diff --git a/README.md b/README.md index f45bdf0..6e6dff3 100644 --- a/README.md +++ b/README.md @@ -1,9 +1,523 @@ # ida-find-.data-ptr A simple ida python script to find .data ptr - +## Run ``find_data_ptr.py`` ![image1](https://user-images.githubusercontent.com/13917777/236432757-892a014c-f5d4-4883-9b2c-42cea73d2d03.png) +## Run ``find_data_ptr_guard_dispatch_icall.py`` +```asm +.data ptr with _guard_dispatch_icall: off_140C00A00 + Function HvlGetSharedPageVa (called at: 0x140236507) +.data ptr with _guard_dispatch_icall: HalPerformEndOfInterruptAtController + Function HalPerformEndOfInterrupt (called at: 0x140274485) + Function HalpInterruptResetThisProcessor (called at: 0x1404b652c) +.data ptr with _guard_dispatch_icall: off_140C009E0 + Function EtwGetKernelTraceTimestamp (called at: 0x14043ddea) + Function KiExecuteAllDpcs (called at: 0x140472afd) + Function EtwpReserveTraceBuffer (called at: 0x140472fe5) + Function EtwGetKernelTraceTimestampSilo (called at: 0x140481ad3) + Function EtwpGetLoggerTimeStamp (called at: 0x140489670) + Function EtwpInitializeTimeStamp (called at: 0x1407f4d34) +.data ptr with _guard_dispatch_icall: HalpProfileInterface + Function HalpProcessorPrepareForIdle (called at: 0x14043e59c) + Function HalpProcessorResumeFromIdle (called at: 0x14043e5e4) + Function HalpSetProfileSourceInterval (called at: 0x140369c5b) + Function HalpRestartProfiling (called at: 0x140383323) + Function HalpTimerInitializeProfiling (called at: 0x1403a52ad) + Function HalSetProfileInterval (called at: 0x1404b878a) + Function HalStartProfileInterrupt (called at: 0x1404b87c6) + Function HalStopProfileInterrupt (called at: 0x1404b87f1) + Function HalpAllocatePmcCounterSet (called at: 0x1404b894d) + Function HalpAllocatePmcCounterSet (called at: 0x1404b8983) + Function HalpAllocatePmcCounterSet (called at: 0x1404b89cd) + Function HalpFreePmcCounterSet (called at: 0x1404b8d07) + Function HalpPerfInterrupt (called at: 0x1404b8f61) + Function HalpPerfInterrupt (called at: 0x1404b8f87) + Function KiStopProfileTarget (called at: 0x140515f41) + Function HalpSetSystemInformation (called at: 0x14080f1e1) + Function HalpSetSystemInformation (called at: 0x14080f20d) + Function HalpQueryProfileInformation (called at: 0x140757447) + Function HalAllocateHardwareCounters (called at: 0x1408602d0) + Function HalFreeHardwareCounters (called at: 0x140860360) + Function HalFreeHardwareCounters (called at: 0x140860360) + Function HalpCompleteInitializeProfiling (called at: 0x140996c28) + Function HalpInitializeProfiling (called at: 0x140996c88) +.data ptr with _guard_dispatch_icall: off_140C00890 + Function KiSetClockTickRate (called at: 0x14027b1cd) + Function KePrepareClockTimerForIdle (called at: 0x14027b4a6) + Function KiRestoreClockTickRate (called at: 0x14027b7a4) + Function KeInitializeClock (called at: 0x140a86322) +.data ptr with _guard_dispatch_icall: HalpPlatformFlags + Function HalpDpPostReplace (called at: 0x1409a4776) +.data ptr with _guard_dispatch_icall: HalpSystemHardwareLock + Function HalpAcquireCmosSpinLock (called at: 0x140446b6a) +.data ptr with _guard_dispatch_icall: PpmPerfCoreParkingMask + Function PpmParkReportMask (called at: 0x140446f65) +.data ptr with _guard_dispatch_icall: off_140C00868 + Function KiIntSteerSetDestination (called at: 0x14029f0c2) +.data ptr with _guard_dispatch_icall: dword_140C020C0 + Function CmSaveMergedKeys (called at: 0x140878f05) +.data ptr with _guard_dispatch_icall: HalIommuDispatch + Function ExFreeSvmAsid (called at: 0x140450106) + Function HalpIommuInterruptRoutine (called at: 0x1404c5f1f) + Function IommuProcessPageRequestQueue (called at: 0x1404d32a2) + Function IommuProcessPageRequestQueue (called at: 0x1404d3440) + Function IommuProcessPageRequestQueue (called at: 0x1404d3554) + Function IommuProcessPageRequestQueue (called at: 0x1404d36aa) + Function IommupHvInterruptRoutine (called at: 0x1404d406c) + Function ExFlushTb (called at: 0x1405b0a36) + Function ExShareAddressSpaceWithDevice (called at: 0x1405b0e48) + Function ExShareAddressSpaceWithDevice (called at: 0x1405b0f51) + Function ExShareAddressSpaceWithDevice (called at: 0x1405b1487) + Function ExShareAddressSpaceWithDevice (called at: 0x1405b14b4) + Function ExSvmBeginDeviceReset (called at: 0x1405b18b0) + Function ExSvmDevicePowerCallback (called at: 0x1405b1ae6) + Function ExSvmFinalizeDeviceReset (called at: 0x1405b1cd2) + Function ExpPrepareNewSvmDevice (called at: 0x1405b2488) + Function ExpPrepareNewSvmDevice (called at: 0x1405b251e) + Function ExpSvmDereferenceDevice (called at: 0x1405b283e) + Function ExpSvmWorkerThread (called at: 0x1405b2dbc) + Function HalpIommuInitSystem (called at: 0x14099705e) + Function HalpIommuInitSystem (called at: 0x140997076) + Function InitBootProcessor (called at: 0x140a37c95) + Function ExpInitializeSvm (called at: 0x140a6da40) +.data ptr with _guard_dispatch_icall: off_140C007D8 + Function HalpTimerClockIpiRoutine (called at: 0x140326389) + Function HalpTimerClockInterrupt (called at: 0x14032f0a7) + Function HalpTimerAlwaysOnClockInterrupt (called at: 0x1404ce7a4) + Function EtwpReserveWithPmcCounters (called at: 0x1405a2ef3) +.data ptr with _guard_dispatch_icall: off_140C008C0 + Function HalpTimerClockIpiRoutine (called at: 0x1403263ce) + Function KeClockInterruptNotify (called at: 0x140326517) + Function HalpTimerClockInterrupt (called at: 0x14032f0f1) + Function HalpTimerAlwaysOnClockInterrupt (called at: 0x1404ce757) + Function NtSetSystemInformation (called at: 0x14069ace1) + Function PopWriteHiberPages (called at: 0x14098d894) + Function PopRequestWrite (called at: 0x1409902ed) +.data ptr with _guard_dispatch_icall: off_140C00740 + Function PpmIdleExecuteTransition (called at: 0x1403279d3) +.data ptr with _guard_dispatch_icall: off_140C00888 + Function PpmIdleExecuteTransition (called at: 0x140327b4a) + Function KeResumeClockTimerFromIdle (called at: 0x140329bf2) + Function KeSuspendClockTimer (called at: 0x14038154b) + Function KeSuspendClockTimerSafe (called at: 0x14050d8d5) + Function KeSuspendClockTimerSafe (called at: 0x14050d971) + Function KeInitializeClock (called at: 0x140a862e9) +.data ptr with _guard_dispatch_icall: off_140C00750 + Function PpmIdleExecuteTransition (called at: 0x1403288dd) +.data ptr with _guard_dispatch_icall: off_140C009A8 + Function PpmIdleExecuteTransition (called at: 0x140328926) + Function HalpRestartProfiling (called at: 0x140383354) + Function HalpPerfInterrupt (called at: 0x1404b8f95) +.data ptr with _guard_dispatch_icall: off_140C00898 + Function KeResumeClockTimerFromIdle (called at: 0x140329a42) + Function KeResumeClockTimerFromIdle (called at: 0x1404875e2) + Function KeResumeClockTimerFromIdle (called at: 0x140487689) +.data ptr with _guard_dispatch_icall: off_140C00880 + Function KeResumeClockTimerFromIdle (called at: 0x140329be1) + Function KeResumeClockTimerFromIdle (called at: 0x140487720) + Function KiResumeClockTimer (called at: 0x140380c8b) + Function KeInitializeClock (called at: 0x140a862fc) +.data ptr with _guard_dispatch_icall: off_140C00968 + Function KiGetNextTimerExpirationDueTime (called at: 0x14032a481) +.data ptr with _guard_dispatch_icall: off_140C00A70 + Function KiSetIntervalWorker (called at: 0x14036a1a5) + Function EtwSetPerformanceTraceInformation (called at: 0x140934a38) + Function EtwSetPerformanceTraceInformation (called at: 0x140934b66) + Function EtwpLoadMicroarchitecturalProfileSource (called at: 0x14093687e) + Function VslpIumPhase0Initialize (called at: 0x140a8d5d7) + Function VslpIumPhase0Initialize (called at: 0x140a8d5ee) +.data ptr with _guard_dispatch_icall: off_140C00780 + Function HalDisableInterrupt (called at: 0x14045a851) + Function HalEnableInterrupt (called at: 0x14045ac6b) + Function KiIntSteerConnect (called at: 0x140375165) + Function KiIsInterruptTypeSecondary (called at: 0x14045af1e) + Function HalpUnmaskInterrupt (called at: 0x14049748b) + Function HalpMaskInterrupt (called at: 0x1404a3845) + Function HalpInterruptRequestInterrupt (called at: 0x1404b6736) + Function HalpInterruptRequestSecondaryInterrupt (called at: 0x1404cb068) + Function IopConnectInterrupt (called at: 0x1407444b6) + Function IopConnectInterruptFullySpecified (called at: 0x1407adc0d) + Function IopAllocatePassiveInterruptBlock (called at: 0x14089d91a) +.data ptr with _guard_dispatch_icall: off_140C008E0 + Function KeConnectInterrupt (called at: 0x14045aa49) +.data ptr with _guard_dispatch_icall: off_140C00778 + Function KeConnectInterrupt (called at: 0x14045aa75) + Function KeUnmaskInterrupt (called at: 0x1403890d1) + Function IopPassiveInterruptWorker (called at: 0x140506efe) + Function KiUnmaskSecondaryInterruptInternal (called at: 0x14051343d) +.data ptr with _guard_dispatch_icall: off_140C00768 + Function KiIntSteerConnect (called at: 0x14045acfd) +.data ptr with _guard_dispatch_icall: off_140C00878 + Function KiResumeClockTimer (called at: 0x140380c9a) + Function KeInitializeClock (called at: 0x140a8630a) +.data ptr with _guard_dispatch_icall: off_140C007F0 + Function HalpSetResumeTime (called at: 0x1404944df) + Function AnFwDisplayBackgroundUpdate (called at: 0x1409f313d) + Function AnFwpBackgroundUpdateTimer (called at: 0x1409f41d1) + Function GetBootSystemTime (called at: 0x140a6d6fa) +.data ptr with _guard_dispatch_icall: off_140C005C8 + Function HalTranslateBusAddress (called at: 0x1403a207f) +.data ptr with _guard_dispatch_icall: off_140C00948 + Function HalpPowerStateCallback (called at: 0x1403a351e) + Function PopTransitionSystemPowerStateEx (called at: 0x14098e330) +.data ptr with _guard_dispatch_icall: off_140C00618 + Function KiMaskInterruptInternal (called at: 0x1403a38eb) +.data ptr with _guard_dispatch_icall: off_140C00770 + Function KiMaskInterruptInternal (called at: 0x1403a392d) + Function IoProcessPassiveInterrupts (called at: 0x140506825) + Function KiMaskSecondaryInterruptInternal (called at: 0x1405130d3) +.data ptr with _guard_dispatch_icall: qword_140C00720 + Function HvlEnlightenProcessor (called at: 0x1404a3ed5) + Function HvlEnlightenProcessor (called at: 0x1404a3f69) + Function HvlpTryConfigureInterface (called at: 0x140457659) + Function HvlpInitializeBootProcessor (called at: 0x1404ec9ca) + Function HvlpPhase0Enlightenments (called at: 0x1404f4167) +.data ptr with _guard_dispatch_icall: qword_140C00718 + Function HvlpTryConfigureInterface (called at: 0x1404575dd) + Function HvlpInitializeBootProcessor (called at: 0x1404ec936) + Function HvlpInitializeBootProcessor (called at: 0x1404ec97a) + Function HvlpSetupBootProcessorEarlyHypercallPages (called at: 0x1404ed7d7) + Function HvlpPhase0Enlightenments (called at: 0x1404f4129) +.data ptr with _guard_dispatch_icall: off_140C00A68 + Function HvlStartBootLogicalProcessors (called at: 0x14045770f) + Function MiInitializeLargePageColorSizes (called at: 0x1403aedb5) + Function EtwpAddLogHeader (called at: 0x140638015) + Function ExpQuerySystemInformation (called at: 0x1406f2ed0) + Function ExpQuerySystemInformation (called at: 0x1406f2f2a) + Function ExpQuerySystemInformation (called at: 0x14083ba7a) + Function ExpQuerySystemInformation (called at: 0x14083c2cd) + Function ExpQuerySystemInformation (called at: 0x14083c357) + Function ExpQuerySystemInformation (called at: 0x14083c3f6) + Function KeQueryIntervalProfile (called at: 0x14071826d) + Function EtwQueryPerformanceTraceInformation (called at: 0x140933ef7) + Function EtwSetPerformanceTraceInformation (called at: 0x1409349a4) + Function EtwpLogPmcCounterRundown (called at: 0x140939ac7) + Function EtwpSampledProfileRunDown (called at: 0x14093ab05) + Function EtwpCoverageSamplerStart (called at: 0x140942ff5) + Function ExpProfileCreate (called at: 0x140955f30) + Function BapdRecordFirmwareBootStats (called at: 0x14099683b) + Function BapdRecordFirmwareBootStats (called at: 0x140996888) + Function PopDiagTraceFirmwareS3Stats (called at: 0x1409ae54c) + Function KiIntSteerInit (called at: 0x140a3e5f1) + Function MiInitNucleus (called at: 0x140a42559) + Function PipDmgInitPhaseZero (called at: 0x140a48eef) + Function EtwpInitialize (called at: 0x140a6027d) + Function KeNumaInitialize (called at: 0x140a6f6f6) + Function PoFxRegisterDebugger (called at: 0x140a6fac9) + Function PoFxRegisterDebugger (called at: 0x140a8915d) + Function MiInitializeChannelRangesTemporary (called at: 0x140a898c2) + Function VslpIumPhase0Initialize (called at: 0x140a8d486) + Function BgkInitialize (called at: 0x140a94c3e) +.data ptr with _guard_dispatch_icall: qword_140C00630 + Function HalpUsbLegacyScanBusForHandoff (called at: 0x1403b5eee) + Function HalpUsbLegacyScanBusForHandoff (called at: 0x1403b5f78) + Function x86BiosGetPciBusData (called at: 0x1403ca4d5) + Function HalpUsbLegacyStopOhciInterrupt (called at: 0x1404d126b) + Function HalpUsbLegacyStopUhciInterrupt (called at: 0x1404d13c7) + Function HalpUsbLegacyStopUhciInterrupt (called at: 0x1404d140d) + Function HalpStopLegacyUsbInterruptsInternal (called at: 0x1409a561f) + Function KdpSysReadBusData (called at: 0x1409b5ec3) +.data ptr with _guard_dispatch_icall: PcDmaDispatch + Function HalpDmaInitializeControllers (called at: 0x1403b7813) + Function HalpDmaInitializeControllers (called at: 0x1403b7813) +.data ptr with _guard_dispatch_icall: off_140C006A8 + Function PpmInstallNewIdleStates (called at: 0x1403c04b6) + Function PpmRemoveIdleStates (called at: 0x140560fb0) +.data ptr with _guard_dispatch_icall: off_140C00648 + Function HalGetVectorInput (called at: 0x1403c6245) +.data ptr with _guard_dispatch_icall: off_140C00700 + Function HvlDebuggerSupportInitialize (called at: 0x1404afb6f) +.data ptr with _guard_dispatch_icall: off_140C005F8 + Function HvlDebuggerSupportInitialize (called at: 0x1404afd4c) + Function HeadlessInit (called at: 0x140a89da9) +.data ptr with _guard_dispatch_icall: off_140C006B8 + Function HalpCreateMcaMemoryErrorRecord (called at: 0x1404b3d3e) + Function HalpCreateMcaProcessorErrorRecord (called at: 0x1404b3f41) + Function HalpCreateNMIErrorRecord (called at: 0x1404b78f6) +.data ptr with _guard_dispatch_icall: off_140C007C8 + Function HalpGetMcaExtendedLogStatusBlock (called at: 0x1404b40ff) + Function HalpMcaInitializeErrorSection (called at: 0x1404b4614) + Function HvlpQueryApicIdAndNumaNode (called at: 0x1404ecb8e) +.data ptr with _guard_dispatch_icall: off_140C00640 + Function HalGetInterruptVector (called at: 0x1404b51ef) +.data ptr with _guard_dispatch_icall: HalpMcaEnabled + Function HalpMcaSetProcessorConfig (called at: 0x140995158) +.data ptr with _guard_dispatch_icall: off_140C00950 + Function HalReturnToFirmware (called at: 0x1404b81a1) +.data ptr with _guard_dispatch_icall: qword_140C00638 + Function x86BiosSetPciBusData (called at: 0x1404b9365) + Function HalpUsbLegacyStopUhciInterrupt (called at: 0x1404d13a8) + Function HalpUsbLegacyStopUhciInterrupt (called at: 0x1404d1432) + Function KdpSysWriteBusData (called at: 0x1409b5f2b) +.data ptr with _guard_dispatch_icall: HalpMoveMemory + Function HalpDmaSyncMapBuffers (called at: 0x1404c23b2) + Function HalpDmaSyncMapBuffersWithEmergencyResources (called at: 0x1404c2655) +.data ptr with _guard_dispatch_icall: off_140C00810 + Function HalpInterruptRequestSecondaryInterrupt (called at: 0x1404cb0d9) +.data ptr with _guard_dispatch_icall: off_140C007A0 + Function HvlPrepareForRootCrashdump (called at: 0x1404ef7d9) + Function HvlSkCrashdumpCallbackRoutine (called at: 0x1404f27ca) + Function PopSaveHiberContext (called at: 0x14099ff29) +.data ptr with _guard_dispatch_icall: off_140C00698 + Function HvlPrepareForRootCrashdump (called at: 0x1404ef7ea) + Function HvlCrashdumpCallbackRoutine (called at: 0x1404f25f5) + Function HvlSkCrashdumpCallbackRoutine (called at: 0x1404f27db) + Function KeBugCheck2 (called at: 0x140510ccd) +.data ptr with _guard_dispatch_icall: qword_140C00A30 + Function HvlpHandleIommuFaultMessage (called at: 0x1404f2e67) +.data ptr with _guard_dispatch_icall: off_140C00940 + Function IoInitializeBugCheckProgress (called at: 0x1404fbd04) + Function PopCheckpointSystemSleep (called at: 0x14099fc4c) +.data ptr with _guard_dispatch_icall: off_140C008D8 + Function IoWriteCrashDump (called at: 0x1404fcb75) + Function NtSetSystemInformation (called at: 0x14069acbe) +.data ptr with _guard_dispatch_icall: off_140C00848 + Function IopWriteTriageDumpToFirmware (called at: 0x1404fe7c0) +.data ptr with _guard_dispatch_icall: off_140C00738 + Function KdPowerTransitionEx (called at: 0x14050a88a) + Function KdPowerTransitionEx (called at: 0x14050a8b9) + Function KeFreezeExecution (called at: 0x14051727a) + Function KeThawExecution (called at: 0x140517624) + Function KiFreezeTargetExecution (called at: 0x140517986) + Function KiFreezeTargetExecution (called at: 0x140517a79) +.data ptr with _guard_dispatch_icall: off_140C00990 + Function KiClearLastBranchRecordStack (called at: 0x14050c15b) +.data ptr with _guard_dispatch_icall: off_140C00978 + Function KiProcessNMI (called at: 0x14050c4eb) + Function KiProcessNMI (called at: 0x14050c584) +.data ptr with _guard_dispatch_icall: off_140C00928 + Function KeConvertAuxiliaryCounterToPerformanceCounter (called at: 0x14050db4b) + Function NtConvertBetweenAuxiliaryCounterAndPerformanceCounter (called at: 0x14095641b) + Function NtConvertBetweenAuxiliaryCounterAndPerformanceCounter (called at: 0x14095645f) +.data ptr with _guard_dispatch_icall: off_140C00920 + Function KeConvertPerformanceCounterToAuxiliaryCounter (called at: 0x14050db6b) + Function NtConvertBetweenAuxiliaryCounterAndPerformanceCounter (called at: 0x14095641b) + Function NtConvertBetweenAuxiliaryCounterAndPerformanceCounter (called at: 0x14095645f) +.data ptr with _guard_dispatch_icall: off_140C00930 + Function KeQueryAuxiliaryCounterFrequency (called at: 0x14050defb) + Function NtQueryAuxiliaryCounterFrequency (called at: 0x14095661c) + Function NtQueryAuxiliaryCounterFrequency (called at: 0x14095663a) +.data ptr with _guard_dispatch_icall: off_140C008E8 + Function KeQueryWakeSource (called at: 0x14050e145) +.data ptr with _guard_dispatch_icall: off_140C008A8 + Function KeBugCheck2 (called at: 0x14051088b) + Function KeBugCheck2 (called at: 0x1405112b6) + Function KdpSendWaitContinue (called at: 0x1409b5a55) +.data ptr with _guard_dispatch_icall: off_140C008C8 + Function KeBugCheck2 (called at: 0x140510c9a) + Function NtSetSystemInformation (called at: 0x14069ace1) + Function PopInvokeSystemStateHandler (called at: 0x14099f8b2) + Function PopSaveHiberContext (called at: 0x1409a037c) + Function KdEnterDebugger (called at: 0x1409b409f) +.data ptr with _guard_dispatch_icall: KiNmiInProgress + Function KeBugCheck2 (called at: 0x140510ccd) +.data ptr with _guard_dispatch_icall: off_140C007A8 + Function KeBugCheck2 (called at: 0x140511262) + Function PopHiberCheckResume (called at: 0x1409a1cdc) +.data ptr with _guard_dispatch_icall: off_140C008B8 + Function KeBugCheck2 (called at: 0x140511284) + Function NtSetSystemInformation (called at: 0x14069ace1) + Function PopInvokeSystemStateHandler (called at: 0x14098f01a) + Function KdExitDebugger (called at: 0x1409b4211) +.data ptr with _guard_dispatch_icall: off_140C005D8 + Function KeBugCheck2 (called at: 0x140511315) + Function KiBugCheckDebugBreak (called at: 0x140511917) + Function PopShutdownHandler (called at: 0x1409ae985) +.data ptr with _guard_dispatch_icall: qword_140C049A8 + Function KseHookExAllocatePoolWithTag (called at: 0x140520c44) +.data ptr with _guard_dispatch_icall: qword_140C03158 + Function KseDsCallbackHookAddDevice (called at: 0x140520cc1) + Function KseDsCallbackHookDriverStartIo (called at: 0x140520d8e) + Function KseDsCallbackHookDriverUnload (called at: 0x140520de3) + Function KseDsCallbackHookIrpDeviceControlFunction (called at: 0x140520e42) + Function KseDsCallbackHookIrpFunction (called at: 0x140520ec2) + Function KseDsCallbackHookIrpPnpFunction (called at: 0x140520f6f) + Function KseDsCallbackHookIrpPnpFunction (called at: 0x140520f82) + Function KseDsCallbackHookIrpPowerFunction (called at: 0x14052102e) + Function KseDsCallbackHookIrpPowerFunction (called at: 0x140521041) +.data ptr with _guard_dispatch_icall: qword_140C04CE8 + Function KseDsHookExAllocatePool (called at: 0x1405211bb) +.data ptr with _guard_dispatch_icall: qword_140C04CA8 + Function KseDsHookExAllocatePoolWithTag (called at: 0x140521223) +.data ptr with _guard_dispatch_icall: qword_140C04D08 + Function KseDsHookExFreePool (called at: 0x140521280) +.data ptr with _guard_dispatch_icall: qword_140C04CC8 + Function KseDsHookExFreePoolWithTag (called at: 0x1405212c6) +.data ptr with _guard_dispatch_icall: qword_140C04C68 + Function KseDsHookIoCreateDevice (called at: 0x140521339) +.data ptr with _guard_dispatch_icall: qword_140C04D48 + Function KseHookMmGetVirtualForPhysical (called at: 0x1405222d2) +.data ptr with _guard_dispatch_icall: qword_140C04D68 + Function KseHookMmMapIoSpace (called at: 0x140522312) +.data ptr with _guard_dispatch_icall: qword_140C009F8 + Function PopPowerButtonWorkCallback (called at: 0x140572429) +.data ptr with _guard_dispatch_icall: dword_140C0523C + Function VfQueryDispatchTable (called at: 0x14059a4cd) +.data ptr with _guard_dispatch_icall: VfXdvDispatchTable + Function VfQueryDispatchTable (called at: 0x14059a4cd) +.data ptr with _guard_dispatch_icall: off_140C00988 + Function EtwpTraceLastBranchRecord (called at: 0x1405a9c16) +.data ptr with _guard_dispatch_icall: off_140C009D8 + Function WheapGenericErrSrcRecover (called at: 0x1405b67eb) +.data ptr with _guard_dispatch_icall: off_140C05300 + Function SpiInit (called at: 0x1405c49e1) + Function SpiInit (called at: 0x1405c49f9) + Function SpiInit (called at: 0x1405c4a08) + Function SpiInit (called at: 0x1405c4a82) + Function SpiInit (called at: 0x1405c4a93) + Function SpiSend16 (called at: 0x1405c4ec3) + Function SpiSend16 (called at: 0x1405c4eda) + Function UsifGetByte (called at: 0x1405c4f28) + Function UsifGetByte (called at: 0x1405c4f42) + Function UsifPutByte (called at: 0x1405c4fc0) + Function UsifPutByte (called at: 0x1405c4fd9) + Function UsifRxReady (called at: 0x1405c503c) + Function ReadRegisterWithIndex32 (called at: 0x1405c515b) +.data ptr with _guard_dispatch_icall: off_140C05308 + Function SpiInit (called at: 0x1405c4a1e) + Function SpiInit (called at: 0x1405c4a33) + Function SpiInit (called at: 0x1405c4a47) + Function SpiInit (called at: 0x1405c4a59) + Function SpiInit (called at: 0x1405c4a6b) + Function SpiInit (called at: 0x1405c4ab1) + Function SpiSend16 (called at: 0x1405c4ea1) + Function SpiSend16 (called at: 0x1405c4eb3) + Function UsifPutByte (called at: 0x1405c4ff8) + Function WriteRegisterWithIndex32 (called at: 0x1405c53af) +.data ptr with _guard_dispatch_icall: off_140C052C0 + Function ReadPortWithIndex16 (called at: 0x1405c509b) +.data ptr with _guard_dispatch_icall: off_140C052D0 + Function ReadPortWithIndex32 (called at: 0x1405c50cb) +.data ptr with _guard_dispatch_icall: UartHardwareAccess + Function ReadPortWithIndex8 (called at: 0x1405c50fb) +.data ptr with _guard_dispatch_icall: off_140C052F0 + Function ReadRegisterWithIndex16 (called at: 0x1405c512b) +.data ptr with _guard_dispatch_icall: off_140C05310 + Function ReadRegisterWithIndex64 (called at: 0x1405c518b) +.data ptr with _guard_dispatch_icall: off_140C052E0 + Function ReadRegisterWithIndex8 (called at: 0x1405c51bb) +.data ptr with _guard_dispatch_icall: off_140C052C8 + Function WritePortWithIndex16 (called at: 0x1405c52ef) +.data ptr with _guard_dispatch_icall: off_140C052D8 + Function WritePortWithIndex32 (called at: 0x1405c531f) +.data ptr with _guard_dispatch_icall: off_140C052B8 + Function WritePortWithIndex8 (called at: 0x1405c534e) +.data ptr with _guard_dispatch_icall: off_140C052F8 + Function WriteRegisterWithIndex16 (called at: 0x1405c537f) +.data ptr with _guard_dispatch_icall: off_140C05318 + Function WriteRegisterWithIndex64 (called at: 0x1405c53df) +.data ptr with _guard_dispatch_icall: off_140C052E8 + Function WriteRegisterWithIndex8 (called at: 0x1405c540e) +.data ptr with _guard_dispatch_icall: off_140C007E0 + Function EtwpFreeLoggerContext (called at: 0x1407d072a) + Function EtwpUpdatePmcCounters (called at: 0x140936d28) +.data ptr with _guard_dispatch_icall: off_140C009B8 + Function EtwpFreeLoggerContext (called at: 0x1407d078a) +.data ptr with _guard_dispatch_icall: off_140C008D0 + Function ExpQuerySystemInformation (called at: 0x14083b727) + Function PoInitSystem (called at: 0x140a3c905) +.data ptr with _guard_dispatch_icall: off_140C009C0 + Function PiDmaGuardProcessPostRemove (called at: 0x1408165b5) +.data ptr with _guard_dispatch_icall: off_140C009C8 + Function PipProcessStartPhase1 (called at: 0x14081690a) +.data ptr with _guard_dispatch_icall: off_140C00908 + Function IoGetDmaAdapter (called at: 0x140747f65) + Function IoGetDmaAdapter (called at: 0x140747fa2) +.data ptr with _guard_dispatch_icall: off_140C00A38 + Function PipDmgSaveDeviceDmarPolicy (called at: 0x140750886) + Function HalpDmaAllocateChildAdapterV3 (called at: 0x1407a50f3) +.data ptr with _guard_dispatch_icall: off_140C005A8 + Function PopAllocateHiberContext (called at: 0x14075b687) + Function PopMarkComponentsBootPhase (called at: 0x1409a20f1) +.data ptr with _guard_dispatch_icall: off_140C00AF8 + Function CmpAcceptBoot (called at: 0x140770f4e) + Function PopGracefulShutdown (called at: 0x1409ad331) +.data ptr with _guard_dispatch_icall: off_140C00860 + Function KeInitializeTimerTable (called at: 0x140819391) + Function PopInitPlatformSettings (called at: 0x140a6d346) +.data ptr with _guard_dispatch_icall: off_140C009A0 + Function EtwpInitializeLastBranchTracing (called at: 0x1407b63e2) +.data ptr with _guard_dispatch_icall: off_140C009D0 + Function IoGetIommuInterface (called at: 0x1407b6907) +.data ptr with _guard_dispatch_icall: off_140C005D0 + Function HalAssignSlotResources (called at: 0x14086017a) +.data ptr with _guard_dispatch_icall: off_140C00980 + Function IopEnumerateEnvironmentVariablesHal (called at: 0x14089629b) +.data ptr with _guard_dispatch_icall: off_140C00678 + Function PnprReplaceStart (called at: 0x1408aaabe) +.data ptr with _guard_dispatch_icall: qword_140C04DE8 + Function KseHookQueryValueKey (called at: 0x1408bda16) +.data ptr with _guard_dispatch_icall: AlpcpLogCallbackListHead + Function AlpcpInvokeLogCallbacks (called at: 0x1408bf97d) + Function AlpcpInvokeLogCallbacks (called at: 0x1408bf97d) +.data ptr with _guard_dispatch_icall: unk_140C031C8 + Function PopPolicyDeviceRemove (called at: 0x1408ed50d) +.data ptr with _guard_dispatch_icall: off_140C007D0 + Function EtwpUpdatePmcCounters (called at: 0x140936ce8) +.data ptr with _guard_dispatch_icall: off_140C00870 + Function EtwpClockSourceRunDown (called at: 0x1409396c7) + Function KeInitializeClock (called at: 0x140a6984f) +.data ptr with _guard_dispatch_icall: off_140C009B0 + Function EtwpUpdateLastBranchTracingConfiguration (called at: 0x140943f5f) +.data ptr with _guard_dispatch_icall: off_140C005C0 + Function PopTransitionSystemPowerStateEx (called at: 0x14098e1c3) + Function PopTransitionSystemPowerStateEx (called at: 0x14098e40d) +.data ptr with _guard_dispatch_icall: off_140C006A0 + Function PopInvokeSystemStateHandler (called at: 0x14098f224) + Function PopInvokeSystemStateHandler (called at: 0x14099f971) +.data ptr with _guard_dispatch_icall: off_140C00858 + Function PopRestoreHiberContext (called at: 0x14098f82f) + Function PopRestoreHiberContext (called at: 0x14099fcb6) +.data ptr with _guard_dispatch_icall: off_140C00850 + Function PopSaveHiberContext (called at: 0x14098fb00) +.data ptr with _guard_dispatch_icall: off_140C007C0 + Function HalpAcpiPostSleep (called at: 0x1409a0bdd) + Function HaliLocateHiberRanges (called at: 0x1409a1244) + Function PopHiberCheckResume (called at: 0x140993fb6) +.data ptr with _guard_dispatch_icall: off_140C006C0 + Function HalpAcpiPostSleep (called at: 0x1409a0c97) + Function PopHiberCheckResume (called at: 0x140993f8d) +.data ptr with _guard_dispatch_icall: off_140C00800 + Function HaliLocateHiberRanges (called at: 0x1409a1244) +.data ptr with _guard_dispatch_icall: off_140C00838 + Function PopHiberCheckResume (called at: 0x140993f69) + Function PopHiberCheckResume (called at: 0x140993f9c) +.data ptr with _guard_dispatch_icall: off_140C00688 + Function PnprEndMirroring (called at: 0x1409a9ae1) + Function PnprInitiateReplaceOperation (called at: 0x1409a9dc2) + Function PnprQuiesceProcessors (called at: 0x1409aad77) + Function PnprQuiesceProcessors (called at: 0x1409aaee3) + Function PnprWakeProcessors (called at: 0x1409ab205) +.data ptr with _guard_dispatch_icall: off_140C00690 + Function PnprInitiateReplaceOperation (called at: 0x1409a9ef5) +.data ptr with _guard_dispatch_icall: off_140C006E8 + Function PnprQuiesceProcessorDpc (called at: 0x1409aa8d2) +.data ptr with _guard_dispatch_icall: off_140C00680 + Function PnprQuiesceProcessorDpc (called at: 0x1409aa8ec) +.data ptr with _guard_dispatch_icall: off_140C006F0 + Function PnprQuiesceProcessorDpc (called at: 0x1409aaa94) +.data ptr with _guard_dispatch_icall: off_140C006D8 + Function PnprQuiesceProcessors (called at: 0x1409aacbf) +.data ptr with _guard_dispatch_icall: off_140C006B0 + Function PnprWakeProcessors (called at: 0x1409ab1e1) + Function KiInitializeDynamicProcessorDpc (called at: 0x1409ab8b5) + Function KeStartAllProcessors (called at: 0x140a3ef05) +.data ptr with _guard_dispatch_icall: off_140C006E0 + Function PnprWakeProcessors (called at: 0x1409ab256) +.data ptr with _guard_dispatch_icall: off_140C00910 + Function VfGetDmaAdapter (called at: 0x1409c8f03) +.data ptr with _guard_dispatch_icall: off_140C008B0 + Function InitBootProcessor (called at: 0x140a37c95) +.data ptr with _guard_dispatch_icall: off_140C00AC0 + Function IoInitSystemPreDrivers (called at: 0x140a3b901) +.data ptr with _guard_dispatch_icall: KiNumaQueryNodeCapacity + Function KiPerformGroupConfiguration (called at: 0x140a3f1c7) +.data ptr with _guard_dispatch_icall: KiNumaQueryNodeDistance + Function KiPerformGroupConfiguration (called at: 0x140a3f2aa) +.data ptr with _guard_dispatch_icall: HalpExtensionImports + Function HalpExtInitExtensions (called at: 0x140a86c5f) +``` ## Some discussions on UnknownCheats https://www.unknowncheats.me/forum/general-programming-and-reversing/582086-simple-ida-python-script-data-ptr.html