Thursday, June 22, 2023

Setting up a WDM test (debugging) environment: Windows OS kernel debugging

 

  • Test environment setup (a VM debugging environment for kernel debugging)

    Prepare a virtual OS for kernel debugging: install a VM (Windows 10 x64)

    Prepare a tool for loading the kernel driver: download osrloader (https://www.osronline.com/OsrDown.cfm/osrloaderv30.zip%5Ename=osrloaderv30.zip&id=157)

    Set up the kernel debugger environment

    Install VirtualKD-Redux Virtual Machine Monitor (use the release that supports Windows 10; the version must match) and windbg




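Enable kernel debugger print (kdprint) output: ed nt!Kd_DEFAULT_Mask 0xFFFFFFFF; disable it: ed nt!Kd_DEFAULT_Mask 0


Test steps

  • When booting the VM, press F8 and boot with the "Disable driver signature enforcement" option
  • Load the test driver by registering and then starting it (register → start) with the osrloader tool


Kernel debugging screen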





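Microsoft Visual Studio build error

  • Error

"Inf2Cat, signability test failed." Double click to see the tool output.

When double-clicked

Cause

To actually install a Device Driver project after building it, the driver has to go through a signing process, and Visual Studio runs that signing process automatically after the build.
A program called Inf2Cat carries out the signing process, and the date the driver was created must match the date it is signed.
Because the default is UTC (Coordinated Universal Time), it does not match Korean time (UTC+9:00), so the driver build fails with an error.

Fix

Project Properties > Configuration Properties > Inf2Cat > Use Local Time > change to Yes (Use Local Time)

Reference

[VS2015] Fixing the "Inf2Cat, signability test failed." error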


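Microsoft Visual Studio build error [error MSB4018]

  • Error
    error MSB4018: "SignTask" 작업에서 예기치 않은 오류가 발생했습니다.
    (English text of the same message: The "SignTask" task failed unexpectedly.)
    Fix
    Run Visual Studio (devenv.exe) as administrator

Reference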
https://stackoverflow.com/questions/36223909/msbuild-error-msb4018the-signtask-task-failed-unexpectedly-in-vs2015

Microsoft Visual Studio 2019 build error [error 1297]

An error that occurs at the start of the build

  • Error
    error 1297: Device driver does not install on any devices, use primitive driver if this is intended.
    Fix
    Open the .inf file that is generated automatically under Driver Files and delete all the values in the [Manufacturer] section, as shown below
    From
    [Manufacturer]
    %ManufacturerName%=Standard,NT$ARCH$
    To
    [Manufacturer]

Reference

https://github.com/microsoft/Windows-driver-samples/issues/573

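Building a driver with Visual Studio 2019

Environment setup

Notes

- Install in the order IDE --> SDK --> WDK

- The SDK and WDK versions must match

0. Install the IDE (Microsoft Visual Studio Community 2019)

1. Select Workloads > Desktop development with C++

Install Windows 10 SDK (10.0.19041.0)

[Figure 1]

Once it is installed, it can be confirmed under Installation details, as in [Figure 1]

2. Install the WDK

[Figure 2]
Confirm that the same version of the WDK is installed

3. Create a new project in the IDE

[Figure 3]
Select Create a new project

4. Select Empty WDM Driver

[Figure 4]

Once the project is created, add main.c to the source files, write DriverEntry() (the driver's entry function), and build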


Monday, May 29, 2023

Include guard

When a team develops source code together, it is easy to end up including the same header file more than once.

An include guard prevents a header file from being included redundantly.

// Check whether _SOMETHING_ is already defined
#ifndef _SOMETHING_

// Define _SOMETHING_ if the check above
// finds that it is not defined yet
#define _SOMETHING_

// declarations for SOMETHING go here

#endif // _SOMETHING_

Alternatively, you can put #pragma once at the top of the header file, before you define anything.

The differences between the two are as follows.
#ifndef
If the header file is included several times, the compiler checks each time whether the macro is defined.
It works with every compiler because it is a preprocessor directive, which is device-independent.

#pragma once
A file that declares "#pragma once" is compiled only once and is not even read again, so it is faster than #ifndef. However, it is a compiler directive and works only with certain compilers. It is supported in Visual C++ 5.0 and later.

Thursday, April 6, 2023

How to inspect a process's IAT in windbg

1. Open windbg and attach to the running process

2. Run the !peb command to confirm that the debugger context is set to the msedge.exe process

!peb command output
0:020> !peb
PEB at 000000d361c70000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00007ff65f7c0000
    NtGlobalFlag:             0
    NtGlobalFlag2:            0
    Ldr                       00007ffa7bebc4c0
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 000002bd70003d00 . 000002bd700314e0
    Ldr.InLoadOrderModuleList:           000002bd70003e70 . 000002bd700314c0
    Ldr.InMemoryOrderModuleList:         000002bd70003e80 . 000002bd700314d0
                    Base TimeStamp                     Module
            7ff65f7c0000 6424ce40 Mar 30 08:48:16 2023 C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            7ffa7bd50000 b5ced1c6 Aug 28 23:10:14 2066 C:\WINDOWS\SYSTEM32\ntdll.dll
            7ffa7baa0000 e35abded Nov 15 05:34:53 2090 C:\WINDOWS\System32\KERNEL32.DLL
            7ffa79990000 e7e53a4e Apr 14 23:59:26 2093 C:\WINDOWS\System32\KERNELBASE.dll
            7ffa3deb0000 6424ce40 Mar 30 08:48:16 2023 C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\msedge_elf.dll
            7ffa7aa10000 f9911b39 Sep 07 10:41:13 2102 C:\WINDOWS\System32\advapi32.dll
            7ffa7b7c0000 564f9f39 Nov 21 07:31:21 2015 C:\WINDOWS\System32\msvcrt.dll
            7ffa7b8c0000 40d0f379 Jun 17 10:27:21 2004 C:\WINDOWS\System32\sechost.dll
            7ffa7aac0000 a71cfb7a Nov 05 13:00:58 2058 C:\WINDOWS\System32\RPCRT4.dll
            7ffa78e20000 28e89a43 Oct 02 00:54:43 1991 C:\WINDOWS\SYSTEM32\CRYPTBASE.DLL
            7ffa79d10000 856685b0 Dec 03 04:17:04 2040 C:\WINDOWS\System32\bcryptPrimitives.dll
            7ffa261e0000 6424ce40 Mar 30 08:48:16 2023 C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\msedge.dll
            7ffa7b9c0000 61567b6b Oct 01 12:07:23 2021 C:\WINDOWS\System32\OLEAUT32.dll
            7ffa795d0000 39255ccf May 20 00:25:03 2000 C:\WINDOWS\System32\msvcp_win.dll
            7ffa794d0000 2bd748bf Apr 23 10:39:11 1993 C:\WINDOWS\System32\ucrtbase.dll
            7ffa79da0000 f4ecbc84 Mar 20 01:04:20 2100 C:\WINDOWS\System32\combase.dll
            7ffa6f190000 b8ca2d77 Mar 29 23:40:55 2068 C:\WINDOWS\SYSTEM32\WINMM.dll
            7ffa794a0000 87ca24c8 Mar 12 02:30:48 2042 C:\WINDOWS\System32\bcrypt.dll
            7ffa79670000 ce95420b Oct 30 19:44:27 2079 C:\WINDOWS\System32\crypt32.dll
            7ffa70850000 7c197411 Dec 24 02:14:57 2035 C:\WINDOWS\SYSTEM32\dbghelp.dll
            7ffa73e50000 5b7a74e4 Aug 20 16:59:32 2018 C:\WINDOWS\SYSTEM32\dhcpcsvc.dll
            7ffa3d8d0000 6424ce40 Mar 30 08:48:16 2023 C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\ffmpeg.dll
            7ffa788b0000 bcfc4371 Jun 22 16:49:05 2070 C:\WINDOWS\SYSTEM32\iphlpapi.dll
            7ffa78f20000 b127427f Mar 08 03:29:19 2064 C:\WINDOWS\SYSTEM32\ncrypt.dll
            7ffa78ee0000 1a7045f2 Jan 22 05:39:14 1984 C:\WINDOWS\SYSTEM32\NTASN1.dll
            7ffa6ea90000 7aec0e44 May 09 11:28:20 2035 C:\WINDOWS\SYSTEM32\secur32.dll
            7ffa49500000 d9e68c91 Nov 05 11:18:57 2085 C:\WINDOWS\SYSTEM32\uiautomationcore.dll
            7ffa73350000 3a69740d Jan 20 20:18:37 2001 C:\WINDOWS\SYSTEM32\PROPSYS.dll
            7ffa79310000 fa786637 Mar 01 21:14:47 2103 C:\WINDOWS\SYSTEM32\userenv.dll
            7ffa73d40000 14531102 Oct 21 23:56:02 1980 C:\WINDOWS\SYSTEM32\version.dll
            7ffa73950000 1883c6c8 Jan 13 16:01:28 1983 C:\WINDOWS\SYSTEM32\winhttp.dll
            7ffa64830000 e1088af6 Aug 21 12:31:02 2089 C:\WINDOWS\SYSTEM32\winspool.drv
            7ffa79c70000 ce6df005 Sep 30 23:56:05 2079 C:\WINDOWS\System32\wintrust.dll
            7ffa79040000 065c6e40 May 20 13:40:32 1973 C:\WINDOWS\SYSTEM32\MSASN1.dll
            7ffa7a990000 aff3315b Jul 18 11:18:03 2063 C:\WINDOWS\System32\ws2_32.dll
            7ffa68b20000 29a9e8ad Feb 25 15:56:45 1992 C:\WINDOWS\system32\dwrite.dll
    SubSystemData:     0000000000000000
    ProcessHeap:       000002bd6ff20000
    ProcessParameters: 000002bd700030b0
    CurrentDirectory:  'C:\Program Files (x86)\Microsoft\Edge\Application\111.0.1661.62\'
    WindowTitle:  'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    ImageFile:    'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
    CommandLine:  '"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --lang=ko --js-flags=--ms-user-locale=ko_KR --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --time-ticks-at-unix-epoch=-1680681028510649 --launch-time-ticks=62746376945 --mojo-platform-channel-handle=9596 --field-trial-handle=1944,i,3789062115407176725,14247285865967555308,131072 /prefetch:1'
    DllPath:      '< Name not readable >'
    Environment:  000002bd700027f0
        CHROME_CRASHPAD_PIPE_NAME=\\.\pipe\crashpad_8048_VCEJDEIOERONYQBX
        LOCALAPPDATA=C:\Users\afirst.mihee\AppData\Local
        Path=C:\Program Files (x86)\Microsoft\Edge\Application;C:\Program Files\Common Files\Oracle\Java\javapath;C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\WINDOWS\System32\OpenSSH\;C:\Program Files\Git\cmd;C:\Program Files\Tesseract-OCR;C:\Users\afirst.mihee\AppData\Local\Programs\Python\Python311\Scripts\;C:\Users\afirst.mihee\AppData\Local\Programs\Python\Python311\;C:\Users\afirst.mihee\AppData\Local\Programs\Python\Python310\Scripts\;C:\Users\afirst.mihee\AppData\Local\Programs\Python\Python310\;C:\Users\afirst.mihee\AppData\Local\Microsoft\WindowsApps;C:\Users\afirst.mihee\AppData\Local\Programs\Microsoft VS Code\bin;C:\FFmpeg\bin;C:\Users\afirst.mihee\AppData\Local\GitHubDesktop\bin;C:\Users\afirst.mihee\AppData\Local\bin\NASM;C:\Python27;
        SystemDrive=C:
        SystemRoot=C:\WINDOWS
        TEMP=C:\Users\AFIRST~1.MIH\AppData\Local\Temp
        TMP=C:\Users\AFIRST~1.MIH\AppData\Local\Temp

3. Use !dh msedge.exe to dump the image headers of the process from memory

!dh msedge.exe
0:020> !dh msedge.exe

File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
    8664 machine (X64)
       E number of sections
6424CE40 time date stamp Thu Mar 30 08:48:16 2023

       0 file pointer to symbol table
       0 number of symbols
      F0 size of optional header
      22 characteristics
            Executable
            App can handle >2gb addresses

OPTIONAL HEADER VALUES
     20B magic #
   14.00 linker version
  2B3000 size of code
  127200 size of initialized data
       0 size of uninitialized data
  15EED0 address of entry point
    1000 base of code
         ----- new -----
00007ff65f7c0000 image base
    1000 section alignment
     200 file alignment
       2 subsystem (Windows GUI)
    5.02 operating system version
    0.00 image version
    5.02 subsystem version
  3F3000 size of image
     400 size of headers
  3E810C checksum
0000000000800000 size of stack reserve
0000000000001000 size of stack commit
0000000000100000 size of heap reserve
0000000000001000 size of heap commit
    C160  DLL characteristics
            High entropy VA supported
            Dynamic base
            NX compatible
            Guard
            Terminal server aware
  30EDD4 [      87] address [size] of Export Directory
  30EE5B [      50] address [size] of Import Directory
  360000 [   8F288] address [size] of Resource Directory
  33F000 [   14AFC] address [size] of Exception Directory
  3DBC00 [    27D0] address [size] of Security Directory
  3F0000 [    2FD8] address [size] of Base Relocation Directory
  30B5C0 [      54] address [size] of Debug Directory
       0 [       0] address [size] of Description Directory
       0 [       0] address [size] of Special Directory
  30B2F8 [      28] address [size] of Thread Storage Directory
  2B4170 [     138] address [size] of Load Configuration Directory
       0 [       0] address [size] of Bound Import Directory
  30F690 [     7E0] address [size] of Import Address Table Directory
  30DA18 [     1E0] address [size] of Delay Import Directory
       0 [       0] address [size] of COR20 Header Directory
       0 [       0] address [size] of Reserved Directory


SECTION HEADER #1
   .text name
  2B2EB4 virtual size
    1000 virtual address
  2B3000 size of raw data
     400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

SECTION HEADER #2
  .rdata name
   6B6CC virtual size
  2B4000 virtual address
   6B800 size of raw data
  2B3400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only


Debug Directories(3)
Type       Size     Address  Pointer
cv           53      30b614   30aa14 Format: RSDS, guid, 1, D:\a\_work\e\src\out\Release_x64\initialexe\msedge.exe.pdb
(    13)     598      30b668   30aa68
(    20)       4      30bc00   30b000

SECTION HEADER #3
   .data name
   1E43C virtual size
  320000 virtual address
   10E00 size of raw data
  31EC00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #4
  .pdata name
   14AFC virtual size
  33F000 virtual address
   14C00 size of raw data
  32FA00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #5
  .00cfg name
      28 virtual size
  354000 virtual address
     200 size of raw data
  344600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #6
   .gxfg name
    32C0 virtual size
  355000 virtual address
    3400 size of raw data
  344800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #7
.retplne name
      94 virtual size
  359000 virtual address
     200 size of raw data
  347C00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #8
    .tls name
     181 virtual size
  35A000 virtual address
     200 size of raw data
  347E00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #9
 .voltbl name
      42 virtual size
  35B000 virtual address
     200 size of raw data
  348000 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
       0 flags
         (no align specified)

SECTION HEADER #A
CPADinfo name
      38 virtual size
  35C000 virtual address
     200 size of raw data
  348200 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
C0000040 flags
         Initialized Data
         (no align specified)
         Read Write

SECTION HEADER #B
 LZMADEC name
    11F1 virtual size
  35D000 virtual address
    1200 size of raw data
  348400 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
60000020 flags
         Code
         (no align specified)
         Execute Read

SECTION HEADER #C
  _RDATA name
      F4 virtual size
  35F000 virtual address
     200 size of raw data
  349600 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #D
   .rsrc name
   8F288 virtual size
  360000 virtual address
   8F400 size of raw data
  349800 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
40000040 flags
         Initialized Data
         (no align specified)
         Read Only

SECTION HEADER #E
  .reloc name
    2FD8 virtual size
  3F0000 virtual address
    3000 size of raw data
  3D8C00 file pointer to raw data
       0 file pointer to relocation table
       0 file pointer to line numbers
       0 number of relocations
       0 number of line numbers
42000040 flags
         Initialized Data
         Discardable
         (no align specified)
         Read Only

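4. dps <image base address>+<IAT offset> L<IAT size>/8

The image base (00007ff65f7c0000) and the address and size of the Import Address Table Directory (30F690 [7E0]) come from the !dh output above. Each IAT entry is an 8-byte pointer on x64, so the size is divided by 8 to get the number of entries to display.

dps 7ff65f7c0000+30F690 L7E0/8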
0:020> dps 7ff65f7c0000+30F690 L7E0/8
00007ff6`5facf690  00007ffa`3dfa4ee0 msedge_elf!GetInstallDetailsPayload
00007ff6`5facf698  00007ffa`3dfa3100 msedge_elf!IsBrowserProcess
00007ff6`5facf6a0  00007ffa`3dfa3110 msedge_elf!IsExtensionPointDisableSet
00007ff6`5facf6a8  00007ffa`3dfa2f80 msedge_elf!SignalChromeElf
00007ff6`5facf6b0  00007ffa`3dfa2f70 msedge_elf!SignalInitializeCrashReporting
00007ff6`5facf6b8  00000000`00000000
00007ff6`5facf6c0  00007ffa`7bd790a0 ntdll!RtlAcquireSRWLockExclusive
00007ff6`5facf6c8  00007ffa`7bac06c0 KERNEL32!AssignProcessToJobObject
00007ff6`5facf6d0  00007ffa`7bac1430 KERNEL32!CancelIoStub
00007ff6`5facf6d8  00007ffa`7bac50a0 KERNEL32!CloseHandle
00007ff6`5facf6e0  00007ffa`7babce60 KERNEL32!CompareStringWStub
00007ff6`5facf6e8  00007ffa`7bac1790 KERNEL32!ConnectNamedPipeStub
00007ff6`5facf6f0  00007ffa`7bac5990 KERNEL32!CopyFileW
00007ff6`5facf6f8  00007ffa`7bac52f0 KERNEL32!CreateDirectoryW
00007ff6`5facf700  00007ffa`7bac5120 KERNEL32!CreateEventW
00007ff6`5facf708  00007ffa`7bac5310 KERNEL32!CreateFileA
00007ff6`5facf710  00007ffa`7babd0a0 KERNEL32!CreateFileMappingWStub
00007ff6`5facf718  00007ffa`7bac5320 KERNEL32!CreateFileW
00007ff6`5facf720  00007ffa`7badb040 KERNEL32!CreateHardLinkWStub
00007ff6`5facf728  00007ffa`7babe110 KERNEL32!CreateIoCompletionPortStub
00007ff6`5facf730  00007ffa`7babe9b0 KERNEL32!CreateJobObjectW
00007ff6`5facf738  00007ffa`7bac5160 KERNEL32!CreateMutexW
00007ff6`5facf740  00007ffa`7bac0a30 KERNEL32!CreateNamedPipeWStub
00007ff6`5facf748  00007ffa`7babd320 KERNEL32!CreateProcessWStub
00007ff6`5facf750  00007ffa`7badb1e0 KERNEL32!CreateRemoteThreadStub
00007ff6`5facf758  00007ffa`7bac5180 KERNEL32!CreateSemaphoreW
00007ff6`5facf760  00007ffa`7babbd70 KERNEL32!CreateThreadStub
00007ff6`5facf768  00007ffa`7bac8260 KERNEL32!CreateToolhelp32Snapshot
00007ff6`5facf770  00007ffa`7badb290 KERNEL32!DebugBreakStub
00007ff6`5facf778  00007ffa`7bd60fc0 ntdll!RtlDeleteCriticalSection
00007ff6`5facf780  00007ffa`7bac5350 KERNEL32!DeleteFileW
00007ff6`5facf788  00007ffa`79a0d950 KERNELBASE!AfpAdminDisconnect
00007ff6`5facf790  00007ffa`7bac2720 KERNEL32!DisconnectNamedPipeStub
00007ff6`5facf798  00007ffa`7bac50b0 KERNEL32!DuplicateHandle
00007ff6`5facf7a0  00007ffa`7bdc1f40 ntdll!RtlEncodePointer
00007ff6`5facf7a8  00007ffa`7bd7faa0 ntdll!RtlEnterCriticalSection
00007ff6`5facf7b0  00007ffa`7badb4f0 KERNEL32!EnumSystemLocalesExStub
00007ff6`5facf7b8  00007ffa`7badb510 KERNEL32!EnumSystemLocalesWStub
00007ff6`5facf7c0  00007ffa`7babe860 KERNEL32!ExitProcessImplementation
00007ff6`5facf7c8  00007ffa`7bda4640 ntdll!RtlExitUserThread
00007ff6`5facf7d0  00007ffa`7babbf60 KERNEL32!ExpandEnvironmentStringsWStub
00007ff6`5facf7d8  00007ffa`7bac5810 KERNEL32!FileTimeToSystemTime
00007ff6`5facf7e0  00007ffa`7bac5380 KERNEL32!FindClose
00007ff6`5facf7e8  00007ffa`7bac53e0 KERNEL32!FindFirstFileExW
00007ff6`5facf7f0  00007ffa`7bac5450 KERNEL32!FindNextFileW
00007ff6`5facf7f8  00007ffa`7bac09f0 KERNEL32!FindResourceWStub
00007ff6`5facf800  00007ffa`7bac0990 KERNEL32!FlsAllocStub
00007ff6`5facf808  00007ffa`7bac12d0 KERNEL32!FlsFreeStub
00007ff6`5facf810  00007ffa`7bab8cb0 KERNEL32!FlsGetValueStub
00007ff6`5facf818  00007ffa`7babca90 KERNEL32!FlsSetValueStub
00007ff6`5facf820  00007ffa`7bac5480 KERNEL32!FlushFileBuffers
00007ff6`5facf828  00007ffa`7badb5f0 KERNEL32!FlushViewOfFileStub
00007ff6`5facf830  00007ffa`7bac2840 KERNEL32!FormatMessageAStub
00007ff6`5facf838  00007ffa`7babfe70 KERNEL32!FreeEnvironmentStringsWStub
00007ff6`5facf840  00007ffa`7babcf90 KERNEL32!FreeLibraryStub
00007ff6`5facf848  00007ffa`7bac17f0 KERNEL32!FreeLibraryAndExitThreadStub
00007ff6`5facf850  00007ffa`7babe820 KERNEL32!GetACPStub
00007ff6`5facf858  00007ffa`7babeaa0 KERNEL32!GetCPInfoStub
00007ff6`5facf860  00007ffa`7bac0600 KERNEL32!GetCommandLineAStub
00007ff6`5facf868  00007ffa`7babfb80 KERNEL32!GetCommandLineWStub
00007ff6`5facf870  00007ffa`7bac09b0 KERNEL32!GetComputerNameExWStub
00007ff6`5facf878  00007ffa`7bac5ab0 KERNEL32!GetConsoleMode
00007ff6`5facf880  00007ffa`7bac5ac0 KERNEL32!GetConsoleOutputCP
00007ff6`5facf888  00007ffa`7bac06f0 KERNEL32!GetCurrentDirectoryWStub
00007ff6`5facf890  00007ffa`7bac5040 KERNEL32!GetCurrentProcess
00007ff6`5facf898  00007ffa`7bac5050 KERNEL32!GetCurrentProcessId
00007ff6`5facf8a0  00007ffa`7bdf1d00 ntdll!RtlGetCurrentProcessorNumber
00007ff6`5facf8a8  00007ffa`7bab5e80 KERNEL32!GetCurrentThread
00007ff6`5facf8b0  00007ffa`7bab5b30 KERNEL32!GetCurrentThreadId
00007ff6`5facf8b8  00007ffa`7bac0e60 KERNEL32!GetDateFormatWStub
00007ff6`5facf8c0  00007ffa`7bac54e0 KERNEL32!GetDriveTypeW
00007ff6`5facf8c8  00007ffa`7babfe50 KERNEL32!GetEnvironmentStringsWStub
00007ff6`5facf8d0  00007ffa`7babbdf0 KERNEL32!GetEnvironmentVariableWStub
00007ff6`5facf8d8  00007ffa`7babd820 KERNEL32!GetExitCodeProcessImplementation
00007ff6`5facf8e0  00007ffa`7bac5510 KERNEL32!GetFileAttributesExW
00007ff6`5facf8e8  00007ffa`7bac5520 KERNEL32!GetFileAttributesW
00007ff6`5facf8f0  00007ffa`7bac5530 KERNEL32!GetFileInformationByHandle
00007ff6`5facf8f8  00007ffa`7babfe10 KERNEL32!GetFileInformationByHandleExStub
00007ff6`5facf900  00007ffa`7bac5550 KERNEL32!GetFileSizeEx
00007ff6`5facf908  00007ffa`7bac5560 KERNEL32!GetFileTime
00007ff6`5facf910  00007ffa`7bac5570 KERNEL32!GetFileType
00007ff6`5facf918  00007ffa`7bac55b0 KERNEL32!GetFullPathNameW
00007ff6`5facf920  00007ffa`7bab61d0 KERNEL32!GetLastErrorStub
00007ff6`5facf928  00007ffa`7babe7e0 KERNEL32!GetLocalTimeStub
00007ff6`5facf930  00007ffa`7bac05e0 KERNEL32!GetLocaleInfoWStub
00007ff6`5facf938  00007ffa`7bac1830 KERNEL32!GetLogicalProcessorInformationStub
00007ff6`5facf940  00007ffa`7baa68c0 KERNEL32!GetLongPathNameW
00007ff6`5facf948  00007ffa`7babe6e0 KERNEL32!GetModuleFileNameWStub
00007ff6`5facf950  00007ffa`7babf870 KERNEL32!GetModuleHandleAStub
00007ff6`5facf958  00007ffa`7babfdf0 KERNEL32!GetModuleHandleExWStub
00007ff6`5facf960  00007ffa`7babd8f0 KERNEL32!GetModuleHandleWStub
00007ff6`5facf968  00007ffa`7bb01fd0 KERNEL32!GetNamedPipeClientProcessId
00007ff6`5facf970  00007ffa`7bac0e40 KERNEL32!GetNativeSystemInfoStub
00007ff6`5facf978  00007ffa`7bac1a80 KERNEL32!GetOEMCPStub
00007ff6`5facf980  00007ffa`7babb690 KERNEL32!GetProcAddressStub
00007ff6`5facf988  00007ffa`7badb960 KERNEL32!GetProcessHandleCountStub
00007ff6`5facf990  00007ffa`7bab6190 KERNEL32!GetProcessHeapStub
00007ff6`5facf998  00007ffa`7badb980 KERNEL32!GetProcessHeapsStub
00007ff6`5facf9a0  00007ffa`7babd790 KERNEL32!GetProcessIdStub
00007ff6`5facf9a8  00007ffa`799f8a80 KERNELBASE!GetProcessMitigationPolicy
00007ff6`5facf9b0  00007ffa`7babb2a0 KERNEL32!GetProcessTimesStub
00007ff6`5facf9b8  00007ffa`7bac1910 KERNEL32!GetProductInfoStub
00007ff6`5facf9c0  00007ffa`7bab63b0 KERNEL32!GetQueuedCompletionStatusStub
00007ff6`5facf9c8  00007ffa`7babdff0 KERNEL32!GetStartupInfoWStub
00007ff6`5facf9d0  00007ffa`7babdc50 KERNEL32!GetStdHandleStub
00007ff6`5facf9d8  00007ffa`7babeaf0 KERNEL32!GetStringTypeWStub
00007ff6`5facf9e0  00007ffa`7bac1470 KERNEL32!GetSystemDefaultLCIDStub
00007ff6`5facf9e8  00007ffa`7babb5d0 KERNEL32!GetSystemDirectoryWStub
00007ff6`5facf9f0  00007ffa`7babe370 KERNEL32!GetSystemInfoStub
00007ff6`5facf9f8  00007ffa`7bab8350 KERNEL32!GetSystemTimeAsFileTimeStub
00007ff6`5facfa00  00007ffa`7bac5980 KERNEL32!GetSystemWow64DirectoryW
00007ff6`5facfa08  00007ffa`7bac5600 KERNEL32!GetTempPathW
00007ff6`5facfa10  00007ffa`7bac0d30 KERNEL32!GetThreadContextStub
00007ff6`5facfa18  00007ffa`7bac13d0 KERNEL32!GetThreadIdStub
00007ff6`5facfa20  00007ffa`7baba8c0 KERNEL32!GetThreadLocaleStub
00007ff6`5facfa28  00007ffa`7babc040 KERNEL32!GetThreadPriorityStub
00007ff6`5facfa30  00007ffa`7bab5c20 KERNEL32!GetTickCountKernel32
00007ff6`5facfa38  00007ffa`7bab6310 KERNEL32!GetTickCount64Kernel32
00007ff6`5facfa40  00007ffa`7babf980 KERNEL32!GetTimeFormatWStub
00007ff6`5facfa48  00007ffa`7bac10c0 KERNEL32!GetTimeZoneInformationStub
00007ff6`5facfa50  00007ffa`7bac0360 KERNEL32!GetUserDefaultLCIDStub
00007ff6`5facfa58  00007ffa`7badbb90 KERNEL32!GetUserDefaultLangIDStub
00007ff6`5facfa60  00007ffa`7babeb30 KERNEL32!GetUserDefaultLocaleNameStub
00007ff6`5facfa68  00007ffa`7bac12f0 KERNEL32!GetUserDefaultUILanguageStub
00007ff6`5facfa70  00007ffa`7babf9a0 KERNEL32!GetUserGeoID
00007ff6`5facfa78  00007ffa`7bac0140 KERNEL32!GetVersionExWStub
00007ff6`5facfa80  00007ffa`7bac3080 KERNEL32!GetWindowsDirectoryWStub
00007ff6`5facfa88  00007ffa`7bac1a60 KERNEL32!HeapDestroyStub
00007ff6`5facfa90  00007ffa`7bac0ba0 KERNEL32!HeapSetInformationStub
00007ff6`5facfa98  00007ffa`799ee0d0 KERNELBASE!InitOnceExecuteOnce
00007ff6`5facfaa0  00007ffa`7bdb1570 ntdll!RtlInitializeCriticalSection
00007ff6`5facfaa8  00007ffa`7bac51a0 KERNEL32!InitializeCriticalSectionAndSpinCount
00007ff6`5facfab0  00007ffa`79a07cd0 KERNELBASE!InitializeProcThreadAttributeList
00007ff6`5facfab8  00007ffa`7bdbeba0 ntdll!RtlInitializeSListHead
00007ff6`5facfac0  00007ffa`7bac0970 KERNEL32!IsDebuggerPresentStub
00007ff6`5facfac8  00007ffa`7babe300 KERNEL32!IsProcessorFeaturePresentStub
00007ff6`5facfad0  00007ffa`7bac0430 KERNEL32!IsValidCodePageStub
00007ff6`5facfad8  00007ffa`7bac0660 KERNEL32!IsValidLocaleStub
00007ff6`5facfae0  00007ffa`7babfe30 KERNEL32!IsWow64ProcessStub
00007ff6`5facfae8  00007ffa`7babf890 KERNEL32!K32GetModuleInformationStub
00007ff6`5facfaf0  00007ffa`7badbfd0 KERNEL32!K32GetPerformanceInfoStub
00007ff6`5facfaf8  00007ffa`7badc010 KERNEL32!K32GetProcessMemoryInfoStub
00007ff6`5facfb00  00007ffa`7badc090 KERNEL32!K32QueryWorkingSetExStub
00007ff6`5facfb08  00007ffa`7bab8c70 KERNEL32!LCMapStringWStub
00007ff6`5facfb10  00007ffa`7bd7f230 ntdll!RtlLeaveCriticalSection
00007ff6`5facfb18  00007ffa`7bac0380 KERNEL32!LoadLibraryExAStub
00007ff6`5facfb20  00007ffa`7babb590 KERNEL32!LoadLibraryExWStub
00007ff6`5facfb28  00007ffa`7bac06a0 KERNEL32!LoadLibraryWStub
00007ff6`5facfb30  00007ffa`7babbb30 KERNEL32!LoadResourceStub
00007ff6`5facfb38  00007ffa`7bab8330 KERNEL32!LocalFreeStub
00007ff6`5facfb40  00007ffa`7bac5680 KERNEL32!LockFileEx
00007ff6`5facfb48  00007ffa`7babbb90 KERNEL32!LockResourceStub
00007ff6`5facfb50  00007ffa`7babdfb0 KERNEL32!MapViewOfFileStub
00007ff6`5facfb58  00007ffa`7bac1450 KERNEL32!MoveFileExWStub
00007ff6`5facfb60  00007ffa`7bac3050 KERNEL32!MoveFileW
00007ff6`5facfb68  00007ffa`7bab5df0 KERNEL32!MultiByteToWideCharStub
00007ff6`5facfb70  00007ffa`7babb5b0 KERNEL32!OpenProcessStub
00007ff6`5facfb78  00007ffa`7bac4a90 KERNEL32!OutputDebugStringAStub
00007ff6`5facfb80  00007ffa`7badc280 KERNEL32!PeekNamedPipeStub
00007ff6`5facfb88  00007ffa`7babbb70 KERNEL32!PostQueuedCompletionStatusStub
00007ff6`5facfb90  00007ffa`79a0ea80 KERNELBASE!PrefetchVirtualMemory
00007ff6`5facfb98  00007ffa`7bac2e50 KERNEL32!Process32FirstW
00007ff6`5facfba0  00007ffa`7bac2bf0 KERNEL32!Process32NextW
00007ff6`5facfba8  00007ffa`7bac5690 KERNEL32!QueryDosDeviceW
00007ff6`5facfbb0  00007ffa`7babe010 KERNEL32!QueryInformationJobObject
00007ff6`5facfbb8  00007ffa`7bab61f0 KERNEL32!QueryPerformanceCounterStub
00007ff6`5facfbc0  00007ffa`7babb670 KERNEL32!QueryPerformanceFrequencyStub
00007ff6`5facfbc8  00007ffa`7baa10e0 KERNEL32!QueryThreadCycleTimeStub
00007ff6`5facfbd0  00007ffa`7bac0470 KERNEL32!RaiseExceptionStub
00007ff6`5facfbd8  00007ffa`7bac5b30 KERNEL32!ReadConsoleW
00007ff6`5facfbe0  00007ffa`7bac56a0 KERNEL32!ReadFile
00007ff6`5facfbe8  00007ffa`7babccb0 KERNEL32!ReadProcessMemoryStub
00007ff6`5facfbf0  00007ffa`7bab5ab0 KERNEL32!RegisterWaitForSingleObject
00007ff6`5facfbf8  00007ffa`7bd62c70 ntdll!RtlReleaseSRWLockExclusive
00007ff6`5facfc00  00007ffa`7bac5220 KERNEL32!ReleaseSemaphore
00007ff6`5facfc08  00007ffa`7bac56e0 KERNEL32!RemoveDirectoryW
00007ff6`5facfc10  00007ffa`7badcb40 KERNEL32!ReplaceFileWStub
00007ff6`5facfc18  00007ffa`7bac5230 KERNEL32!ResetEvent
00007ff6`5facfc20  00007ffa`7babe880 KERNEL32!ResumeThreadStub
00007ff6`5facfc28  00007ffa`7bac4e80 KERNEL32!RtlCaptureContext
00007ff6`5facfc30  00007ffa`7bac25f0 KERNEL32!RtlCaptureStackBackTraceStub
00007ff6`5facfc38  00007ffa`7babdab0 KERNEL32!RtlLookupFunctionEntryStub
00007ff6`5facfc40  00007ffa`7babdb80 KERNEL32!RtlPcToFileHeaderStub
00007ff6`5facfc48  00007ffa`7badcc50 KERNEL32!RtlUnwindStub
00007ff6`5facfc50  00007ffa`7bac01b0 KERNEL32!RtlUnwindExStub
00007ff6`5facfc58  00007ffa`7baa1010 KERNEL32!RtlVirtualUnwindStub
00007ff6`5facfc60  00007ffa`7bac5b50 KERNEL32!SetConsoleCtrlHandler
00007ff6`5facfc68  00007ffa`7bac1b20 KERNEL32!SetCurrentDirectoryWStub
00007ff6`5facfc70  00007ffa`79a959f0 KERNELBASE!SetDefaultDllDirectories
00007ff6`5facfc78  00007ffa`7bac56f0 KERNEL32!SetEndOfFile
00007ff6`5facfc80  00007ffa`7bac1180 KERNEL32!SetEnvironmentVariableWStub
00007ff6`5facfc88  00007ffa`7bac5240 KERNEL32!SetEvent
00007ff6`5facfc90  00007ffa`7bac5710 KERNEL32!SetFileAttributesW
00007ff6`5facfc98  00007ffa`7bac5730 KERNEL32!SetFilePointer
00007ff6`5facfca0  00007ffa`7bac5740 KERNEL32!SetFilePointerEx
00007ff6`5facfca8  00007ffa`7bac50d0 KERNEL32!SetHandleInformation
00007ff6`5facfcb0  00007ffa`7babdec0 KERNEL32!SetInformationJobObject
00007ff6`5facfcb8  00007ffa`7bab6290 KERNEL32!SetLastErrorStub
00007ff6`5facfcc0  00007ffa`7bac2700 KERNEL32!SetNamedPipeHandleStateStub
00007ff6`5facfcc8  00007ffa`79a0c9e0 KERNELBASE!SetProcessMitigationPolicy
00007ff6`5facfcd0  00007ffa`7bac0ec0 KERNEL32!SetProcessShutdownParametersStub
00007ff6`5facfcd8  00007ffa`7bac09d0 KERNEL32!SetStdHandleStub
00007ff6`5facfce0  00007ffa`7babf8b0 KERNEL32!SetThreadAffinityMask
00007ff6`5facfce8  00007ffa`7bac5090 KERNEL32!SetThreadInformation
00007ff6`5facfcf0  00007ffa`7babbdc0 KERNEL32!SetThreadPriorityStub
00007ff6`5facfcf8  00007ffa`3e08c460 msedge_elf!crash_reporter::CrashReporterClient::AboutToRestart
00007ff6`5facfd00  00007ffa`7babbbb0 KERNEL32!SizeofResourceStub
00007ff6`5facfd08  00007ffa`7babb570 KERNEL32!SleepStub
00007ff6`5facfd10  00007ffa`799fdc40 KERNELBASE!SleepConditionVariableSRW
00007ff6`5facfd18  00007ffa`7bac5260 KERNEL32!SleepEx
00007ff6`5facfd20  00007ffa`7bac0f40 KERNEL32!SuspendThreadStub
00007ff6`5facfd28  00007ffa`7bac2970 KERNEL32!SystemTimeToTzSpecificLocalTimeStub
00007ff6`5facfd30  00007ffa`7bac1850 KERNEL32!TerminateJobObject
00007ff6`5facfd38  00007ffa`7bac0f20 KERNEL32!TerminateProcessStub
00007ff6`5facfd40  00007ffa`7babcff0 KERNEL32!TlsAllocStub
00007ff6`5facfd48  00007ffa`7babdb40 KERNEL32!TlsFreeStub
00007ff6`5facfd50  00007ffa`7bab5b20 KERNEL32!TlsGetValueStub
00007ff6`5facfd58  00007ffa`7bab6170 KERNEL32!TlsSetValueStub
00007ff6`5facfd60  00007ffa`7badd020 KERNEL32!TransactNamedPipeStub
00007ff6`5facfd68  00007ffa`7bdd1f60 ntdll!RtlTryAcquireSRWLockExclusive
00007ff6`5facfd70  00007ffa`7badd060 KERNEL32!UnhandledExceptionFilterStub
00007ff6`5facfd78  00007ffa`7bac5780 KERNEL32!UnlockFileEx
00007ff6`5facfd80  00007ffa`7babe7c0 KERNEL32!UnmapViewOfFileStub
00007ff6`5facfd88  00007ffa`7bab3770 KERNEL32!UnregisterWait
00007ff6`5facfd90  00007ffa`7bac1930 KERNEL32!UnregisterWaitExStub
00007ff6`5facfd98  00007ffa`79a04720 KERNELBASE!UpdateProcThreadAttribute
00007ff6`5facfda0  00007ffa`7bdc0650 ntdll!VerSetConditionMask
00007ff6`5facfda8  00007ffa`7bab8c20 KERNEL32!VerifyVersionInfoW
00007ff6`5facfdb0  00007ffa`7bab8cd0 KERNEL32!VirtualAllocStub
00007ff6`5facfdb8  00007ffa`7badd0e0 KERNEL32!VirtualAllocExStub
00007ff6`5facfdc0  00007ffa`7baba900 KERNEL32!VirtualFreeStub
00007ff6`5facfdc8  00007ffa`7badd100 KERNEL32!VirtualFreeExStub
00007ff6`5facfdd0  00007ffa`7babc430 KERNEL32!VirtualProtectStub
00007ff6`5facfdd8  00007ffa`7badd120 KERNEL32!VirtualProtectExStub
00007ff6`5facfde0  00007ffa`7babc960 KERNEL32!VirtualQueryStub
00007ff6`5facfde8  00007ffa`7babd7b0 KERNEL32!VirtualQueryExStub
00007ff6`5facfdf0  00007ffa`7bac5270 KERNEL32!WaitForMultipleObjects
00007ff6`5facfdf8  00007ffa`7bac5290 KERNEL32!WaitForSingleObject
00007ff6`5facfe00  00007ffa`7bac52a0 KERNEL32!WaitForSingleObjectEx
00007ff6`5facfe08  00007ffa`7badd160 KERNEL32!WaitNamedPipeWStub
00007ff6`5facfe10  00007ffa`7bda5420 ntdll!RtlWakeAllConditionVariable
00007ff6`5facfe18  00007ffa`7bda4ab0 ntdll!RtlWakeConditionVariable
00007ff6`5facfe20  00007ffa`7bab6110 KERNEL32!WideCharToMultiByteStub
00007ff6`5facfe28  00007ffa`7badd2c0 KERNEL32!Wow64GetThreadContextStub
00007ff6`5facfe30  00007ffa`7bac5b80 KERNEL32!WriteConsoleW
00007ff6`5facfe38  00007ffa`7bac5790 KERNEL32!WriteFile
00007ff6`5facfe40  00007ffa`7badd340 KERNEL32!WriteProcessMemoryStub
00007ff6`5facfe48  00007ffa`7bddc7e0 ntdll!_C_specific_handler
00007ff6`5facfe50  00007ffa`7babb280 KERNEL32!lstrlenAStub
00007ff6`5facfe58  00000000`00000000
00007ff6`5facfe60  00007ffa`7bd8ba40 ntdll!RtlInitUnicodeString
00007ff6`5facfe68  00000000`00000000
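
The lookup behind steps 3 and 4, as an added example that is not part of the original post: a small C parser that reads the same PE header fields !dh prints (the image base and data directory 12, the IAT) and builds the dps command from them. The header bytes are constructed from the values shown above; e_lfanew = 0x80 and all function names are assumptions, and the parser also accepts 32-bit PE32 headers, which the post does not cover.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DIR_IAT 12u /* IMAGE_DIRECTORY_ENTRY_IAT */

struct iat_info {
    uint64_t image_base; /* "image base" line of !dh */
    uint32_t iat_rva;    /* address of Import Address Table Directory */
    uint32_t iat_size;   /* [size] of that directory, in bytes */
    uint32_t ptr_size;   /* 8 for PE32+ (x64), 4 for PE32 (x86) */
};

/* Read an n-byte little-endian integer. */
static uint64_t rd_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/* Write an n-byte little-endian integer. */
static void wr_le(uint8_t *p, uint64_t v, size_t n)
{
    for (size_t i = 0; i < n; i++, v >>= 8)
        p[i] = (uint8_t)v;
}

/* Locate the IAT data directory in a PE header. Returns 0 on success,
 * -1 if the buffer is truncated or is not a PE image. */
int pe_find_iat(const uint8_t *buf, size_t len, struct iat_info *out)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return -1;
    size_t pe = (size_t)rd_le(buf + 0x3C, 4);          /* e_lfanew */
    if (pe > len || len - pe < 24 || memcmp(buf + pe, "PE\0\0", 4) != 0)
        return -1;
    size_t opt_size = (size_t)rd_le(buf + pe + 20, 2); /* SizeOfOptionalHeader */
    const uint8_t *opt = buf + pe + 24;
    if (len - (pe + 24) < opt_size || opt_size < 2)
        return -1;

    size_t base_off, base_len, count_off;
    uint64_t magic = rd_le(opt, 2);
    if (magic == 0x20B) {        /* PE32+ */
        base_off = 24; base_len = 8; count_off = 108;
    } else if (magic == 0x10B) { /* PE32 */
        base_off = 28; base_len = 4; count_off = 92;
    } else {
        return -1;
    }
    size_t entry = count_off + 4 + 8 * DIR_IAT;        /* directory 12: RVA, size */
    if (opt_size < entry + 8 || rd_le(opt + count_off, 4) <= DIR_IAT)
        return -1;
    out->image_base = rd_le(opt + base_off, base_len);
    out->iat_rva = (uint32_t)rd_le(opt + entry, 4);
    out->iat_size = (uint32_t)rd_le(opt + entry + 4, 4);
    out->ptr_size = (uint32_t)base_len;
    return 0;
}

/* Build the step 4 command: dps <base>+<IAT RVA> L<IAT size>/<pointer size>. */
int format_dps(const struct iat_info *i, char *dst, size_t n)
{
    return snprintf(dst, n, "dps %" PRIx64 "+%X L%X/%u", i->image_base,
                    (unsigned)i->iat_rva, (unsigned)i->iat_size, (unsigned)i->ptr_size);
}

/* Constructed sample: a bare PE32+ header carrying the values !dh printed for
 * msedge.exe above. e_lfanew = 0x80 is an assumption; buf must hold 0x200 bytes.
 * In a file on disk, ImageBase is only the preferred base; the loaded base
 * comes from !peb. */
void build_sample_header(uint8_t *buf)
{
    uint8_t *opt = buf + 0x80 + 24;
    memset(buf, 0, 0x200);
    memcpy(buf, "MZ", 2);
    wr_le(buf + 0x3C, 0x80, 4);                 /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    wr_le(buf + 0x84, 0x8664, 2);               /* machine (X64) */
    wr_le(buf + 0x94, 0xF0, 2);                 /* size of optional header */
    wr_le(opt, 0x20B, 2);                       /* magic # */
    wr_le(opt + 24, 0x00007ff65f7c0000ULL, 8);  /* image base */
    wr_le(opt + 108, 16, 4);                    /* NumberOfRvaAndSizes */
    wr_le(opt + 112 + 8 * DIR_IAT, 0x30F690, 4);
    wr_le(opt + 112 + 8 * DIR_IAT + 4, 0x7E0, 4);
}

int main(void)
{
    uint8_t hdr[0x200];
    struct iat_info info;
    char cmd[64];
    build_sample_header(hdr);
    if (pe_find_iat(hdr, sizeof hdr, &info) != 0)
        return 1;
    format_dps(&info, cmd, sizeof cmd);
    puts(cmd);
    return 0;
}
```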