windbg使用 已经命令 详细(0315)更新

加载文件符号:

srv*D:\WinDDK\7600.16385.1\symbols*http://msdl.microsoft.com/download/symbols

输入命令
重新加载符号
.reload

dt _eprocess 进程结构体查看

!dml_proc 枚举进程

dd 地址 查看内存 四个字节(双字节)显示
db 地址 查看内存 单字节显示

g 运行

~查看线程
0:001> ~

0 Id: 1a70.18ec Suspend: 1 Teb: 7efdd000 Unfrozen
. 1 Id: 1a70.aa8 Suspend: 1 Teb: 7efda000 Unfrozen

查看peb 结构
dt nt!_peb
0:001> dt nt!_peb
ntdll!_PEB
+0x000 InheritedAddressSpace : UChar
+0x001 ReadImageFileExecOptions : UChar
+0x002 BeingDebugged : UChar
+0x003 BitField : UChar
+0x003 ImageUsesLargePages : Pos 0, 1 Bit
+0x003 IsProtectedProcess : Pos 1, 1 Bit
+0x003 IsLegacyProcess : Pos 2, 1 Bit
+0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
+0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
+0x003 SpareBits : Pos 5, 3 Bits
+0x004 Mutant : Ptr32 Void
+0x008 ImageBaseAddress : Ptr32 Void
+0x00c Ldr : Ptr32 _PEB_LDR_DATA
+0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
+0x014 SubSystemData : Ptr32 Void
+0x018 ProcessHeap : Ptr32 Void
+0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
+0x020 AtlThunkSListPtr : Ptr32 Void
+0x024 IFEOKey : Ptr32 Void
+0x028 CrossProcessFlags : Uint4B
+0x028 ProcessInJob : Pos 0, 1 Bit
+0x028 ProcessInitializing : Pos 1, 1 Bit
+0x028 ProcessUsingVEH : Pos 2, 1 Bit
+0x028 ProcessUsingVCH : Pos 3, 1 Bit
+0x028 ProcessUsingFTH : Pos 4, 1 Bit
+0x028 ReservedBits0 : Pos 5, 27 Bits
+0x02c KernelCallbackTable : Ptr32 Void
+0x02c UserSharedInfoPtr : Ptr32 Void
+0x030 SystemReserved : [1] Uint4B
+0x034 AtlThunkSListPtr32 : Uint4B
+0x038 ApiSetMap : Ptr32 Void
+0x03c TlsExpansionCounter : Uint4B
+0x040 TlsBitmap : Ptr32 Void
+0x044 TlsBitmapBits : [2] Uint4B
+0x04c ReadOnlySharedMemoryBase : Ptr32 Void
+0x050 HotpatchInformation : Ptr32 Void
+0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
+0x058 AnsiCodePageData : Ptr32 Void
+0x05c OemCodePageData : Ptr32 Void
+0x060 UnicodeCaseTableData : Ptr32 Void
+0x064 NumberOfProcessors : Uint4B
+0x068 NtGlobalFlag : Uint4B
+0x070 CriticalSectionTimeout : _LARGE_INTEGER
+0x078 HeapSegmentReserve : Uint4B
+0x07c HeapSegmentCommit : Uint4B
+0x080 HeapDeCommitTotalFreeThreshold : Uint4B
+0x084 HeapDeCommitFreeBlockThreshold : Uint4B
+0x088 NumberOfHeaps : Uint4B
+0x08c MaximumNumberOfHeaps : Uint4B
+0x090 ProcessHeaps : Ptr32 Ptr32 Void
+0x094 GdiSharedHandleTable : Ptr32 Void
+0x098 ProcessStarterHelper : Ptr32 Void
+0x09c GdiDCAttributeList : Uint4B
+0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
+0x0a4 OSMajorVersion : Uint4B
+0x0a8 OSMinorVersion : Uint4B
+0x0ac OSBuildNumber : Uint2B
+0x0ae OSCSDVersion : Uint2B
+0x0b0 OSPlatformId : Uint4B
+0x0b4 ImageSubsystem : Uint4B
+0x0b8 ImageSubsystemMajorVersion : Uint4B
+0x0bc ImageSubsystemMinorVersion : Uint4B
+0x0c0 ActiveProcessAffinityMask : Uint4B
+0x0c4 GdiHandleBuffer : [34] Uint4B
+0x14c PostProcessInitRoutine : Ptr32 void
+0x150 TlsExpansionBitmap : Ptr32 Void
+0x154 TlsExpansionBitmapBits : [32] Uint4B
+0x1d4 SessionId : Uint4B
+0x1d8 AppCompatFlags : _ULARGE_INTEGER
+0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
+0x1e8 pShimData : Ptr32 Void
+0x1ec AppCompatInfo : Ptr32 Void
+0x1f0 CSDVersion : _UNICODE_STRING
+0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
+0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
+0x208 MinimumStackCommit : Uint4B
+0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
+0x210 FlsListHead : _LIST_ENTRY
+0x218 FlsBitmap : Ptr32 Void
+0x21c FlsBitmapBits : [4] Uint4B
+0x22c FlsHighIndex : Uint4B
+0x230 WerRegistrationData : Ptr32 Void
+0x234 WerShipAssertPtr : Ptr32 Void
+0x238 pContextData : Ptr32 Void
+0x23c pImageHeaderHash : Ptr32 Void
+0x240 TracingFlags : Uint4B
+0x240 HeapTracingEnabled : Pos 0, 1 Bit
+0x240 CritSecTracingEnabled : Pos 1, 1 Bit
+0x240 SpareTracingBits : Pos 2, 30 Bits

!peb 查看结果 返回 的
0:001> !peb
PEB at 7efde000
InheritedAddressSpace: No
ReadImageFileExecOptions: No
BeingDebugged: Yes
ImageBaseAddress: 00240000
Ldr 77570200
Ldr.Initialized: Yes
Ldr.InInitializationOrderModuleList: 00aa3bd8 . 00ac7b40
Ldr.InLoadOrderModuleList: 00aa3b48 . 00ac7b30
Ldr.InMemoryOrderModuleList: 00aa3b50 . 00ac7b38
Base TimeStamp Module
240000 58c252c9 Mar 10 15:16:25 2017 C:\Users\huang\Desktop\BypassUAC.exe
77470000 57fd02d3 Oct 11 23:18:43 2016 C:\Windows\SysWOW64\ntdll.dll
74fc0000 57fd0378 Oct 11 23:21:28 2016 C:\Windows\syswow64\kernel32.dll
761c0000 57fd0379 Oct 11 23:21:29 2016 C:\Windows\syswow64\KERNELBASE.dll
75c40000 58249e1c Nov 11 00:19:40 2016 C:\Windows\syswow64\USER32.dll
75560000 581f576e Nov 07 00:16:46 2016 C:\Windows\syswow64\GDI32.dll
77440000 581a034f Nov 02 23:16:31 2016 C:\Windows\syswow64\LPK.dll
75200000 58121b44 Oct 27 23:20:36 2016 C:\Windows\syswow64\USP10.dll
750d0000 4eeaf722 Dec 16 15:45:38 2011 C:\Windows\syswow64\msvcrt.dll
75a30000 57fd02b4 Oct 11 23:18:12 2016 C:\Windows\syswow64\ADVAPI32.dll
75330000 4a5bdb04 Jul 14 09:10:28 2009 C:\Windows\SysWOW64\sechost.dll
75380000 586e85b5 Jan 06 01:43:17 2017 C:\Windows\syswow64\RPCRT4.dll
74f60000 586e85b5 Jan 06 01:43:17 2017 C:\Windows\syswow64\SspiCli.dll
74f50000 586e8007 Jan 06 01:19:03 2017 C:\Windows\syswow64\CRYPTBASE.dll
6bce0000 4a5bdaa0 Jul 14 09:08:48 2009 C:\Windows\system32\MSIMG32.dll
6eaf0000 4ce7ba4b Nov 20 20:08:43 2010 C:\Windows\system32\WINSPOOL.DRV
763f0000 57c450f4 Aug 29 23:12:52 2016 C:\Windows\syswow64\SHELL32.dll
75600000 4ce7b9e2 Nov 20 20:06:58 2010 C:\Windows\syswow64\SHLWAPI.dll
6f610000 553a8345 Apr 25 01:54:13 2015 C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
6dc40000 4a5bdb3c Jul 14 09:11:24 2009 C:\Windows\system32\UxTheme.dll
76290000 4ce7b96f Nov 20 20:05:03 2010 C:\Windows\syswow64\ole32.dll
75780000 57f7bb82 Oct 07 23:13:06 2016 C:\Windows\syswow64\OLEAUT32.dll
74df0000 4a5bdace Jul 14 09:09:34 2009 C:\Windows\system32\oledlg.dll
74300000 57d714cd Sep 13 04:49:17 2016 C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.23545_none_5c06d189a00e2c29\gdiplus.dll
736e0000 4e587028 Aug 27 12:18:48 2011 C:\Windows\system32\OLEACC.dll
75be0000 4ce7ba53 Nov 20 20:08:51 2010 C:\Windows\syswow64\IMM32.dll
756b0000 57fd0304 Oct 11 23:19:32 2016 C:\Windows\syswow64\MSCTF.dll
745c0000 4ce7ba42 Nov 20 20:08:34 2010 C:\Windows\system32\WINMM.dll
6b9f0000 4a5bda07 Jul 14 09:06:15 2009 C:\Windows\system32\dwmapi.dll
SubSystemData: 00000000
ProcessHeap: 00aa0000
ProcessParameters: 00aa1c08
CurrentDirectory: ‘C:\Users\huang\Desktop\’
WindowTitle: ‘C:\Users\huang\Desktop\BypassUAC.exe’
ImageFile: ‘C:\Users\huang\Desktop\BypassUAC.exe’
CommandLine: ‘“C:\Users\huang\Desktop\BypassUAC.exe” ’
DllPath: ‘C:\Users\huang\Desktop;;C:\Windows\system32;C:\Windows\system;C:\Windows;.;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\010 Editor;C:\Program Files\IDM Computer Solutions\UltraEdit;C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools;C:\Program Files (x86)\Microsoft Visual Studio\VC98\bin’
Environment: 00aa07f0
#envTSLOGsss756=52925808
=::=::\
ALLUSERSPROFILE=C:\ProgramData
APPDATA=C:\Users\huang\AppData\Roaming
CommonProgramFiles=C:\Program Files (x86)\Common Files
CommonProgramFiles(x86)=C:\Program Files (x86)\Common Files
CommonProgramW6432=C:\Program Files\Common Files
COMPUTERNAME=HUANG-PC
ComSpec=C:\Windows\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Users\huang
include=C:\Program Files (x86)\Microsoft Visual Studio\VC98\atl\include;C:\Program Files (x86)\Microsoft Visual Studio\VC98\mfc\include;C:\Program Files (x86)\Microsoft Visual Studio\VC98\include
lib=C:\Program Files (x86)\Microsoft Visual Studio\VC98\mfc\lib;C:\Program Files (x86)\Microsoft Visual Studio\VC98\lib
LOCALAPPDATA=C:\Users\huang\AppData\Local
LOGONSERVER=\HUANG-PC
MSDevDir=C:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98
NUMBER_OF_PROCESSORS=4
OS=Windows_NT
Path=C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Kits\8.1\Windows Performance Toolkit\;C:\Program Files\Microsoft SQL Server\110\Tools\Binn\;C:\Program Files (x86)\Microsoft SDKs\TypeScript\1.0\;C:\Program Files\010 Editor;C:\Program Files\IDM Computer Solutions\UltraEdit;C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools\WinNT;C:\Program Files (x86)\Microsoft Visual Studio\Common\MSDev98\Bin;C:\Program Files (x86)\Microsoft Visual Studio\Common\Tools;C:\Program Files (x86)\Microsoft Visual Studio\VC98\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_ARCHITEW6432=AMD64
PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\ProgramData
ProgramFiles=C:\Program Files (x86)
ProgramFiles(x86)=C:\Program Files (x86)
ProgramW6432=C:\Program Files
PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
PUBLIC=C:\Users\Public
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Users\huang\AppData\Local\Temp
TMP=C:\Users\huang\AppData\Local\Temp
USERDOMAIN=huang-PC
USERNAME=huang
USERPROFILE=C:\Users\huang
VS100COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\Tools\
VS110COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 11.0\Common7\Tools\
VS120COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\Tools\
VS140COMNTOOLS=C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools\
windir=C:\Windows
windows_tracing_flags=3
windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log

查看teb结构
0:001> dt nt!_teb
ntdll!_TEB
+0x000 NtTib : _NT_TIB
+0x01c EnvironmentPointer : Ptr32 Void
+0x020 ClientId : _CLIENT_ID
+0x028 ActiveRpcHandle : Ptr32 Void
+0x02c ThreadLocalStoragePointer : Ptr32 Void
+0x030 ProcessEnvironmentBlock : Ptr32 _PEB
+0x034 LastErrorValue : Uint4B
+0x038 CountOfOwnedCriticalSections : Uint4B
+0x03c CsrClientThread : Ptr32 Void
+0x040 Win32ThreadInfo : Ptr32 Void
+0x044 User32Reserved : [26] Uint4B
+0x0ac UserReserved : [5] Uint4B
+0x0c0 WOW32Reserved : Ptr32 Void
+0x0c4 CurrentLocale : Uint4B
+0x0c8 FpSoftwareStatusRegister : Uint4B
+0x0cc SystemReserved1 : [54] Ptr32 Void
+0x1a4 ExceptionCode : Int4B
+0x1a8 ActivationContextStackPointer : Ptr32 _ACTIVATION_CONTEXT_STACK
+0x1ac SpareBytes : [36] UChar
+0x1d0 TxFsContext : Uint4B
+0x1d4 GdiTebBatch : _GDI_TEB_BATCH
+0x6b4 RealClientId : _CLIENT_ID
+0x6bc GdiCachedProcessHandle : Ptr32 Void
+0x6c0 GdiClientPID : Uint4B
+0x6c4 GdiClientTID : Uint4B
+0x6c8 GdiThreadLocalInfo : Ptr32 Void
+0x6cc Win32ClientInfo : [62] Uint4B
+0x7c4 glDispatchTable : [233] Ptr32 Void
+0xb68 glReserved1 : [29] Uint4B
+0xbdc glReserved2 : Ptr32 Void
+0xbe0 glSectionInfo : Ptr32 Void
+0xbe4 glSection : Ptr32 Void
+0xbe8 glTable : Ptr32 Void
+0xbec glCurrentRC : Ptr32 Void
+0xbf0 glContext : Ptr32 Void
+0xbf4 LastStatusValue : Uint4B
+0xbf8 StaticUnicodeString : _UNICODE_STRING
+0xc00 StaticUnicodeBuffer : [261] Wchar
+0xe0c DeallocationStack : Ptr32 Void
+0xe10 TlsSlots : [64] Ptr32 Void
+0xf10 TlsLinks : _LIST_ENTRY
+0xf18 Vdm : Ptr32 Void
+0xf1c ReservedForNtRpc : Ptr32 Void
+0xf20 DbgSsReserved : [2] Ptr32 Void
+0xf28 HardErrorMode : Uint4B
+0xf2c Instrumentation : [9] Ptr32 Void
+0xf50 ActivityId : _GUID
+0xf60 SubProcessTag : Ptr32 Void
+0xf64 EtwLocalData : Ptr32 Void
+0xf68 EtwTraceData : Ptr32 Void
+0xf6c WinSockData : Ptr32 Void
+0xf70 GdiBatchCount : Uint4B
+0xf74 CurrentIdealProcessor : _PROCESSOR_NUMBER
+0xf74 IdealProcessorValue : Uint4B
+0xf74 ReservedPad0 : UChar
+0xf75 ReservedPad1 : UChar
+0xf76 ReservedPad2 : UChar
+0xf77 IdealProcessor : UChar
+0xf78 GuaranteedStackBytes : Uint4B
+0xf7c ReservedForPerf : Ptr32 Void
+0xf80 ReservedForOle : Ptr32 Void
+0xf84 WaitingOnLoaderLock : Uint4B
+0xf88 SavedPriorityState : Ptr32 Void
+0xf8c SoftPatchPtr1 : Uint4B
+0xf90 ThreadPoolData : Ptr32 Void
+0xf94 TlsExpansionSlots : Ptr32 Ptr32 Void
+0xf98 MuiGeneration : Uint4B
+0xf9c IsImpersonating : Uint4B
+0xfa0 NlsCache : Ptr32 Void
+0xfa4 pShimData : Ptr32 Void
+0xfa8 HeapVirtualAffinity : Uint4B
+0xfac CurrentTransactionHandle : Ptr32 Void
+0xfb0 ActiveFrame : Ptr32 _TEB_ACTIVE_FRAME
+0xfb4 FlsData : Ptr32 Void
+0xfb8 PreferredLanguages : Ptr32 Void
+0xfbc UserPrefLanguages : Ptr32 Void
+0xfc0 MergedPrefLanguages : Ptr32 Void
+0xfc4 MuiImpersonation : Uint4B
+0xfc8 CrossTebFlags : Uint2B
+0xfc8 SpareCrossTebBits : Pos 0, 16 Bits
+0xfca SameTebFlags : Uint2B
+0xfca SafeThunkCall : Pos 0, 1 Bit
+0xfca InDebugPrint : Pos 1, 1 Bit
+0xfca HasFiberData : Pos 2, 1 Bit
+0xfca SkipThreadAttach : Pos 3, 1 Bit
+0xfca WerInShipAssertCode : Pos 4, 1 Bit
+0xfca RanProcessInit : Pos 5, 1 Bit
+0xfca ClonedThread : Pos 6, 1 Bit
+0xfca SuppressDebugMsg : Pos 7, 1 Bit
+0xfca DisableUserStackWalk : Pos 8, 1 Bit
+0xfca RtlExceptionAttached : Pos 9, 1 Bit
+0xfca InitialThread : Pos 10, 1 Bit
+0xfca SpareSameTebBits : Pos 11, 5 Bits
+0xfcc TxnScopeEnterCallback : Ptr32 Void
+0xfd0 TxnScopeExitCallback : Ptr32 Void
+0xfd4 TxnScopeContext : Ptr32 Void
+0xfd8 LockCount : Uint4B
+0xfdc SpareUlong0 : Uint4B
+0xfe0 ResourceRetValue : Ptr32 Void

查看teb 结果
0:001> !teb
TEB at 7efda000
ExceptionList: 0229f9b0
StackBase: 022a0000
StackLimit: 0229c000
SubSystemTib: 00000000
FiberData: 00001e00
ArbitraryUserPointer: 00000000
Self: 7efda000
EnvironmentPointer: 00000000
ClientId: 00001a70 . 00000aa8
RpcHandle: 00000000
Tls Storage: 00000000
PEB Address: 7efde000
LastErrorValue: 0
LastStatusValue: 0
Count Owned Locks: 0
HardErrorMode: 0

格式化
0:000> .formats 5
Evaluate expression:
Hex: 00000005
Decimal: 5
Octal: 00000000005
Binary: 00000000 00000000 00000000 00000101
Chars: ….
Time: Thu Jan 01 08:00:05 1970
Float: low 7.00649e-045 high 0
Double: 2.47033e-323

lm 列举模块

0:000> lm
start end module name
00240000 00575000 BypassUAC (deferred)
6bce0000 6bce5000 MSIMG32 (deferred)
6dc40000 6dcc0000 UxTheme (deferred)
6eaf0000 6eb41000 WINSPOOL (deferred)
6f610000 6f7ae000 COMCTL32 (deferred)
736e0000 7371c000 OLEACC (deferred)
74300000 74491000 gdiplus (deferred)
745c0000 745f2000 WINMM (deferred)
74df0000 74e0c000 oledlg (deferred)
74f50000 74f5c000 CRYPTBASE (deferred)
74f60000 74fc0000 SspiCli (deferred)
74fc0000 750d0000 kernel32 (deferred)
750d0000 7517c000 msvcrt (deferred)
75200000 7529d000 USP10 (deferred)
75330000 75349000 sechost (deferred)
75380000 75470000 RPCRT4 (deferred)
75560000 755f0000 GDI32 (deferred)
75600000 75657000 SHLWAPI (deferred)
756b0000 7577d000 MSCTF (deferred)
75780000 75811000 OLEAUT32 (deferred)
75a30000 75ad1000 ADVAPI32 (deferred)
75be0000 75c40000 IMM32 (deferred)
75c40000 75d40000 USER32 (deferred)
761c0000 76207000 KERNELBASE (deferred)
76290000 763ec000 ole32 (deferred)
763f0000 7703c000 SHELL32 (deferred)
77440000 7744a000 LPK (deferred)
77470000 775f0000 ntdll (pdb symbols) d:\symbols\wntdll.pdb\924BB3AFBED1421AA24F35EC54CDDE032\wntdll.pdb

查看dll 所以到处函数

x ntdll！*
x user！*
0:000> x user32!*
75c6e46f USER32!GetClassInfoExA ()
75c61399 USER32!NtUserInvalidateRect ()
75c7b90a USER32!_ClientCopyDDEIn2 ()
75cb3ea8 USER32!SvSpontUnadvise ()
75c72371 USER32!ImeWndProcA ()
75c99dcf USER32!ShowStartGlass ()
75cc0fbc USER32!pfnWowGetProcModule =
75c81154 USER32!NtUserMapVirtualKeyEx ()
75c500b8 USER32!_imp___allmul =
75c9f57a USER32!__fnOUTLPRECT ()
75ca18c4 USER32!TabbedTextOutA ()
75c50438 USER32!_imp__GlobalHandle =
75c50468 USER32!_imp__FindResourceExA =
75cb7c91 USER32!NtUserSetInformationThread ()
75c6fc25 USER32!ECGetControlBrush ()
75c6b527 USER32!CreateMDIChild ()
75c504a4 USER32!_imp__InterlockedIncrement =
75c5acb3 USER32!InitUserApiHook ()
75c73a6e USER32!LBSetCItemFullMax ()
75cba9ed USER32!_imp_load__PowerGetActiveScheme ()
75c9fb46 USER32!__ClientLoadImage ()
75c500b0 USER32!_imp___allshr =
75cb86e7 USER32!NtUserLockWindowStation ()
75c6c816 USER32!ArrangeIconicWindows ()
75c50340 USER32!_imp__SetLayoutWidth =
75c5cecc USER32!_DllMainCRTStartupForGS2 ()
75c50150 USER32!_imp__RtlSetLastWin32Error =
75c50140 USER32!_imp___wtoi =
75ca8ac4 USER32!szEXECHELP =
75cb95ab USER32!MirrorWindowRect ()
75cb8e9d USER32!NtUserUpdatePerUserSystemParameters ()