ntdll.RtlDosPathNameToRelativeNtPathName_U
7D1E1228 >7D61CC99 ntdll.ZwOpenFile
7D1E122C >7D624473 ntdll.RtlReleaseRelativeName
7D1E1230 >7D61E0F2 ntdll.ZwSetSecurityObject
7D1E1234 >7D61C939 ntdll.ZwClose
7D1E1238 >7D66D984 ntdll.RtlSelfRelativeToAbsoluteSD
7D1E123C >7D638D66 ntdll.RtlAbsoluteToSelfRelativeSD
7D1E1240 >7D63DBA5 ntdll.RtlDeleteSecurityObject
7D1E1244 >7D660F20 ntdll.RtlQuerySecurityObject
7D1E1248 >7D660EF7 ntdll.RtlSetSecurityObjectEx
7D1E124C >7D660ECF ntdll.RtlSetSecurityObject
7D1E1250 >7D660E95 ntdll.RtlNewSecurityObjectWithMultipleInheritance
7D1E1254 >7D63D435 ntdll.RtlNewSecurityObjectEx
7D1E1258 >7D661730 ntdll.RtlConvertToAutoInheritSecurityObject
7D1E125C >7D660EA5 ntdll.RtlNewSecurityObject
7D1E1260 >7D6333BA ntdll.RtlGetGroupSecurityDescriptor
7D1E1264 >7D637A22 ntdll.RtlSetGroupSecurityDescriptor
7D1E1268 >7D6301B1 ntdll.RtlGetOwnerSecurityDescriptor
7D1E126C >7D6379D8 ntdll.RtlSetOwnerSecurityDescriptor
7D1E1270 >7D633385 ntdll.RtlGetSaclSecurityDescriptor
7D1E1274 >7D66DEBE ntdll.RtlSetSaclSecurityDescriptor
7D1E1278 >7D62B269 ntdll.RtlGetDaclSecurityDescriptor
7D1E127C >7D6375FF ntdll.RtlSetDaclSecurityDescriptor
7D1E1280 >7D66DE7F ntdll.RtlSetControlSecurityDescriptor
7D1E1284 >7D624CFD ntdll.RtlGetControlSecurityDescriptor
7D1E1288 >7D6332F1 ntdll.RtlLengthSecurityDescriptor
7D1E128C >7D633236 ntdll.RtlValidSecurityDescriptor
7D1E1290 >7D6375D1 ntdll.RtlCreateSecurityDescriptor
7D1E1294 >7D637515 ntdll.RtlFirstFreeAce
7D1E1298 >7D670405 ntdll.RtlAddAuditAccessObjectAce
7D1E129C >7D6703B7 ntdll.RtlAddAccessDeniedObjectAce
7D1E12A0 >7D67036A ntdll.RtlAddAccessAllowedObjectAce
7D1E12A4 >7D670332 ntdll.RtlAddAuditAccessAceEx
7D1E12A8 >7D6702FB ntdll.RtlAddAuditAccessAce
7D1E12AC >7D6702D7 ntdll.RtlAddAccessDeniedAceEx
7D1E12B0 >7D6702B4 ntdll.RtlAddAccessDeniedAce
7D1E12B4 >7D6390DF ntdll.RtlAddAccessAllowedAceEx
7D1E12B8 >7D637785 ntdll.RtlAddAccessAllowedAce
7D1E12BC >7D6301F3 ntdll.RtlGetAce
7D1E12C0 >7D64283B ntdll.RtlDeleteAce
7D1E12C4 >7D66FF8E ntdll.RtlAddAce
7D1E12C8 >7D66FE7A ntdll.RtlSetInformationAcl
7D1E12CC >7D66FF02 ntdll.RtlQueryInformationAcl
7D1E12D0 >7D637733 ntdll.RtlCreateAcl
7D1E12D4 >7D637550 ntdll.RtlValidAcl
7D1E12D8 >7D63D23D ntdll.RtlMapGenericMask
7D1E12DC >7D66DF40 ntdll.RtlAreAnyAccessesGranted
7D1E12E0 >7D66DF24 ntdll.RtlAreAllAccessesGranted
7D1E12E4 >7D628858 ntdll.RtlCopySid
7D1E12E8 >7D62888C ntdll.RtlLengthSid
7D1E12EC >7D62970C ntdll.RtlSubAuthorityCountSid
7D1E12F0 >7D621862 ntdll.RtlSubAuthoritySid
7D1E12F4 >7D66DC96 ntdll.RtlIdentifierAuthoritySid
7D1E12F8 >7D637A6C ntdll.RtlAllocateAndInitializeSid
7D1E12FC >7D6380CB ntdll.RtlFreeSid
7D1E1300 >7D621830 ntdll.RtlInitializeSid
7D1E1304 >7D6377A8 ntdll.RtlLengthRequiredSid
7D1E1308 >7D63D1ED ntdll.RtlEqualPrefixSid
7D1E130C >7D62187A ntdll.RtlEqualSid
7D1E1310 >7D622B95 ntdll.RtlValidSid
7D1E1314 >7D61DAAA ntdll.ZwPrivilegedServiceAuditAlarm
7D1E1318 >7D61D59A ntdll.ZwDeleteObjectAuditAlarm
7D1E131C >7D61CD59 ntdll.ZwCloseObjectAuditAlarm
7D1E1320 >7D61DA92 ntdll.ZwPrivilegeObjectAuditAlarm
7D1E1324 >7D61D9D2 ntdll.ZwOpenObjectAuditAlarm
7D1E1328 >7D61D192 ntdll.ZwAccessCheckByTypeResultListAndAuditAlarmByHandle
7D1E132C >7D61D17A ntdll.ZwAccessCheckByTypeResultListAndAuditAlarm
7D1E1330 >7D61D02A ntdll.ZwAccessCheckByTypeAndAuditAlarm
7D1E1334 >7D61CBA9 ntdll.ZwAccessCheckAndAuditAlarm
7D1E1338 >7D61DA7A ntdll.ZwPrivilegeCheck
7D1E133C >7D61D1DA ntdll.ZwAdjustGroupsToken
7D1E1340 >7D61CDE9 ntdll.ZwAdjustPrivilegesToken
7D1E1344 >7D61E04A ntdll.ZwSetInformationToken
7D1E1348 >7D61CAE9 ntdll.ZwQueryInformationToken
7D1E134C >7D61CB31 ntdll.ZwOpenThreadToken
7D1E1350 >7D61D9EA ntdll.ZwOpenProcessToken
7D1E1354 >7D61D162 ntdll.ZwAccessCheckByTypeResultList
7D1E1358 >7D61D14A ntdll.ZwAccessCheckByType
7D1E135C >7D61D132 ntdll.ZwAccessCheck
7D1E1360 >7D61D222 ntdll.ZwAllocateLocallyUniqueId
7D1E1364 >7D61CE01 ntdll.ZwDuplicateToken
7D1E1368 >7D6331AD ntdll._vsnwprintf
7D1E136C >7D61007D ntdll.RtlInitAnsiString
7D1E1370 >7D620B10 ntdll.RtlAnsiStringToUnicodeString
7D1E1374 >7D61F96E ntdll.RtlFreeUnicodeString
7D1E1378 >7D6100B5 ntdll.RtlInitUnicodeString
7D1E137C >7D624821 ntdll.RtlDosPathNameToNtPathName_U
7D1E1380 >7D61F4CB ntdll.RtlFreeHeap
7D1E1384 >7D61F7E6 ntdll.wcslen
7D1E1388 >7D61F686 ntdll.RtlAllocateHeap
7D1E138C >7D622AB9 ntdll.wcscpy
7D1E1390 >7D628909 ntdll.wcscat
7D1E1394 >7D6202F5 ntdll.RtlNtStatusToDosError
7D1E1398 >7D621199 ntdll.RtlDeleteCriticalSection
7D1E139C >7D68A275 ntdll.wcstombs
7D1E13A0 >7D621CAF ntdll.RtlInitializeCriticalSection
7D1E13A4 >7D621CC8 ntdll.RtlEqualUnicodeString
7D1E13A8 >7D620341 ntdll.RtlNtStatusToDosErrorNoTeb
7D1E13AC >7D61D672 ntdll.ZwFlushKey
7D1E13B0 >7D66E6D8 ntdll.RtlValidRelativeSecurityDescriptor
7D1E13B4 >7D61D7F2 ntdll.ZwLoadKey
7D1E13B8 >7D61E2EA ntdll.ZwUnloadKey
7D1E13BC >7D61DDC2 ntdll.ZwReplaceKey
7D1E13C0 >7D61D942 ntdll.ZwNotifyChangeMultipleKeys
7D1E13C4 >7D61DC12 ntdll.ZwQueryMultipleValueKey
7D1E13C8 >7D61DE6A ntdll.ZwRestoreKey
7D1E13CC >7D61DE9A ntdll.ZwSaveKey
7D1E13D0 >7D61DECA ntdll.ZwSaveMergedKeys
7D1E13D4 >7D61CFCA ntdll.ZwCreateFile
7D1E13D8 >7D61DEB2 ntdll.ZwSaveKeyEx
7D1E13DC >7D68D071 ntdll.EtwTraceEvent
7D1E13E0 >7D68E3B1 ntdll.EtwStartTraceW
7D1E13E4 >7D68F015 ntdll.EtwQueryTraceW
7D1E13E8 >7D627827 ntdll.RtlGetVersion
7D1E13EC >7D61CB49 ntdll.ZwQueryInformationThread
7D1E13F0 >7D61C861 ntdll.ZwReadFile
7D1E13F4 >7D61C891 ntdll.ZwWriteFile
7D1E13F8 >7D610418 ntdll._chkstk
7D1E13FC >7D62368B ntdll.RtlReAllocateHeap
7D1E1400 00000000
7D1E1404 >7D52A507 kernel32.OutputDebugStringW
7D1E1408 >7D4D9099 kernel32.LocalFree
7D1E140C >7D4D90FD kernel32.LocalAlloc
7D1E1410 >7D4E1F1C kernel32.LocalReAlloc
7D1E1414 >7D4D93AD kernel32.WideCharToMultiByte
7D1E1418 >7D4D8F75 kernel32.lstrlenW
7D1E141C >7D4D920B kernel32.MultiByteToWideChar
7D1E1420 >7D4E0DF9 kernel32.lstrlenA
7D1E1424 >7D4E3B5F kernel32.AreFileApisANSI
7D1E1428 >7D4D9179 kernel32.IsBadWritePtr
7D1E142C >7D4D8E1B kernel32.CloseHandle
7D1E1430 >7D61F4BC ntdll.RtlGetLastWin32Error
7D1E1434 >7D4DAC0B kernel32.GetProcAddress
7D1E1438 >7D4D0DC0 kernel32.LoadLibraryA
7D1E143C >7D4E456B kernel32.GetComputerNameW
7D1E1440 >7D4E2669 kernel32.OpenProcess
7D1E1444 >7D4E22E6 kernel32.ResumeThread
7D1E1448 >7D4D0845 kernel32.ReadFile
7D1E144C >7D4DA92D kernel32.WriteFile
7D1E1450 >7D4D8FB9 kernel32.GetCurrentProcessId
7D1E1454 >7D530BCD kernel32.WaitNamedPipeW
7D1E1458 >7D4D99C0 kernel32.CreateFileW
7D1E145C >7D4E257D kernel32.lstrcpynW
7D1E1460 >7D50629E kernel32.CopyFileW
7D1E1464 >7D4DE779 kernel32.FindFirstFileExW
7D1E1468 >7D4DC7A4 kernel32.FindNextFileW
7D1E146C >7D4DA41F kernel32.SetErrorMode
7D1E1470 >7D4D0B09 kernel32.LoadLibraryExW
7D1E1474 >7D4E24D7 kernel32.lstrcpyW
7D1E1478 >7D4E26C7 kernel32.GetFileTime
7D1E147C >7D4D0F40 kernel32.GetSystemTime
7D1E1480 >7D4DF884 kernel32.GetModuleFileNameW
7D1E1484 >7D504CEC kernel32.GetPrivateProfileIntW
7D1E1488 >7D4E28E9 kernel32.GetSystemWindowsDirectoryW
7D1E148C >7D4DDCD3 kernel32.GetUserDefaultUILanguage
7D1E1490 >7D4E2288 kernel32.RaiseException
7D1E1494 >7D4D1314 kernel32.ReadProcessMemory
7D1E1498 >7D4F501C kernel32.GetProfileIntA
7D1E149C >7D501563 kernel32.GetProfileStringA
7D1E14A0 >7D4F7CF0 kernel32.GetComputerNameA
7D1E14A4 >7D4DC623 kernel32.CreateMutexW
7D1E14A8 >7D4F8CCE kernel32.GetComputerNameExW
7D1E14AC >7D4DF56F kernel32.CreateThread
7D1E14B0 >7D504E16 kernel32.SetNamedPipeHandleState
7D1E14B4 >7D4E7B6E kernel32.IsWow64Process
7D1E14B8 >7D4E3C55 kernel32.OpenEventW
7D1E14BC >7D4EA383 kernel32.GetModuleHandleExW
7D1E14C0 >7D4E2A39 kernel32.GetSystemDirectoryW
7D1E14C4 >7D53182C kernel32.GetLogicalDriveStringsW
7D1E14C8 >7D4D961D kernel32.GetDriveTypeW
7D1E14CC >7D4F794C kernel32.GetDiskFreeSpaceW
7D1E14D0 >7D4F7A90 kernel32.GetDiskFreeSpaceExW
7D1E14D4 >7D4E099E kernel32.GetVolumeInformationW
7D1E14D8 >7D4EA660 kernel32.GlobalMemoryStatusEx
7D1E14DC >7D4E07D2 kernel32.GetSystemInfo
7D1E14E0 >7D54720F kernel32.EnumUILanguagesW
7D1E14E4 >7D4E2942 kernel32.GetWindowsDirectoryW
7D1E14E8 >7D4DEBA3 kernel32.FindFirstFileW
7D1E14EC >7D4DEA39 kernel32.FindClose
7D1E14F0 >7D4D91E9 kernel32.ResetEvent
7D1E14F4 >7D4D8EBE kernel32.SetEvent
7D1E14F8 >7D4D0A5C kernel32.CreateFileA
7D1E14FC >7D52CA61 kernel32.GetOverlappedResult
7D1E1500 >7D4F9D53 kernel32.GetVolumePathNameW
7D1E1504 >7D4E23C1 kernel32.FindResourceExW
7D1E1508 >7D4D1704 kernel32.ReleaseMutex
7D1E150C >7D4DA77B kernel32.CompareFileTime
7D1E1510 >7D4DCBAB kernel32.OpenMutexW
7D1E1514 >7D4D8BFB kernel32.WaitForSingleObject
7D1E1518 >7D4E408F kernel32.GetLongPathNameW
7D1E151C >7D4DA700 kernel32.GetFileSizeEx
7D1E1520 >7D4DA63A kernel32.CreateFileMappingW
7D1E1524 >7D4DFC37 kernel32.GetModuleHandleW
7D1E1528 >7D4E0974 kernel32.FormatMessageW
7D1E152C >7D4E1C74 kernel32.GetLocalTime
7D1E1530 >7D61F4A2 ntdll.RtlSetLastWin32Error
7D1E1534 >7D4DC8F9 kernel32.DeleteFileW
7D1E1538 >7D4E3768 kernel32.MoveFileW
7D1E153C >7D4E1471 kernel32.ExpandEnvironmentStringsW
7D1E1540 >7D4D14E0 kernel32.Sleep
7D1E1544 >7D4DA340 kernel32.lstrcmpW
7D1E1548 >7D4E7BAF kernel32.GetCommandLineW
7D1E154C >7D4E0EA8 kernel32.lstrcmpiW
7D1E1550 >7D621199 ntdll.RtlDeleteCriticalSection
7D1E1554 >7D4D067D kernel32.DeviceIoControl
7D1E1558 >7D4DFEC0 kernel32.GetVersionExA
7D1E155C >7D4D8834 kernel32.InterlockedExchange
7D1E1560 >7D4DA498 kernel32.CreateEventW
7D1E1564 >7D51249B kernel32.SetUnhandledExceptionFilter
7D1E1568 >7D535509 kernel32.UnhandledExceptionFilter
7D1E156C >7D4D1004 kernel32.TerminateProcess
7D1E1570 >7D4D0FBA kernel32.GetSystemTimeAsFileTime
7D1E1574 >7D4DC6E5 kernel32.QueryPerformanceCounter
7D1E1578 >7D4D8848 kernel32.InterlockedCompareExchange
7D1E157C >7D54D025 kernel32.DelayLoadFailureHook
7D1E1580 >7D4DD79D kernel32.GetCurrentProcess
7D1E1584 >7D53243F kernel32.GetPriorityClass
7D1E1588 >7D4D9586 kernel32.GetFileAttributesW
7D1E158C >7D4DA3DB kernel32.GetFullPathNameW
7D1E1590 >7D4D8D8B kernel32.GetCurrentThreadId
7D1E1594 >7D4D168E kernel32.GetTickCount
7D1E1598 >7D4D0E7C kernel32.SleepEx
7D1E159C >7D61F18C ntdll.RtlEnterCriticalSection
7D1E15A0 >7D4E2496 kernel32.LoadLibraryW
7D1E15A4 >7D61F1D7 ntdll.RtlLeaveCriticalSection
7D1E15A8 >7D4E2511 kernel32.FreeLibrary
7D1E15AC >7D4D8E09 kernel32.GetProcessHeap
7D1E15B0 >7D61F686 ntdll.RtlAllocateHeap
7D1E15B4 >7D61F4CB ntdll.RtlFreeHeap
7D1E15B8 >7D502818 kernel32.ExpandEnvironmentStringsA
7D1E15BC >7D4F62BD kernel32.OpenFile
7D1E15C0 >7D4DA73F kernel32.GetFileSize
7D1E15C4 >7D4E38B9 kernel32._lclose
7D1E15C8 >7D4E014E kernel32.SearchPathW
7D1E15CC >7D4E5F72 kernel32.GetFileAttributesExW
7D1E15D0 >7D4DA517 kernel32.CreateFileMappingA
7D1E15D4 >7D4DA5FE kernel32.MapViewOfFile
7D1E15D8 >7D4DA7BB kernel32.SetFilePointer
7D1E15DC >7D4DA5D2 kernel32.UnmapViewOfFile
7D1E15E0 >7D4E16E9 kernel32.FindResourceA
7D1E15E4 >7D4E0D9E kernel32.LoadResource
7D1E15E8 >7D4E1D19 kernel32.SizeofResource
7D1E15EC >7D4D8820 kernel32.InterlockedDecrement
7D1E15F0 >7D4D880C kernel32.InterlockedIncrement
7D1E15F4 >7D4DAC73 kernel32.GetModuleHandleA
7D1E15F8 >7D4EB4CA kernel32.CreateProcessInternalA
7D1E15FC >7D4D8DAC kernel32.GetCurrentThread
7D1E1600 >7D4ECE40 kernel32.CreateProcessInternalW
7D1E1604 00000000
7D1E1608 >7DA503A2 RPCRT4.UuidFromStringW
7D1E160C >7DA39929 RPCRT4.RpcStringFreeW
7D1E1610 >7DA79D70 RPCRT4.UuidToStringW
7D1E1614 >7DA44925 RPCRT4.RpcRaiseException
7D1E1618 >7DA722E5 RPCRT4.RpcBindingSetAuthInfoExA
7D1E161C >7DA35D48 RPCRT4.RpcBindingFree
7D1E1620 >7DA39EB4 RPCRT4.RpcBindingFromStringBindingW
7D1E1624 >7DA39CBD RPCRT4.RpcStringBindingComposeW
7D1E1628 >7DA43060 RPCRT4.RpcBindingSetAuthInfoExW
7D1E162C >7DAC0005 RPCRT4.NdrClientCall2
7D1E1630 >7DA7DE50 RPCRT4.RpcStringBindingParseW
7D1E1634 >7DA6F145 RPCRT4.I_RpcMapWin32Status
7D1E1638 >7DA6B28D RPCRT4.RpcBindingToStringBindingW
7D1E163C >7DA390D8 RPCRT4.NDRCContextBinding
7D1E1640 >7DA660AD RPCRT4.RpcRevertToSelf
7D1E1644 >7DA4CDF9 RPCRT4.RpcImpersonateClient
7D1E1648 >7DA660BA RPCRT4.I_RpcBindingIsClientLocal
7D1E164C >7DA44F23 RPCRT4.I_RpcExceptionFilter
7D1E1650 >7DA4285B RPCRT4.RpcSsDestroyClientContext
7D1E1654 >7DA66C54 RPCRT4.RpcBindingSetAuthInfoW
7D1E1658 >7DA726FB RPCRT4.RpcBindingSetAuthInfoA
7D1E165C >7DA66880 RPCRT4.RpcEpResolveBinding
7D1E1660 >7DA667AB RPCRT4.I_RpcSNCHOption
7D1E1664 00000000
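
The slot-to-name mapping can also be read from the image itself by walking its import directory, which goes beyond the debugger method in the answer; the following is an added example, not part of the original question or answer. It assumes a PE32 image laid out by RVA with the import directory RVA supplied by the caller, and it runs on a constructed sample whose load address, hints and ordinal are made up.

```python
import struct

ORDINAL_FLAG32 = 0x80000000  # high bit of a PE32 thunk: import by ordinal
IMAGE_BASE = 0x77DD0000      # assumed load address of the sample image

def cstr(img, rva):
    """Read a NUL-terminated ASCII string at an RVA."""
    return img[rva:img.index(b"\0", rva)].decode("ascii")

def map_iat_slots(img, image_base, import_dir_rva):
    """Return {IAT slot VA: (dll, function, hint)} for a mapped PE32 image."""
    slots, desc = {}, import_dir_rva
    while True:
        # Fields: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        ilt, _, _, name_rva, iat = struct.unpack_from("<5I", img, desc)
        if not (ilt or name_rva or iat):
            return slots  # an all-zero descriptor ends the array
        dll, lookup, i = cstr(img, name_rva), ilt or iat, 0
        while True:
            (thunk,) = struct.unpack_from("<I", img, lookup + 4 * i)
            if thunk == 0:
                break  # a zero thunk ends this DLL's list
            slot_va = image_base + iat + 4 * i  # what a call operand names
            if thunk & ORDINAL_FLAG32:
                slots[slot_va] = (dll, "#%d" % (thunk & 0xFFFF), None)
            else:  # thunk is the RVA of IMAGE_IMPORT_BY_NAME {hint, name}
                (hint,) = struct.unpack_from("<H", img, thunk)
                slots[slot_va] = (dll, cstr(img, thunk + 2), hint)
            i += 1
        desc += 20

def resolve_call(code, slots):
    """Name the import behind a 6-byte FF 15 disp32 (call dword [addr])."""
    if len(code) < 6 or code[:2] != b"\xff\x15":
        raise ValueError("not an FF 15 indirect call")
    (slot_va,) = struct.unpack_from("<I", code, 2)
    return slots.get(slot_va)

def build_sample_image():
    """Constructed image where RVA == offset; hints and ordinal are made up."""
    img = bytearray(0x400)
    for rva, s in ((0x300, b"ntdll.dll"), (0x310, b"kernel32.dll")):
        img[rva:rva + len(s)] = s
    for rva, hint, s in ((0x320, 7, b"_allmul"), (0x330, 42, b"ZwOpenKey"),
                         (0x340, 3, b"CloseHandle")):
        struct.pack_into("<H", img, rva, hint)
        img[rva + 2:rva + 2 + len(s)] = s
    for table in (0x180, 0x200):  # ILT and on-disk IAT hold the same thunks
        struct.pack_into("<3I", img, table, 0x320, 0x330, 0)
        struct.pack_into("<3I", img, table + 12, 0x340, ORDINAL_FLAG32 | 17, 0)
    struct.pack_into("<5I", img, 0x100, 0x180, 0, 0, 0x300, 0x200)  # ntdll
    struct.pack_into("<5I", img, 0x114, 0x18C, 0, 0, 0x310, 0x20C)  # kernel32
    return bytes(img)

SLOTS = map_iat_slots(build_sample_image(), IMAGE_BASE, 0x100)

if __name__ == "__main__":
    for va, (dll, fn, hint) in sorted(SLOTS.items()):
        print("%08X  %s!%s  hint=%s" % (va, dll, fn, hint))
```

On a real DLL file, each RVA has to be translated to a file offset through the section table first, and the import directory RVA comes from data directory entry 1 of the optional header.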