u@home:~$

  • NtGdiGetDIBitsInternal

    case 53 seems interesting.

    case 53
    DOUBLE FETCH: cr3 0x120c9d000, syscall 0x1087
      eip 0xfffff961a3a46f87, user_address 0x1f978d80030, user_data 0x28, modrm 0x0, pc 0xfffff961a3a46fac
      eip 0xfffff961a3a47370, user_address 0x1f978d80030, user_data 0x28, modrm 0x11, pc 0xfffff961a3a47386

    NtGdiGetDIBitsInternal
    1c0046f90 4c 89 a4    MOV qword ptr [RSP + local_88],R12
              24 a0 00 00 00
    1c0046f98 48...

  • double fetch, case 32 - case 62

    DOUBLE FETCH: cr3 0xa9774000, syscall 0x12dd
      eip 0xfffff961a3dc59e0, user_address 0x13ee9902a60, user_data 0x0, modrm 0x1, pc 0xfffff961a3dc5a1c
      eip 0xfffff961a3a9b389, user_address 0x13ee9902a60, user_data 0x0, modrm 0x0, pc 0xfffff961a3a9b417

    0xfffff961a3dc5a1c - 0xfffff961a3a9b417 = 32A605
    1c0035a1c − 1c002c417 = 9605

    win32kbase.sys
    1c00359ed 48 0f 43    CMOVNC RDX,qword ptr [W32UserProbeAddress] = ??
              15 cb ea...

  • double fetch, case 5, case 6 .. case 31

    case 5
    DOUBLE FETCH: cr3 0xb7261000, syscall 0x88
      eip 0xfffff80179c9f8e1, user_address 0x40f3efdbe8, user_data 0x1000, modrm 0x1, pc 0xfffff80179c9f99e
      eip 0xfffff80179c9f8e1, user_address 0x40f3efdbe8, user_data 0x1000, modrm 0x1, pc 0xfffff80179c9f9bc

    LAB_14041599e XREF[1]: 140415afd(j)
    --> 14041599e 48 8b 01    MOV RAX,qword ptr [param_1]
    1404159a1 48 89 84    MOV qword ptr [RSP + local_c8],RAX...