refexe
Park Seong Bin edited this page Jul 13, 2019
·
1 revision
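The refexe command provides the same external function reference search that OllyDbg and x64dbg offer. Each output line shows the address of a call or jmp instruction, its raw bytes, its disassembly, and, after the semicolon, the address and symbol the command resolved for that reference.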
0:000> !refexe 0007ff7`bfe610f3
00007ff7'bfe61f41 ff 15 d1 ab 01 00 call qword ptr [rip + 0x1abd1] ; 0x7ff7bfe7cb18, test!_pDestructExceptionObject
00007ff7'bfe615cc ff 15 46 fa 00 00 call qword ptr [rip + 0xfa46] ; 0x7ff85cb71010, KERNEL32!RtlVirtualUnwindStub
00007ff7'bfe6163c ff 15 d6 f9 00 00 call qword ptr [rip + 0xf9d6] ; 0x7ff85cb71010, KERNEL32!RtlVirtualUnwindStub
00007ff7'bfe61ab8 ff 15 5a f5 00 00 call qword ptr [rip + 0xf55a] ; 0x7ff85cb71010, KERNEL32!RtlVirtualUnwindStub
00007ff7'bfe65aac ff 15 66 b5 00 00 call qword ptr [rip + 0xb566] ; 0x7ff85cb71010, KERNEL32!RtlVirtualUnwindStub
00007ff7'bfe66107 48 ff 25 ba af 00 00 jmp qword ptr [rip + 0xafba] ; 0x7ff85cb85250, KERNEL32!TlsGetValueStub
00007ff7'bfe61936 ff 15 1c f7 00 00 call qword ptr [rip + 0xf71c] ; 0x7ff85cb85260, KERNEL32!GetCurrentThreadId
00007ff7'bfe654e6 ff 15 5c bc 00 00 call qword ptr [rip + 0xbc5c] ; 0x7ff85cb85280, KERNEL32!HeapFreeStub
00007ff7'bfe6477d ff 15 95 c9 00 00 call qword ptr [rip + 0xc995] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe647bf ff 15 53 c9 00 00 call qword ptr [rip + 0xc953] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe66e65 ff 15 ad a2 00 00 call qword ptr [rip + 0xa2ad] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe69763 ff 15 af 79 00 00 call qword ptr [rip + 0x79af] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe6979d ff 15 75 79 00 00 call qword ptr [rip + 0x7975] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe6b373 ff 15 9f 5d 00 00 call qword ptr [rip + 0x5d9f] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe6b756 ff 15 bc 59 00 00 call qword ptr [rip + 0x59bc] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe6bee8 ff 15 2a 52 00 00 call qword ptr [rip + 0x522a] ; 0x7ff85cb85500, KERNEL32!WideCharToMultiByteStub
00007ff7'bfe624a7 ff 15 e3 eb 00 00 call qword ptr [rip + 0xebe3] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe654f8 ff 15 92 bb 00 00 call qword ptr [rip + 0xbb92] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe65de5 ff 15 a5 b2 00 00 call qword ptr [rip + 0xb2a5] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe66e88 ff 15 02 a2 00 00 call qword ptr [rip + 0xa202] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe675b2 ff 15 d8 9a 00 00 call qword ptr [rip + 0x9ad8] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe67726 ff 15 64 99 00 00 call qword ptr [rip + 0x9964] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6b16a ff 15 20 5f 00 00 call qword ptr [rip + 0x5f20] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6b41d ff 15 6d 5c 00 00 call qword ptr [rip + 0x5c6d] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6b520 ff 15 6a 5b 00 00 call qword ptr [rip + 0x5b6a] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6b63b ff 15 4f 5a 00 00 call qword ptr [rip + 0x5a4f] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6b7ab ff 15 df 58 00 00 call qword ptr [rip + 0x58df] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6ba62 ff 15 28 56 00 00 call qword ptr [rip + 0x5628] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6bb22 ff 15 68 55 00 00 call qword ptr [rip + 0x5568] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6e501 ff 15 89 2b 00 00 call qword ptr [rip + 0x2b89] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe6e6d2 ff 15 b8 29 00 00 call qword ptr [rip + 0x29b8] ; 0x7ff85cb857e0, KERNEL32!GetLastErrorStub
00007ff7'bfe626a9 ff 15 21 ea 00 00 call qword ptr [rip + 0xea21] ; 0x7ff85cb85800, KERNEL32!TlsSetValueStub
00007ff7'bfe66150 ff 15 7a af 00 00 call qword ptr [rip + 0xaf7a] ; 0x7ff85cb85800, KERNEL32!TlsSetValueStub
00007ff7'bfe66cbe ff 15 4c a4 00 00 call qword ptr [rip + 0xa44c] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe66d06 ff 15 04 a4 00 00 call qword ptr [rip + 0xa404] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6a3a7 ff 15 63 6d 00 00 call qword ptr [rip + 0x6d63] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6a470 ff 15 9a 6c 00 00 call qword ptr [rip + 0x6c9a] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6bc93 ff 15 77 54 00 00 call qword ptr [rip + 0x5477] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6bd58 ff 15 b2 53 00 00 call qword ptr [rip + 0x53b2] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6f20f ff 15 fb 1e 00 00 call qword ptr [rip + 0x1efb] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6f2d4 ff 15 36 1e 00 00 call qword ptr [rip + 0x1e36] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6f2fb ff 15 0f 1e 00 00 call qword ptr [rip + 0x1e0f] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6f3b9 ff 15 51 1d 00 00 call qword ptr [rip + 0x1d51] ; 0x7ff85cb85810, KERNEL32!MultiByteToWideCharStub
00007ff7'bfe6a990 ff 15 32 68 00 00 call qword ptr [rip + 0x6832] ; 0x7ff85cb85880, KERNEL32!GetProcessHeapStub
00007ff7'bfe67651 ff 15 41 9a 00 00 call qword ptr [rip + 0x9a41] ; 0x7ff85cb858a0, KERNEL32!SetLastErrorStub
00007ff7'bfe67667 ff 15 2b 9a 00 00 call qword ptr [rip + 0x9a2b] ; 0x7ff85cb858a0, KERNEL32!SetLastErrorStub
00007ff7'bfe67752 ff 15 40 99 00 00 call qword ptr [rip + 0x9940] ; 0x7ff85cb858a0, KERNEL32!SetLastErrorStub
00007ff7'bfe677e0 ff 15 b2 98 00 00 call qword ptr [rip + 0x98b2] ; 0x7ff85cb858a0, KERNEL32!SetLastErrorStub
00007ff7'bfe61952 ff 15 f0 f6 00 00 call qword ptr [rip + 0xf6f0] ; 0x7ff85cb86580, KERNEL32!QueryPerformanceCounterStub
00007ff7'bfe66289 ff 15 d1 ae 00 00 call qword ptr [rip + 0xaed1] ; 0x7ff85cb883a0, KERNEL32!LCMapStringWStub
00007ff7'bfe61928 ff 15 32 f7 00 00 call qword ptr [rip + 0xf732] ; 0x7ff85cb88500, KERNEL32!GetSystemTimeAsFileTimeStub
00007ff7'bfe6252b ff 15 b7 eb 00 00 call qword ptr [rip + 0xebb7] ; 0x7ff85cb89d60, KERNEL32!GetProcAddressStub
00007ff7'bfe64c06 ff 15 dc c4 00 00 call qword ptr [rip + 0xc4dc] ; 0x7ff85cb89d60, KERNEL32!GetProcAddressStub
00007ff7'bfe65e8c ff 15 56 b2 00 00 call qword ptr [rip + 0xb256] ; 0x7ff85cb89d60, KERNEL32!GetProcAddressStub
00007ff7'bfe62494 ff 15 56 ec 00 00 call qword ptr [rip + 0xec56] ; 0x7ff85cb8a050, KERNEL32!LoadLibraryExWStub
00007ff7'bfe624ba ff 15 30 ec 00 00 call qword ptr [rip + 0xec30] ; 0x7ff85cb8a050, KERNEL32!LoadLibraryExWStub
00007ff7'bfe65dd7 ff 15 13 b3 00 00 call qword ptr [rip + 0xb313] ; 0x7ff85cb8a050, KERNEL32!LoadLibraryExWStub
00007ff7'bfe65e27 ff 15 c3 b2 00 00 call qword ptr [rip + 0xb2c3] ; 0x7ff85cb8a050, KERNEL32!LoadLibraryExWStub
00007ff7'bfe6601d ff 15 35 b1 00 00 call qword ptr [rip + 0xb135] ; 0x7ff85cb8a520, KERNEL32!CompareStringWStub
00007ff7'bfe610ed ff 15 0d ff 00 00 call qword ptr [rip + 0xff0d] ; 0x7ff85cb8b660, KERNEL32!SleepStub
00007ff7'bfe625f3 ff 15 c7 ea 00 00 call qword ptr [rip + 0xeac7] ; 0x7ff85cb8c010, KERNEL32!TlsAllocStub
00007ff7'bfe66079 48 ff 25 40 b0 00 00 jmp qword ptr [rip + 0xb040] ; 0x7ff85cb8c010, KERNEL32!TlsAllocStub
00007ff7'bfe61b66 ff 15 14 f5 00 00 call qword ptr [rip + 0xf514] ; 0x7ff85cb8c160, KERNEL32!GetModuleHandleWStub
00007ff7'bfe64aeb ff 15 8f c5 00 00 call qword ptr [rip + 0xc58f] ; 0x7ff85cb8c160, KERNEL32!GetModuleHandleWStub
00007ff7'bfe624f7 ff 15 e3 eb 00 00 call qword ptr [rip + 0xebe3] ; 0x7ff85cb8c270, KERNEL32!FreeLibraryStub
00007ff7'bfe627a2 ff 15 38 e9 00 00 call qword ptr [rip + 0xe938] ; 0x7ff85cb8c270, KERNEL32!FreeLibraryStub
00007ff7'bfe64c23 ff 15 b7 c4 00 00 call qword ptr [rip + 0xc4b7] ; 0x7ff85cb8c270, KERNEL32!FreeLibraryStub
00007ff7'bfe65e60 ff 15 7a b2 00 00 call qword ptr [rip + 0xb27a] ; 0x7ff85cb8c270, KERNEL32!FreeLibraryStub
00007ff7'bfe6634b ff 15 8f ad 00 00 call qword ptr [rip + 0xad8f] ; 0x7ff85cb8c270, KERNEL32!FreeLibraryStub
00007ff7'bfe62647 ff 15 8b ea 00 00 call qword ptr [rip + 0xea8b] ; 0x7ff85cb8c870, KERNEL32!TlsFreeStub
00007ff7'bfe660bf 48 ff 25 12 b0 00 00 jmp qword ptr [rip + 0xb012] ; 0x7ff85cb8c870, KERNEL32!TlsFreeStub
00007ff7'bfe66876 ff 15 7c a8 00 00 call qword ptr [rip + 0xa87c] ; 0x7ff85cb8c890, KERNEL32!GetStdHandleStub
00007ff7'bfe61595 ff 15 75 fa 00 00 call qword ptr [rip + 0xfa75] ; 0x7ff85cb8c8a0, KERNEL32!RtlLookupFunctionEntryStub
00007ff7'bfe61605 ff 15 05 fa 00 00 call qword ptr [rip + 0xfa05] ; 0x7ff85cb8c8a0, KERNEL32!RtlLookupFunctionEntryStub
00007ff7'bfe61a77 ff 15 93 f5 00 00 call qword ptr [rip + 0xf593] ; 0x7ff85cb8c8a0, KERNEL32!RtlLookupFunctionEntryStub
00007ff7'bfe65a71 ff 15 99 b5 00 00 call qword ptr [rip + 0xb599] ; 0x7ff85cb8c8a0, KERNEL32!RtlLookupFunctionEntryStub
00007ff7'bfe7010e ff 25 2c 0f 00 00 jmp qword ptr [rip + 0xf2c] ; 0x7ff85cb8cd20, KERNEL32!IsProcessorFeaturePresentStub
00007ff7'bfe66738 ff 15 3a a9 00 00 call qword ptr [rip + 0xa93a] ; 0x7ff85cb8cd30, KERNEL32!GetStartupInfoWStub
00007ff7'bfe68e09 ff 15 31 83 00 00 call qword ptr [rip + 0x8331] ; 0x7ff85cb8cee0, KERNEL32!GetACPStub
00007ff7'bfe68f0e ff 15 84 82 00 00 call qword ptr [rip + 0x8284] ; 0x7ff85cb8cef0, KERNEL32!GetCPInfoStub
00007ff7'bfe69443 ff 15 4f 7d 00 00 call qword ptr [rip + 0x7d4f] ; 0x7ff85cb8cef0, KERNEL32!GetCPInfoStub
00007ff7'bfe6f18a ff 15 08 20 00 00 call qword ptr [rip + 0x2008] ; 0x7ff85cb8cef0, KERNEL32!GetCPInfoStub
00007ff7'bfe64455 ff 15 ad cc 00 00 call qword ptr [rip + 0xccad] ; 0x7ff85cb8d380, KERNEL32!GetModuleFileNameAStub
00007ff7'bfe69a9e ff 15 0c 77 00 00 call qword ptr [rip + 0x770c] ; 0x7ff85cb8d3c0, KERNEL32!SetEnvironmentVariableAStub
00007ff7'bfe6a48a ff 15 30 6d 00 00 call qword ptr [rip + 0x6d30] ; 0x7ff85cb8d3d0, KERNEL32!GetStringTypeWStub
00007ff7'bfe64bcb ff 15 4f c5 00 00 call qword ptr [rip + 0xc54f] ; 0x7ff85cb8d620, KERNEL32!ExitProcessImplementation
00007ff7'bfe69701 ff 15 99 7a 00 00 call qword ptr [rip + 0x7a99] ; 0x7ff85cb8d920, KERNEL32!GetEnvironmentStringsWStub
00007ff7'bfe697c7 ff 15 db 79 00 00 call qword ptr [rip + 0x79db] ; 0x7ff85cb8d930, KERNEL32!FreeEnvironmentStringsWStub
00007ff7'bfe64d05 ff 15 2d c4 00 00 call qword ptr [rip + 0xc42d] ; 0x7ff85cb8e420, KERNEL32!GetCommandLineWStub
00007ff7'bfe6942e ff 15 54 7d 00 00 call qword ptr [rip + 0x7d54] ; 0x7ff85cb8e430, KERNEL32!IsValidCodePageStub
00007ff7'bfe64cf8 ff 15 32 c4 00 00 call qword ptr [rip + 0xc432] ; 0x7ff85cb8e460, KERNEL32!GetCommandLineAStub
00007ff7'bfe6ff66 ff 15 ac 12 00 00 call qword ptr [rip + 0x12ac] ; 0x7ff85cb8e490, KERNEL32!RaiseExceptionStub
00007ff7'bfe61f7f ff 15 03 f1 00 00 call qword ptr [rip + 0xf103] ; 0x7ff85cb8e670, KERNEL32!RtlUnwindExStub
00007ff7'bfe70114 ff 25 6e 0f 00 00 jmp qword ptr [rip + 0xf6e] ; 0x7ff85cb8e670, KERNEL32!RtlUnwindExStub
00007ff7'bfe64bf0 ff 15 32 c5 00 00 call qword ptr [rip + 0xc532] ; 0x7ff85cb8e680, KERNEL32!GetModuleHandleExWStub
00007ff7'bfe613c3 ff 15 5f fc 00 00 call qword ptr [rip + 0xfc5f] ; 0x7ff85cb8ec10, KERNEL32!SetUnhandledExceptionFilterStub
00007ff7'bfe61b2d ff 15 f5 f4 00 00 call qword ptr [rip + 0xf4f5] ; 0x7ff85cb8ec10, KERNEL32!SetUnhandledExceptionFilterStub
00007ff7'bfe61bbb 48 ff 25 66 f4 00 00 jmp qword ptr [rip + 0xf466] ; 0x7ff85cb8ec10, KERNEL32!SetUnhandledExceptionFilterStub
00007ff7'bfe65aef ff 15 33 b5 00 00 call qword ptr [rip + 0xb533] ; 0x7ff85cb8ec10, KERNEL32!SetUnhandledExceptionFilterStub
00007ff7'bfe61b0c ff 15 5e f5 00 00 call qword ptr [rip + 0xf55e] ; 0x7ff85cb8ed40, KERNEL32!IsDebuggerPresentStub
00007ff7'bfe65ae5 ff 15 85 b5 00 00 call qword ptr [rip + 0xb585] ; 0x7ff85cb8ed40, KERNEL32!IsDebuggerPresentStub
00007ff7'bfe69f46 ff 15 6c 72 00 00 call qword ptr [rip + 0x726c] ; 0x7ff85cb8ef10, KERNEL32!SetStdHandleStub
00007ff7'bfe613e5 48 ff 25 4c fc 00 00 jmp qword ptr [rip + 0xfc4c] ; 0x7ff85cb8f8a0, KERNEL32!TerminateProcessStub
00007ff7'bfe64bbc ff 15 76 c4 00 00 call qword ptr [rip + 0xc476] ; 0x7ff85cb8f8a0, KERNEL32!TerminateProcessStub
00007ff7'bfe65c53 48 ff 25 de b3 00 00 jmp qword ptr [rip + 0xb3de] ; 0x7ff85cb8f8a0, KERNEL32!TerminateProcessStub
00007ff7'bfe68df2 ff 15 98 83 00 00 call qword ptr [rip + 0x8398] ; 0x7ff85cb8fd50, KERNEL32!GetOEMCPStub
00007ff7'bfe6157d ff 15 85 fa 00 00 call qword ptr [rip + 0xfa85] ; 0x7ff85cb91e60, KERNEL32!RtlCaptureContext
00007ff7'bfe615eb ff 15 17 fa 00 00 call qword ptr [rip + 0xfa17] ; 0x7ff85cb91e60, KERNEL32!RtlCaptureContext
00007ff7'bfe61a5d ff 15 a5 f5 00 00 call qword ptr [rip + 0xf5a5] ; 0x7ff85cb91e60, KERNEL32!RtlCaptureContext
00007ff7'bfe65a59 ff 15 a9 b5 00 00 call qword ptr [rip + 0xb5a9] ; 0x7ff85cb91e60, KERNEL32!RtlCaptureContext
00007ff7'bfe613d2 ff 15 58 fc 00 00 call qword ptr [rip + 0xfc58] ; 0x7ff85cb92020, KERNEL32!GetCurrentProcess
00007ff7'bfe64bb1 ff 15 79 c4 00 00 call qword ptr [rip + 0xc479] ; 0x7ff85cb92020, KERNEL32!GetCurrentProcess
00007ff7'bfe65c41 ff 15 e9 b3 00 00 call qword ptr [rip + 0xb3e9] ; 0x7ff85cb92020, KERNEL32!GetCurrentProcess
00007ff7'bfe61942 ff 15 08 f7 00 00 call qword ptr [rip + 0xf708] ; 0x7ff85cb92030, KERNEL32!GetCurrentProcessId
00007ff7'bfe6e4f7 ff 15 fb 2c 00 00 call qword ptr [rip + 0x2cfb] ; 0x7ff85cb92080, KERNEL32!CloseHandle
00007ff7'bfe6f525 ff 15 cd 1c 00 00 call qword ptr [rip + 0x1ccd] ; 0x7ff85cb92080, KERNEL32!CloseHandle
00007ff7'bfe6271c ff 15 96 e9 00 00 call qword ptr [rip + 0xe996] ; 0x7ff85cb92180, KERNEL32!InitializeCriticalSectionAndSpinCount
00007ff7'bfe661af ff 15 03 af 00 00 call qword ptr [rip + 0xaf03] ; 0x7ff85cb92180, KERNEL32!InitializeCriticalSectionAndSpinCount
00007ff7'bfe6f4fd ff 15 0d 1d 00 00 call qword ptr [rip + 0x1d0d] ; 0x7ff85cb92300, KERNEL32!CreateFileW
00007ff7'bfe68b46 ff 15 24 86 00 00 call qword ptr [rip + 0x8624] ; 0x7ff85cb92360, KERNEL32!FindClose
00007ff7'bfe68b1c ff 15 56 86 00 00 call qword ptr [rip + 0x8656] ; 0x7ff85cb923b0, KERNEL32!FindFirstFileExA
00007ff7'bfe68bb9 ff 15 c1 85 00 00 call qword ptr [rip + 0x85c1] ; 0x7ff85cb92410, KERNEL32!FindNextFileA
00007ff7'bfe6b156 ff 15 74 60 00 00 call qword ptr [rip + 0x6074] ; 0x7ff85cb92460, KERNEL32!FlushFileBuffers
00007ff7'bfe667a3 ff 15 bf a9 00 00 call qword ptr [rip + 0xa9bf] ; 0x7ff85cb92550, KERNEL32!GetFileType
00007ff7'bfe6688c ff 15 d6 a8 00 00 call qword ptr [rip + 0xa8d6] ; 0x7ff85cb92550, KERNEL32!GetFileType
00007ff7'bfe6e6c8 ff 15 32 2b 00 00 call qword ptr [rip + 0x2b32] ; 0x7ff85cb92720, KERNEL32!SetFilePointerEx
00007ff7'bfe6b399 ff 15 61 5d 00 00 call qword ptr [rip + 0x5d61] ; 0x7ff85cb92770, KERNEL32!WriteFile
00007ff7'bfe6b3d8 ff 15 22 5d 00 00 call qword ptr [rip + 0x5d22] ; 0x7ff85cb92770, KERNEL32!WriteFile
00007ff7'bfe6b504 ff 15 f6 5b 00 00 call qword ptr [rip + 0x5bf6] ; 0x7ff85cb92770, KERNEL32!WriteFile
00007ff7'bfe6b61f ff 15 db 5a 00 00 call qword ptr [rip + 0x5adb] ; 0x7ff85cb92770, KERNEL32!WriteFile
00007ff7'bfe6b789 ff 15 71 59 00 00 call qword ptr [rip + 0x5971] ; 0x7ff85cb92770, KERNEL32!WriteFile
00007ff7'bfe6bb18 ff 15 e2 55 00 00 call qword ptr [rip + 0x55e2] ; 0x7ff85cb92770, KERNEL32!WriteFile
00007ff7'bfe6b285 ff 15 4d 5f 00 00 call qword ptr [rip + 0x5f4d] ; 0x7ff85cb92a80, KERNEL32!GetConsoleCP
00007ff7'bfe6b9df ff 15 fb 57 00 00 call qword ptr [rip + 0x57fb] ; 0x7ff85cb92a90, KERNEL32!GetConsoleMode
00007ff7'bfe6e775 ff 15 8d 2a 00 00 call qword ptr [rip + 0x2a8d] ; 0x7ff85cb92b60, KERNEL32!WriteConsoleW
00007ff7'bfe613cc ff 15 4e fc 00 00 call qword ptr [rip + 0xfc4e] ; 0x7ff85cba7440, KERNEL32!UnhandledExceptionFilterStub
00007ff7'bfe61b38 ff 15 e2 f4 00 00 call qword ptr [rip + 0xf4e2] ; 0x7ff85cba7440, KERNEL32!UnhandledExceptionFilterStub
00007ff7'bfe65afa ff 15 20 b5 00 00 call qword ptr [rip + 0xb520] ; 0x7ff85cba7440, KERNEL32!UnhandledExceptionFilterStub
00007ff7'bfe6297c 48 ff 25 1d e7 00 00 jmp qword ptr [rip + 0xe71d] ; 0x7ff85ce19a90, ntdll!RtlEnterCriticalSection
00007ff7'bfe69c5e 48 ff 25 3b 74 00 00 jmp qword ptr [rip + 0x743b] ; 0x7ff85ce19a90, ntdll!RtlEnterCriticalSection
00007ff7'bfe69ea0 48 ff 25 f9 71 00 00 jmp qword ptr [rip + 0x71f9] ; 0x7ff85ce19a90, ntdll!RtlEnterCriticalSection
00007ff7'bfe6e355 ff 15 95 2e 00 00 call qword ptr [rip + 0x2e95] ; 0x7ff85ce1a060, ntdll!RtlReAllocateHeap
00007ff7'bfe6554e ff 15 fc bb 00 00 call qword ptr [rip + 0xbbfc] ; 0x7ff85ce1d010, ntdll!RtlAllocateHeap
00007ff7'bfe6567d ff 15 cd ba 00 00 call qword ptr [rip + 0xbacd] ; 0x7ff85ce1d010, ntdll!RtlAllocateHeap
00007ff7'bfe62988 48 ff 25 19 e7 00 00 jmp qword ptr [rip + 0xe719] ; 0x7ff85ce21d90, ntdll!RtlLeaveCriticalSection
00007ff7'bfe69cb2 48 ff 25 ef 73 00 00 jmp qword ptr [rip + 0x73ef] ; 0x7ff85ce21d90, ntdll!RtlLeaveCriticalSection
00007ff7'bfe69ec4 48 ff 25 dd 71 00 00 jmp qword ptr [rip + 0x71dd] ; 0x7ff85ce21d90, ntdll!RtlLeaveCriticalSection
00007ff7'bfe6e2ee 48 ff 25 f3 2e 00 00 jmp qword ptr [rip + 0x2ef3] ; 0x7ff85ce21f10, ntdll!RtlSizeHeap
00007ff7'bfe623cf ff 15 db ec 00 00 call qword ptr [rip + 0xecdb] ; 0x7ff85ce5ced0, ntdll!RtlDeleteCriticalSection
00007ff7'bfe6294d ff 15 5d e7 00 00 call qword ptr [rip + 0xe75d] ; 0x7ff85ce5ced0, ntdll!RtlDeleteCriticalSection
00007ff7'bfe663e3 ff 15 c7 ac 00 00 call qword ptr [rip + 0xacc7] ; 0x7ff85ce5ced0, ntdll!RtlDeleteCriticalSection
00007ff7'bfe69c87 ff 15 23 74 00 00 call qword ptr [rip + 0x7423] ; 0x7ff85ce5ced0, ntdll!RtlDeleteCriticalSection
00007ff7'bfe69da5 ff 15 05 73 00 00 call qword ptr [rip + 0x7305] ; 0x7ff85ce5ced0, ntdll!RtlDeleteCriticalSection
00007ff7'bfe619c3 48 ff 25 9e f6 00 00 jmp qword ptr [rip + 0xf69e] ; 0x7ff85ce838d0, ntdll!RtlInitializeSListHead